From e84e6dcf117080eaf7658b25fb20a9dc3b5d1cfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Sun, 24 Mar 2024 19:05:39 +0100 Subject: Add wireguard and more updates --- nixos/modules/desktop.nix | 1 + nixos/modules/develop.nix | 11 +++-- nixos/modules/generic.nix | 14 +++++- nixos/modules/home-assistant.nix | 20 ++++----- nixos/modules/hosts.nix | 5 +-- nixos/modules/router.nix | 13 +++--- nixos/modules/wireguad.nix | 96 +++++++++++++++++++++++++++++++++++++--- 7 files changed, 126 insertions(+), 34 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix index d0cc9d5..b145929 100644 --- a/nixos/modules/desktop.nix +++ b/nixos/modules/desktop.nix @@ -264,6 +264,7 @@ in { }; documentation = { + enable = true; man.enable = true; info.enable = true; }; diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix index 2daead8..e5510c6 100644 --- a/nixos/modules/develop.nix +++ b/nixos/modules/develop.nix @@ -65,6 +65,7 @@ in { (python3.withPackages (pypkgs: with pypkgs; [ ipython + python-lsp-server pytest pytest-html @@ -151,6 +152,10 @@ in { programs.wireshark.package = pkgs.wireshark; documentation = { + nixos = { + enable = true; + includeAllModules = true; + }; dev.enable = true; doc.enable = true; }; @@ -185,11 +190,5 @@ in { "develop" "libvirtd" ]; - - # Allow using latest git version from registry - nixpkgs.flake = { - setNixPath = false; - setFlakeRegistry = false; - }; }; } diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index 5c6e2fe..e4ac094 100644 --- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix 
@@ -43,7 +43,13 @@ in { services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux"); systemd.oomd.enable = false; - nixpkgs.config.allowUnfree = true; + nixpkgs = { + config.allowUnfree = true; + flake = { + setNixPath = false; + setFlakeRegistry = false; + }; + }; environment.systemPackages = with pkgs; [ git # We need git for this repository to even work @@ -201,5 +207,11 @@ in { ''; programs.fuse.userAllowOther = true; + + documentation = { + enable = mkDefault false; + doc.enable = mkDefault false; + nixos.enable = mkDefault false; + }; }; } diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix index 267f725..769b1c7 100644 --- a/nixos/modules/home-assistant.nix +++ b/nixos/modules/home-assistant.nix @@ -5,13 +5,12 @@ ... }: let inherit (lib) mkIf mkEnableOption; - cnf = config.cynerd.home-assistant; in { options = { cynerd.home-assistant = mkEnableOption "Enable Home Assistant and Bigclown"; }; - config = mkIf cnf { + config = mkIf config.cynerd.home-assistant { services.mosquitto = { enable = true; listeners = [ @@ -52,16 +51,13 @@ in { 1883 # Mosquitto ]; - services.bigclown = { - gateway = { - enable = true; - device = "/dev/ttyUSB0"; - environmentFile = "/run/secrets/bigclown.env"; - baseTopicPrefix = "bigclown/"; - mqtt = { - username = "bigclown"; - password = "@PASS_MQTT@"; - }; + services.bcg = { + enable = true; + device = "/dev/ttyUSB0"; + baseTopicPrefix = "bigclown/"; + mqtt = { + username = "bigclown"; + keyfile = "/run/secrets/mqtt-bigclown.pass"; }; }; diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix index b9a40a6..054098d 100644 --- a/nixos/modules/hosts.nix +++ b/nixos/modules/hosts.nix @@ -9,6 +9,7 @@ staticZoneOption = mkOption { type = types.attrsOf types.str; readOnly = true; + description = "The mapping of zone hosts to their IP"; }; in { options = { 
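Review bot: The `# Allow using latest git version from registry` comment that justified `setNixPath = false` / `setFlakeRegistry = false` in develop.nix did not survive the move into generic.nix, and the pair now applies to every host, not only development machines. As far as the option names indicate, this leaves `<nixpkgs>` and the `nixpkgs` registry entry unpinned, so an ad-hoc `nix run nixpkgs#…` or `nix shell nixpkgs#…` on any of these hosts fetches whatever the global registry currently points at rather than the revision the system was built from — a reproducibility and supply-chain trade-off worth recording where the setting now lives. A comment such as `# Do not pin <nixpkgs>/registry: ad-hoc nix run/shell resolve nixpkgs via the global registry (latest, unpinned)` above the `flake = {` line would do. The enclosing attribute set starts outside the hunk.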
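Review bot: `mqtt.keyfile = "/run/secrets/mqtt-bigclown.pass"` replaces what used to be a password (`password = "@PASS_MQTT@"` filled from `environmentFile`), but in the upstream bcg configuration `keyfile` sits next to `cafile`/`certfile` and denotes the TLS client private key, not a password file. If the NixOS `services.bcg` module exposes a password-file option (a `passwordFile`-style name), that is the one a `.pass` secret should feed; if `keyfile` really is the module's password-file option, a comment on the line, `# password file, not a TLS key`, would spare the next reader the same double-take — verify against the module's option list. Either way the file under `/run/secrets/` has to be readable by the user the bcg service runs as, which this hunk does not show; presumably the secrets tooling sets the owner, but a wrong mode only fails at runtime, so it is worth confirming. The enclosing `config` set starts and ends outside the hunk.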
@@ -29,7 +30,6 @@ in { cynerd.hosts = { vpn = { "lipwig" = "10.8.0.1"; - "dean" = "10.8.0.4"; # Portable "binky" = "10.8.0.2"; "albert" = "10.8.0.3"; @@ -81,7 +81,6 @@ in { "${cnf.vpn.lipwig}" = ["lipwig.vpn"]; "${cnf.vpn.android}" = ["android.vpn"]; "${cnf.vpn.albert}" = ["albert.vpn"]; - "${cnf.vpn.dean}" = ["dean" "dean.vpn"]; "${cnf.vpn.binky}" = ["binky.vpn"]; "${cnf.vpn.spt-omnia}" = ["spt.vpn"]; "${cnf.vpn.adm-omnia}" = ["adm.vpn"]; @@ -91,7 +90,7 @@ in { "${cnf.wg.android}" = ["android.wg"]; "${cnf.wg.spt-omnia}" = ["spt.wg"]; "${cnf.wg.adm-omnia}" = ["adm.wg"]; - "${cnf.wg.dean}" = ["dean.wg"]; + "${cnf.wg.dean}" = ["dean" "dean.wg"]; # Spt "${cnf.spt.omnia}" = ["omnia.spt"]; "${cnf.spt.mox}" = ["mox.spt"]; diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix index ed634b1..3002d9b 100644 --- a/nixos/modules/router.nix +++ b/nixos/modules/router.nix @@ -54,10 +54,9 @@ in { firewall = { logRefusedConnections = false; interfaces = { - "home" = {allowedUDPPorts = [67 68];}; - "guest" = {allowedUDPPorts = [67 68];}; + "home" = {allowedUDPPorts = [53 67 68];}; + "guest" = {allowedUDPPorts = [53 67 68];}; }; - rejectPackets = true; filterForward = true; }; nat = { @@ -119,7 +118,7 @@ in { PoolOffset = cnf.dynIPStart; PoolSize = cnf.dynIPCount; EmitDNS = "yes"; - DNS = "1.1.1.1"; + DNS = "${cnf.lanIP}"; }; dhcpServerStaticLeases = mapAttrsToList (n: v: { @@ -150,7 +149,7 @@ in { PoolOffset = cnf.dynIPStart; PoolSize = cnf.dynIPCount; EmitDNS = "yes"; - DNS = "1.1.1.1"; + DNS = "192.168.1.1"; }; dhcpPrefixDelegationConfig = { UplinkInterface = cnf.wan; @@ -166,6 +165,10 @@ in { enable = true; dnssec = "true"; fallbackDns = ["1.1.1.1" "8.8.8.8"]; + extraConfig = '' + DNSStubListenerExtra=${cnf.lanIP} + DNSStubListenerExtra=192.168.1.1 + ''; }; }; } diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix index 67bd8d5..d96fc9e 100644 --- a/nixos/modules/wireguad.nix +++ b/nixos/modules/wireguad.nix 
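Review bot: Only 53/udp is opened on `home` and `guest`; 53/tcp stays closed, yet DNS over TCP is mandatory for a resolver and, with `dnssec = "true"` on the resolved block further down this file, signed answers are exactly the ones that get truncated over UDP and retried over TCP — those retries will now be dropped. Add `allowedTCPPorts = [53];` to both entries, e.g. `"home" = {allowedUDPPorts = [53 67 68]; allowedTCPPorts = [53];};`. Two side effects deserve a comment as well: dropping `rejectPackets = true` switches the whole firewall from REJECT to DROP, not just these interfaces, and handing `guest` the router's stub resolver means guest clients can query whatever it knows — including `/etc/hosts` names if the `cynerd.hosts` mappings in hosts.nix end up in `networking.hosts` — which may or may not be intended. The enclosing `networking` set starts before and ends after this hunk.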
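Review bot: `DNSStubListenerExtra=192.168.1.1` hard-codes the second subnet's router address (the DHCP hunk above does the same with `DNS = "192.168.1.1"`) while the first listener is derived from `${cnf.lanIP}`; lifting the literal into an option next to `lanIP`, or at minimum tagging both occurrences with `# guest-side address, keep in sync with the guest DHCP server`, keeps the two from drifting apart. These extra stub listeners answer anyone who can reach the address; as far as this file shows, the only thing confining them to `home`/`guest` is the per-interface `allowedUDPPorts` entry in the firewall hunk above, so a one-line comment here pointing at that dependency would help whoever edits either side next. The enclosing `services.resolved` set starts outside the hunk.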
@@ -1,18 +1,100 @@ { config, lib, + pkgs, ... }: let - inherit (lib) mkEnableOption mkIf; - cnf = config.cynerd.wireguard; + inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs; + inherit (config.networking) hostName; + endpoints = { + "lipwig" = "cynerd.cz"; + "spt-omnia" = "spt.cynerd.cz"; + "adm-omnia" = "adm.cynerd.cz"; + }; + is_endpoint = endpoints ? "${hostName}"; in { options = { - cynerd.wireguard = { - enable = mkEnableOption "Enable Wireguard"; - }; + cynerd.wireguard = mkEnableOption "Enable Wireguard"; }; - config = - mkIf cnf.enable { + config = mkIf config.cynerd.wireguard { + environment.systemPackages = [pkgs.wireguard-tools]; + systemd.network = { + netdevs."wg" = { + netdevConfig = { + Name = "wg"; + Kind = "wireguard"; + Description = "Personal Wireguard tunnel"; + MTUBytes = "1300"; + }; + wireguardConfig = { + ListenPort = 51820; + PrivateKeyFile = "/run/secrets/wg.key"; + }; + wireguardPeers = + [ + { + wireguardPeerConfig = + { + Endpoint = "${endpoints.lipwig}:51820"; + AllowedIPs = ["0.0.0.0/0"]; + PublicKey = config.secrets.wireguardPubs.lipwig; + } + // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}); + } + { + wireguardPeerConfig = + { + Endpoint = "${endpoints.spt-omnia}:51820"; + AllowedIPs = [ + "${config.cynerd.hosts.wg.spt-omnia}/32" + "10.8.2.0/24" + ]; + PublicKey = config.secrets.wireguardPubs.spt-omnia; + } + // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}); + } + #{ + # wireguardPeerConfig = + # { + # Endpoint = "${endpoints.adm-omnia}:51820"; + # AllowedIPs = [ + # "${config.cynerd.hosts.wg.adm-omnia}/32" + # "10.8.3.0/24" + # ]; + # PublicKey = config.secrets.wireguardPubs.adm-omnia; + # } + # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}); + #} + ] + ++ (optionals is_endpoint (mapAttrsToList (n: v: { + wireguardPeerConfig = { + AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32"; + PublicKey = v; + }; + }) (filterAttrs (n: _: ! endpoints ? 
"${n}") config.secrets.wireguardPubs))); + }; + networks."wg" = { + matchConfig.Name = "wg"; + networkConfig = { + Address = "${config.cynerd.hosts.wg."${hostName}"}/24"; + IPForward = is_endpoint; + }; + routes = + (optional (hostName != "spt-omnia") { + routeConfig = { + Gateway = config.cynerd.hosts.wg.spt-omnia; + Destination = "10.8.2.0/24"; + }; + }) + ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") { + routeConfig = { + Gateway = config.cynerd.hosts.wg.adm-omnia; + Destination = "10.8.3.0/24"; + }; + }); + }; }; + networking.firewall.allowedUDPPorts = [51820]; + }; } -- cgit v1.2.3
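Review bot: `networking.firewall.allowedUDPPorts = [51820];` at the end opens the listen port on every host that enables the module, while only the three hosts in `endpoints` are ever dialed; non-endpoints already carry `PersistentKeepalive = 25` to keep their outbound NAT mapping alive, so a roaming laptop gains nothing from an inbound hole on untrusted networks (WireGuard stays silent to unauthenticated packets, so the risk is small, but the exposure is still needless) — `networking.firewall.allowedUDPPorts = optionals is_endpoint [51820];` limits it to the hosts that publish an endpoint. The `10.8.3.0/24` route via `config.cynerd.hosts.wg.adm-omnia` is kept although the adm-omnia peer block is commented out, so on a non-endpoint host that traffic is cryptokey-routed to the lipwig peer's `0.0.0.0/0` entry and, as far as this hunk shows, lipwig itself has no adm-omnia peer either (endpoints are filtered out of the `mapAttrsToList` list); comment the route out together with the peer, or restore both. `AllowedIPs = ["0.0.0.0/0"]` on the lipwig peer also applies on spt-omnia/adm-omnia, which set `IPForward = is_endpoint`, so lipwig may emit packets with any source address towards their LANs — acceptable only if lipwig is trusted as much as those routers, otherwise narrow it on endpoint hosts to the tunnel prefix and the subnets lipwig actually relays. When `hostName` is an endpoint the peer list also contains the host's own public key (e.g. lipwig's entry on lipwig); the kernel ignores a peer carrying the device's own key, I believe, but filtering with `n != hostName` would make the intent explicit, and `PrivateKeyFile = "/run/secrets/wg.key"` must be readable by the `systemd-network` user, which the secrets tooling presumably arranges — worth a comment on that line.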