From e84e6dcf117080eaf7658b25fb20a9dc3b5d1cfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Sun, 24 Mar 2024 19:05:39 +0100 Subject: Add wireguard and more updates --- flake.lock | 198 ++++++++++++++---------------------- flake.nix | 16 ++- nixos/configurations/binky.nix | 24 ++++- nixos/configurations/dean.nix | 45 ++++---- nixos/configurations/lipwig.nix | 18 +++- nixos/configurations/spt-omnia.nix | 6 +- nixos/configurations/spt-omniax.nix | 51 ---------- nixos/modules/desktop.nix | 1 + nixos/modules/develop.nix | 11 +- nixos/modules/generic.nix | 14 ++- nixos/modules/home-assistant.nix | 20 ++-- nixos/modules/hosts.nix | 5 +- nixos/modules/router.nix | 13 ++- nixos/modules/wireguad.nix | 96 +++++++++++++++-- 14 files changed, 275 insertions(+), 243 deletions(-) delete mode 100644 nixos/configurations/spt-omniax.nix diff --git a/flake.lock b/flake.lock index f439301..2bcba70 100644 --- a/flake.lock +++ b/flake.lock @@ -60,38 +60,7 @@ "type": "indirect" } }, - "flake-utils_10": { - "inputs": { - "systems": "systems_9" - }, - "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, "flake-utils_2": { - "locked": { - "lastModified": 1678901627, - "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, - "flake-utils_3": { "inputs": { "systems": "systems_3" }, @@ -108,7 +77,7 @@ "type": "indirect" } }, - "flake-utils_4": { + "flake-utils_3": { "inputs": { "systems": "systems_4" }, 
@@ -125,7 +94,7 @@ "type": "indirect" } }, - "flake-utils_5": { + "flake-utils_4": { "locked": { "lastModified": 1678901627, "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", @@ -139,7 +108,7 @@ "type": "indirect" } }, - "flake-utils_6": { + "flake-utils_5": { "inputs": { "systems": "systems_5" }, @@ -156,7 +125,7 @@ "type": "indirect" } }, - "flake-utils_7": { + "flake-utils_6": { "inputs": { "systems": "systems_6" }, @@ -173,7 +142,7 @@ "type": "indirect" } }, - "flake-utils_8": { + "flake-utils_7": { "inputs": { "systems": "systems_7" }, @@ -190,7 +159,7 @@ "type": "indirect" } }, - "flake-utils_9": { + "flake-utils_8": { "inputs": { "systems": "systems_8" }, @@ -207,6 +176,23 @@ "type": "indirect" } }, + "flake-utils_9": { + "inputs": { + "systems": "systems_9" + }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -230,8 +216,8 @@ }, "libshv": { "inputs": { - "flake-utils": "flake-utils_8", - "nixpkgs": "nixpkgs_8" + "flake-utils": "flake-utils_7", + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1705505951, 
@@ -249,36 +235,17 @@ "url": "https://github.com/silicon-heaven/libshv.git" } }, - "nixbigclown": { + "nixdeploy": { "inputs": { "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1680946769, - "narHash": "sha256-hz9aaa1CqCoSwS9khk+++e80+zTqs7s1VYw0QioTk1g=", - "owner": "cynerd", - "repo": "nixbigclown", - "rev": "22531d43e5e104bf30ddcee77d933e1468748c83", - "type": "github" - }, - "original": { - "owner": "cynerd", - "repo": "nixbigclown", - "type": "github" - } - }, - "nixdeploy": { - "inputs": { - "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_3" - }, - "locked": { - "lastModified": 1710150065, - "narHash": "sha256-o9B/i2uvEsZWvivDBsstffSUFE+pDcMeskWAXTnmAvA=", + "lastModified": 1710927472, + "narHash": "sha256-aXzoPTvHjMiAp+ZXKt+oxOgw3MlY4JechopKa+WzPjQ=", "owner": "cynerd", "repo": "nixdeploy", - "rev": "6e251cee712de2de91a5bc28d32702111a95848f", + "rev": "5c9ca8950cdba970cca3964780205b91d009b3f7", "type": "gitlab" }, "original": { @@ -289,11 +256,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1710123225, - "narHash": "sha256-j3oWlxRZxB7cFsgEntpH3rosjFHRkAo/dhX9H3OfxtY=", + "lastModified": 1710783728, + "narHash": "sha256-eIsfu3c9JUBgm3cURSKTXLEI9Dlk1azo+MWKZVqrmkc=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ad2fd7b978d5e462048729a6c635c45d3d33c9ba", + "rev": "1e679b9a9970780cd5d4dfe755a74a8f96d33388", "type": "github" }, "original": { @@ -318,20 +285,6 @@ } }, "nixpkgs_10": { - "locked": { - "lastModified": 1682109806, - "narHash": "sha256-d9g7RKNShMLboTWwukM+RObDWWpHKaqTYXB48clBWXI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "2362848adf8def2866fabbffc50462e929d7fffb", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_11": { "locked": { "lastModified": 1707877513, "narHash": "sha256-sp0w2apswd3wv0sAEF7StOGHkns3XUQaO5erhWFZWXk=", 
@@ -346,20 +299,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 1679319606, - "narHash": "sha256-wyEMIZB6BnsmJWInEgDZu66hXVMGJEZFl5uDsn27f9M=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "8bc6945b1224a1cfa679d6801580b1054dba1a5c", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1708469763, "narHash": "sha256-wCJljz6nQdCAnfTx+3i4fWteB3TnVEq95z6d6LhwVKs=", @@ -373,13 +312,13 @@ "type": "indirect" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { - "lastModified": 1710474764, - "narHash": "sha256-M43DDaPLL04HBLfh7XBZ8ROiujeL9IvnWsEKUnG2/yU=", + "lastModified": 1710861126, + "narHash": "sha256-q8fiy9mgUvTAt2OMjiVpQgDlykyGury9Fpsm0jekBfY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2bcf18c64c66b95e17d9c8755104d33bc5103c63", + "rev": "2dcadb7087e38314cebb15af65f8f2a15d2940cc", "type": "github" }, "original": { @@ -388,7 +327,7 @@ "type": "indirect" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { "lastModified": 1710252211, "narHash": "sha256-hQChQpB4LDBaSrNlD6DPLhU9T+R6oyxMCg2V+S7Y1jg=", @@ -402,7 +341,7 @@ "type": "indirect" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1678875422, "narHash": "sha256-T3o6NcQPwXjxJMn2shz86Chch4ljXgZn746c2caGxd8=", @@ -416,7 +355,7 @@ "type": "indirect" } }, - "nixpkgs_7": { + "nixpkgs_6": { "locked": { "lastModified": 1705566941, "narHash": "sha256-CLNtVRDA8eUPk+bxsCCZtRO0Cp+SpHdn1nNOLoFypLs=", @@ -430,7 +369,7 @@ "type": "indirect" } }, - "nixpkgs_8": { + "nixpkgs_7": { "locked": { "lastModified": 1694948089, "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=", @@ -444,7 +383,7 @@ "type": "indirect" } }, - "nixpkgs_9": { + "nixpkgs_8": { "locked": { "lastModified": 1705566941, "narHash": "sha256-CLNtVRDA8eUPk+bxsCCZtRO0Cp+SpHdn1nNOLoFypLs=", 
@@ -458,17 +397,31 @@ "type": "indirect" } }, + "nixpkgs_9": { + "locked": { + "lastModified": 1682109806, + "narHash": "sha256-d9g7RKNShMLboTWwukM+RObDWWpHKaqTYXB48clBWXI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2362848adf8def2866fabbffc50462e929d7fffb", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, "nixturris": { "inputs": { - "flake-utils": "flake-utils_4", - "nixpkgs": "nixpkgs_5" + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1710278775, - "narHash": "sha256-4kwVKv2Wrus6kNka/XtcrpYx1hemORAiv0wchoMxEvM=", + "lastModified": 1710528104, + "narHash": "sha256-fseLCm3s9PCNzdSNlNjgh3gS/BfeCOIAac/xyUEN0yo=", "owner": "cynerd", "repo": "nixturris", - "rev": "b6f0fe38003fe22c2a0b94ac660e6063bb6f67b9", + "rev": "8c8595ac5fda5d1ab8ae6416938544298e317640", "type": "gitlab" }, "original": { @@ -479,11 +432,11 @@ }, "personal-secret": { "locked": { - "lastModified": 1710423555, - "narHash": "sha256-m1f4Ifjn80UHMkyXLdMDjtjG2dnaO974USOpCjGOKe8=", + "lastModified": 1710863858, + "narHash": "sha256-6qKqa5cdchvGSBGigs/K4VWVfITGdMudrKYw2Sc79wo=", "ref": "refs/heads/master", - "rev": "ca40867b2d24aebc3f34c01012eda732afb4938b", - "revCount": 95, + "rev": "0306d300b34e6221230bb7886f077bb78997da3a", + "revCount": 101, "type": "git", "url": "ssh://git@cynerd.cz/nixos-personal-secret" }, @@ -494,9 +447,9 @@ }, "pyshv": { "inputs": { - "flake-utils": "flake-utils_7", + "flake-utils": "flake-utils_6", "libshv": "libshv", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1705600354, @@ -516,10 +469,9 @@ "inputs": { "agenix": "agenix", "flake-utils": "flake-utils", - "nixbigclown": "nixbigclown", "nixdeploy": "nixdeploy", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_3", "nixturris": "nixturris", "personal-secret": "personal-secret", "shellrc": "shellrc", 
@@ -531,8 +483,8 @@
 },
 "shellrc": {
 "inputs": {
- "flake-utils": "flake-utils_5",
- "nixpkgs": "nixpkgs_6"
+ "flake-utils": "flake-utils_4",
+ "nixpkgs": "nixpkgs_5"
 },
 "locked": {
 "lastModified": 1710324061,
@@ -550,8 +502,8 @@
 },
 "shvcli": {
 "inputs": {
- "flake-utils": "flake-utils_6",
- "nixpkgs": "nixpkgs_7",
+ "flake-utils": "flake-utils_5",
+ "nixpkgs": "nixpkgs_6",
 "pyshv": "pyshv"
 },
 "locked": {
@@ -570,8 +522,8 @@
 },
 "shvspy": {
 "inputs": {
- "flake-utils": "flake-utils_9",
- "nixpkgs": "nixpkgs_10"
+ "flake-utils": "flake-utils_8",
+ "nixpkgs": "nixpkgs_9"
 },
 "locked": {
 "lastModified": 1709892386,
@@ -726,8 +678,8 @@
 },
 "usbkey": {
 "inputs": {
- "flake-utils": "flake-utils_10",
- "nixpkgs": "nixpkgs_11"
+ "flake-utils": "flake-utils_9",
+ "nixpkgs": "nixpkgs_10"
 },
 "locked": {
 "lastModified": 1707940956,
diff --git a/flake.nix b/flake.nix
index 945f722..58dc86b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,7 +15,6 @@
 usbkey.url = "gitlab:cynerd/usbkey";
 nixturris.url = "gitlab:cynerd/nixturris";
- nixbigclown.url = "github:cynerd/nixbigclown";
 vpsadminos.url = "github:vpsfreecz/vpsadminos";
 };
@@ -31,11 +30,10 @@
 shvcli,
 usbkey,
 nixturris,
- nixbigclown,
 ...
 }: let
 inherit (flake-utils.lib) eachDefaultSystem filterPackages;
- inherit (nixpkgs.lib) attrValues;
+ inherit (nixpkgs.lib) attrValues mapAttrs' nameValuePair filterAttrs;
 revision = self.shortRev or self.dirtyShortRev or "unknown";
 in {
@@ -62,7 +60,6 @@
 imports =
 attrValues modules
 ++ [
- nixbigclown.nixosModules.default
 nixdeploy.nixosModules.default
 nixturris.nixosModules.default
 personal-secret.nixosModules.default
@@ -82,7 +79,16 @@
 // eachDefaultSystem (system: let
 pkgs = nixpkgs.legacyPackages."${system}".extend self.overlays.default;
 in {
- packages.default = pkgs.nixdeploy;
+ packages =
+ {default = pkgs.nixdeploy;}
+ // mapAttrs' (n: v: let
+ os =
+ if v.config.nixpkgs.hostPlatform.system == system
+ then v
+ else (v.extendModules {modules = [{nixpkgs.buildPlatform.system = system;}];});
+ in
+ nameValuePair "tarball-${n}" os.config.system.build.tarball)
+ (filterAttrs (_: v: v.config.system.build ? tarball) self.nixosConfigurations);
 legacyPackages = pkgs;
 devShells = filterPackages system (import ./devShells pkgs);
 formatter = pkgs.alejandra;
diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix
index c51f95b..bdfa47e 100644
--- a/nixos/configurations/binky.nix
+++ b/nixos/configurations/binky.nix
@@ -14,10 +14,8 @@ in {
 };
 wifiClient = true;
 develop = true;
- openvpn = {
- oldpersonal = true;
- elektroline = true;
- };
+ wireguard = true;
+ openvpn.elektroline = true;
 };
 
 boot = {
@@ -56,6 +54,24 @@ in {
 fileSystems = ["/"];
 };
 
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ networks = {
+ "dhcp" = {
+ matchConfig.Name = "enp2s0f0 enp5s0f3u1u1 wlp3s0";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ wait-online.enable = false;
+ };
+
 services.syncthing = {
 enable = true;
 user = mkDefault "cynerd";
diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix
index b91083c..44feaea 100644
--- a/nixos/configurations/dean.nix
+++ b/nixos/configurations/dean.nix
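Review bot: In the `systemd.network` block added by the second binky.nix hunk, `linkConfig.RequiredForOnline = "routable"` is inert because `wait-online.enable = false` in the same block disables the only consumer of that setting, so one of the two lines misleads the reader. Either drop `RequiredForOnline` or keep it and add a comment on `wait-online.enable = false` saying why boot must not wait for the network (dean.nix carries a TODO for the same choice in this commit). The switch from `openvpn.oldpersonal` to `wireguard = true` in the first hunk reads as intended.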
@@ -1,35 +1,38 @@
 {pkgs, ...}: {
- nixpkgs.hostPlatform.system = "aarch64-linux";
+ turris.board = "mox";
+ deploy.enable = true;
 
 cynerd = {
- openvpn = {
- oldpersonal = true;
- };
+ wireguard = true;
 monitoring.speedtest = true;
 };
 
 networking = {
- bridges = {
- brlan = {
- interfaces = [
- "eth0"
- "lan1"
- "lan2"
- "lan3"
- "lan4"
- ];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ netdevs."brlab".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0";
+ networkConfig.Bridge = "brlan";
 };
 };
- dhcpcd.allowInterfaces = ["brlan"];
+ # TODO investigate why it doesn't work
+ wait-online.enable = false;
 };
 
- swapDevices = [
- {
- device = "/var/swap";
- priority = 1;
- }
- ];
-
 environment.systemPackages = with pkgs; [
 #openocd
 tio
diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix
index c484541..0eefe5f 100644
--- a/nixos/configurations/lipwig.nix
+++ b/nixos/configurations/lipwig.nix
@@ -19,6 +19,7 @@
 enable = false;
 baseDir = "/nas";
 };
+ wireguard = true;
 openvpn.oldpersonal = true;
 };
 
@@ -29,10 +30,21 @@
 fsType = "nfs";
 };
 
- networking.firewall = {
- allowedTCPPorts = [80 443];
- allowedUDPPorts = [1194];
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ nftables.enable = true;
+ firewall = {
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [1194];
+ filterForward = true;
+ extraForwardRules = ''
+ iifname {"wg", "personalvpn"} oifname {"wg", "personalvpn"} accept
+ '';
+ };
 };
+ systemd.network.wait-online.enable = false;
+ systemd.services.networking-setup.wantedBy = ["network-online.target"];
 
 # Web ######################################################################
 services.nginx = {
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix
index ca4d211..8456368 100644
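Review bot: `netdevs."brlab"` in the dean.nix `systemd.network` block names the netdev unit `brlab` while its `Name` is `brlan` and both networks refer to `brlan`; it works because the attribute only names the unit file, but it reads as a typo and should be `netdevs."brlan".netdevConfig = {`. Dropping `nixpkgs.hostPlatform.system = "aarch64-linux"` presumably relies on `turris.board = "mox"` setting the platform through the nixturris module, which is not visible in this commit, so worth confirming on an evaluation. The `# TODO investigate why it doesn't work` comment would help a later reader more if it named the symptom, for example which interface never reaches the routable state.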
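Review bot: The `extraForwardRules` line in the second lipwig.nix hunk also matches `iifname "wg" oifname "wg"`, so with `filterForward = true` lipwig relays traffic between any two WireGuard peers, not only between the OpenVPN and WireGuard overlays. If that hub role is intended, a comment above the rule such as `# bridge the OpenVPN and WireGuard overlays and relay between WireGuard peers` makes the trust boundary explicit instead of leaving it to be tightened by mistake later. `allowedUDPPorts` here lists only 1194; the WireGuard listen port is opened by the module in nixos/modules/wireguad.nix in this same commit, which is fine but deserves a cross-reference comment.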
--- a/nixos/configurations/spt-omnia.nix
+++ b/nixos/configurations/spt-omnia.nix
@@ -37,12 +37,13 @@ in {
 channel = 36;
 };
 };
+ wireguard = true;
 openvpn.oldpersonal = true;
 monitoring.speedtest = true;
 };
 
 services.journald.extraConfig = ''
- SystemMaxUse=512M
+ SystemMaxUse=8G
 '';
 
 environment = {
@@ -136,6 +137,7 @@ in {
 IPv6AcceptRA = "no";
 DHCPPrefixDelegation = "yes";
 };
+ dhcpV6Config.PrefixDelegationHint = "::/56";
 dhcpPrefixDelegationConfig = {
 UplinkInterface = ":self";
 SubnetId = 0;
@@ -179,7 +181,7 @@ in {
 # TODO limit NSS clamping to just pppoe-wan
 networking.firewall.extraForwardRules = ''
 tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
- iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept
+ iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept
 '';
 
 services.syncthing = {
diff --git a/nixos/configurations/spt-omniax.nix b/nixos/configurations/spt-omniax.nix
deleted file mode 100644
index 4f9e0e0..0000000
--- a/nixos/configurations/spt-omniax.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- turris.board = "omnia";
-
- cynerd = {
- router = {
- enable = true;
- wan = "end2";
- lanIP = "192.168.2.1";
- };
- wifiAP.spt = {
- enable = true;
- ar9287.interface = "wlp3s0";
- qca988x.interface = "wlp2s0";
- };
- monitoring.speedtest = true;
- };
-
- networking.useDHCP = false;
- systemd.network = {
- networks = {
- "end2" = {
- matchConfig.Name = "end2";
- networkConfig = {
- BindCarrier = "end2";
- DHCP = "yes";
- IPv6AcceptRA = "yes";
- DHCPPrefixDelegation = "yes";
- };
- dhcpPrefixDelegationConfig = {
- UplinkInterface = ":self";
- SubnetId = 0;
- Announce = "no";
- };
- linkConfig.RequiredForOnline = "routable";
- };
- "lan-brlan" = {
- matchConfig.Name = "lan*";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 1;
- PVID = 1;
- };
- }
- {bridgeVLANConfig.VLAN = 2;}
- ];
- };
- };
- };
-}
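Review bot: `SystemMaxUse=8G` in the first spt-omnia.nix hunk raises the persistent journal cap sixteen-fold on a router without saying why; a journald-style comment inside the string, `# <reason for the 8G cap>`, would save the next reader from guessing. If the journal lives on the device's flash, that write volume is worth a second look, and pairing the cap with a `SystemKeepFree=` line guards the root filesystem. The third hunk adds `wg` on both sides of the forward rule, so WireGuard peers and the home network can reach each other freely; that matches the lipwig rule in this commit, but a comment naming that intent would help.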
diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix
index d0cc9d5..b145929 100644
--- a/nixos/modules/desktop.nix
+++ b/nixos/modules/desktop.nix
@@ -264,6 +264,7 @@ in {
 };
 
 documentation = {
+ enable = true;
 man.enable = true;
 info.enable = true;
 };
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 2daead8..e5510c6 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -65,6 +65,7 @@ in {
 (python3.withPackages (pypkgs:
 with pypkgs; [
 ipython
+ python-lsp-server
 pytest
 pytest-html
 
@@ -151,6 +152,10 @@ in {
 programs.wireshark.package = pkgs.wireshark;
 
 documentation = {
+ nixos = {
+ enable = true;
+ includeAllModules = true;
+ };
 dev.enable = true;
 doc.enable = true;
 };
@@ -185,11 +190,5 @@ in {
 "develop"
 "libvirtd"
 ];
-
- # Allow using latest git version from registry
- nixpkgs.flake = {
- setNixPath = false;
- setFlakeRegistry = false;
- };
 };
 }
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index 5c6e2fe..e4ac094 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -43,7 +43,13 @@ in {
 services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux");
 systemd.oomd.enable = false;
 
- nixpkgs.config.allowUnfree = true;
+ nixpkgs = {
+ config.allowUnfree = true;
+ flake = {
+ setNixPath = false;
+ setFlakeRegistry = false;
+ };
+ };
 
 environment.systemPackages = with pkgs; [
 git # We need git for this repository to even work
@@ -201,5 +207,11 @@ in {
 '';
 
 programs.fuse.userAllowOther = true;
+
+ documentation = {
+ enable = mkDefault false;
+ doc.enable = mkDefault false;
+ nixos.enable = mkDefault false;
+ };
 };
 }
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix
index 267f725..769b1c7 100644
--- a/nixos/modules/home-assistant.nix
+++ b/nixos/modules/home-assistant.nix
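Review bot: The `nixpkgs.flake` block in the first generic.nix hunk now disables the pinned flake registry entry and NIX_PATH on every host, but the why-comment that accompanied it in develop.nix, `# Allow using latest git version from registry`, was dropped in the move and should be carried over. The trade-off deserves stating next to it: with `setFlakeRegistry = false`, an ad-hoc `nix shell nixpkgs#...` on a router or server resolves `nixpkgs` through the global registry (unpinned, as I understand the default) rather than the revision the system was built from, so such one-off tools are no longer covered by flake.lock. If that behaviour is only wanted on development machines, leaving the block in develop.nix, or wrapping the values in `mkDefault` here so develop.nix can override, is the narrower choice.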
@@ -5,13 +5,12 @@
 ...
 }: let
 inherit (lib) mkIf mkEnableOption;
- cnf = config.cynerd.home-assistant;
 in {
 options = {
 cynerd.home-assistant = mkEnableOption "Enable Home Assistant and Bigclown";
 };
 
- config = mkIf cnf {
+ config = mkIf config.cynerd.home-assistant {
 services.mosquitto = {
 enable = true;
 listeners = [
@@ -52,16 +51,13 @@ in {
 1883 # Mosquitto
 ];
 
- services.bigclown = {
- gateway = {
- enable = true;
- device = "/dev/ttyUSB0";
- environmentFile = "/run/secrets/bigclown.env";
- baseTopicPrefix = "bigclown/";
- mqtt = {
- username = "bigclown";
- password = "@PASS_MQTT@";
- };
+ services.bcg = {
+ enable = true;
+ device = "/dev/ttyUSB0";
+ baseTopicPrefix = "bigclown/";
+ mqtt = {
+ username = "bigclown";
+ keyfile = "/run/secrets/mqtt-bigclown.pass";
 };
 };
 
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index b9a40a6..054098d 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -9,6 +9,7 @@
 staticZoneOption = mkOption {
 type = types.attrsOf types.str;
 readOnly = true;
+ description = "The mapping of zone hosts to their IP";
 };
 in {
 options = {
@@ -29,7 +30,6 @@ in {
 cynerd.hosts = {
 vpn = {
 "lipwig" = "10.8.0.1";
- "dean" = "10.8.0.4";
 # Portable
 "binky" = "10.8.0.2";
 "albert" = "10.8.0.3";
@@ -81,7 +81,6 @@ in {
 "${cnf.vpn.lipwig}" = ["lipwig.vpn"];
 "${cnf.vpn.android}" = ["android.vpn"];
 "${cnf.vpn.albert}" = ["albert.vpn"];
- "${cnf.vpn.dean}" = ["dean" "dean.vpn"];
 "${cnf.vpn.binky}" = ["binky.vpn"];
 "${cnf.vpn.spt-omnia}" = ["spt.vpn"];
 "${cnf.vpn.adm-omnia}" = ["adm.vpn"];
@@ -91,7 +90,7 @@ in {
 "${cnf.wg.android}" = ["android.wg"];
 "${cnf.wg.spt-omnia}" = ["spt.wg"];
 "${cnf.wg.adm-omnia}" = ["adm.wg"];
- "${cnf.wg.dean}" = ["dean.wg"];
+ "${cnf.wg.dean}" = ["dean" "dean.wg"];
 # Spt
 "${cnf.spt.omnia}" = ["omnia.spt"];
 "${cnf.spt.mox}" = ["mox.spt"];
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
index ed634b1..3002d9b 100644
--- a/nixos/modules/router.nix
+++ b/nixos/modules/router.nix
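Review bot: `keyfile = "/run/secrets/mqtt-bigclown.pass"` in the new `services.bcg` block moves the MQTT password out of the `@PASS_MQTT@` substitution, which is an improvement, but nothing in this commit shows who owns that file or with what mode; if it is provisioned root-only, the gateway service will fail to read it unless the secret declares a matching owner or the service runs as root. A comment next to `keyfile` naming where the secret is declared and which user must read it would make that dependency visible, for example `# declared in the secrets module; must be readable by the bcg service user`. The matching Mosquitto password entry for user `bigclown` is outside this hunk, so I could not confirm both sides agree after the switch.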
@@ -54,10 +54,9 @@ in {
 firewall = {
 logRefusedConnections = false;
 interfaces = {
- "home" = {allowedUDPPorts = [67 68];};
- "guest" = {allowedUDPPorts = [67 68];};
+ "home" = {allowedUDPPorts = [53 67 68];};
+ "guest" = {allowedUDPPorts = [53 67 68];};
 };
- rejectPackets = true;
 filterForward = true;
 };
 nat = {
@@ -119,7 +118,7 @@ in {
 PoolOffset = cnf.dynIPStart;
 PoolSize = cnf.dynIPCount;
 EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "${cnf.lanIP}";
 };
 dhcpServerStaticLeases =
 mapAttrsToList (n: v: {
@@ -150,7 +149,7 @@ in {
 PoolOffset = cnf.dynIPStart;
 PoolSize = cnf.dynIPCount;
 EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "192.168.1.1";
 };
 dhcpPrefixDelegationConfig = {
 UplinkInterface = cnf.wan;
@@ -166,6 +165,10 @@ in {
 enable = true;
 dnssec = "true";
 fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=${cnf.lanIP}
+ DNSStubListenerExtra=192.168.1.1
+ '';
 };
 };
 }
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index 67bd8d5..d96fc9e 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
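Review bot: The `interfaces` change in the first router.nix hunk opens only UDP 53 on `home` and `guest`, but systemd-resolved's stub listener also answers on TCP and clients fall back to TCP when a UDP answer is truncated, which the DNSSEC-signed responses implied by `dnssec = "true"` in the last hunk make more likely; change both entries to `{allowedTCPPorts = [53]; allowedUDPPorts = [53 67 68];}`. The guest-side address `192.168.1.1` is now hard-coded in two hunks (the DHCP `DNS` value and the `DNSStubListenerExtra` line) while the home side derives from `cnf.lanIP`; if the guest address is defined elsewhere, deriving both places from it keeps them from drifting, otherwise a single let-binding would. Dropping `rejectPackets = true` silently switches refused packets from reject to drop for every router; if deliberate, a comment or a line in the commit message should say so.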
@@ -1,18 +1,100 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }: let
- inherit (lib) mkEnableOption mkIf;
- cnf = config.cynerd.wireguard;
+ inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
+ inherit (config.networking) hostName;
+ endpoints = {
+ "lipwig" = "cynerd.cz";
+ "spt-omnia" = "spt.cynerd.cz";
+ "adm-omnia" = "adm.cynerd.cz";
+ };
+ is_endpoint = endpoints ? "${hostName}";
 in {
 options = {
- cynerd.wireguard = {
- enable = mkEnableOption "Enable Wireguard";
- };
+ cynerd.wireguard = mkEnableOption "Enable Wireguard";
 };
 
- config =
- mkIf cnf.enable {
+ config = mkIf config.cynerd.wireguard {
+ environment.systemPackages = [pkgs.wireguard-tools];
+ systemd.network = {
+ netdevs."wg" = {
+ netdevConfig = {
+ Name = "wg";
+ Kind = "wireguard";
+ Description = "Personal Wireguard tunnel";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ PrivateKeyFile = "/run/secrets/wg.key";
+ };
+ wireguardPeers =
+ [
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.lipwig}:51820";
+ AllowedIPs = ["0.0.0.0/0"];
+ PublicKey = config.secrets.wireguardPubs.lipwig;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.spt-omnia}:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.spt-omnia}/32"
+ "10.8.2.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.spt-omnia;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ #{
+ # wireguardPeerConfig =
+ # {
+ # Endpoint = "${endpoints.adm-omnia}:51820";
+ # AllowedIPs = [
+ # "${config.cynerd.hosts.wg.adm-omnia}/32"
+ # "10.8.3.0/24"
+ # ];
+ # PublicKey = config.secrets.wireguardPubs.adm-omnia;
+ # }
+ # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ #}
+ ]
+ ++ (optionals is_endpoint (mapAttrsToList (n: v: {
+ wireguardPeerConfig = {
+ AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
+ PublicKey = v;
+ };
+ }) (filterAttrs (n: _: ! endpoints ? "${n}") config.secrets.wireguardPubs)));
+ };
+ networks."wg" = {
+ matchConfig.Name = "wg";
+ networkConfig = {
+ Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
+ IPForward = is_endpoint;
+ };
+ routes =
+ (optional (hostName != "spt-omnia") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.spt-omnia;
+ Destination = "10.8.2.0/24";
+ };
+ })
+ ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.adm-omnia;
+ Destination = "10.8.3.0/24";
+ };
+ });
+ };
 };
+ networking.firewall.allowedUDPPorts = [51820];
+ };
 }
-- cgit v1.2.3
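Review bot: `networking.firewall.allowedUDPPorts = [51820]` at the end of the hunk, together with the unconditional `ListenPort = 51820`, opens an inbound WireGuard port on every host that enables `cynerd.wireguard`, including the hosts absent from `endpoints`, which only ever initiate to a known endpoint and need no reachable port; `networking.firewall.allowedUDPPorts = optional is_endpoint 51820;` (and a matching `optionalAttrs` around `ListenPort`) keeps the exposure to the three endpoints, and `optional` is already inherited. The two static peers are added unconditionally, so lipwig and spt-omnia each list their own public key as a peer; I believe the kernel ignores such a self-peer, but filtering it with `optional (hostName != "lipwig") {...}` removes the doubt. On endpoint hosts the lipwig peer's `AllowedIPs = ["0.0.0.0/0"]` combined with `IPForward = is_endpoint` means any IPv4 packet lipwig injects into the tunnel is accepted and may be forwarded onward (the spt-omnia forward rule in this commit accepts `wg` to `home`); if that full trust in lipwig is intended, a comment on the peer saying so documents the boundary. As a style point, the dynamic peers pass `AllowedIPs` as a string while the static ones use a list; `AllowedIPs = ["${config.cynerd.hosts.wg."${n}"}/32"];` keeps them uniform.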