From e84e6dcf117080eaf7658b25fb20a9dc3b5d1cfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Sun, 24 Mar 2024 19:05:39 +0100
Subject: Add wireguard and more updates

---
 nixos/configurations/binky.nix | 24 ++++++++--
 nixos/configurations/dean.nix | 45 +++++++++--------
 nixos/configurations/lipwig.nix | 18 +++++--
 nixos/configurations/spt-omnia.nix | 6 ++-
 nixos/configurations/spt-omniax.nix | 51 --------------------
 nixos/modules/desktop.nix | 1 +
 nixos/modules/develop.nix | 11 ++---
 nixos/modules/generic.nix | 14 +++++-
 nixos/modules/home-assistant.nix | 20 ++++----
 nixos/modules/hosts.nix | 5 +-
 nixos/modules/router.nix | 13 +++--
 nixos/modules/wireguad.nix | 96 ++++++++++++++++++++++++++++++++++---
 12 files changed, 189 insertions(+), 115 deletions(-)
 delete mode 100644 nixos/configurations/spt-omniax.nix
(limited to 'nixos')

diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix
index c51f95b..bdfa47e 100644
--- a/nixos/configurations/binky.nix
+++ b/nixos/configurations/binky.nix
@@ -14,10 +14,8 @@ in {
 };
 wifiClient = true;
 develop = true;
- openvpn = {
- oldpersonal = true;
- elektroline = true;
- };
+ wireguard = true;
+ openvpn.elektroline = true;
 };
 
 boot = {
@@ -56,6 +54,24 @@ in {
 fileSystems = ["/"];
 };
 
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ networks = {
+ "dhcp" = {
+ matchConfig.Name = "enp2s0f0 enp5s0f3u1u1 wlp3s0";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ wait-online.enable = false;
+ };
+
 services.syncthing = {
 enable = true;
 user = mkDefault "cynerd";
diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix
index b91083c..44feaea 100644
--- a/nixos/configurations/dean.nix
+++ b/nixos/configurations/dean.nix
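Review bot: `linkConfig.RequiredForOnline = "routable"` in the new "dhcp" network is consulted primarily by systemd-networkd-wait-online, which the same block switches off with `wait-online.enable = false`, so as written the line has no practical effect; either drop it or keep wait-online enabled for that link. A one-line comment giving the reason wait-online is disabled would help, since dean.nix and lipwig.nix in this commit do the same without explanation.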
@@ -1,35 +1,38 @@
 {pkgs, ...}: {
- nixpkgs.hostPlatform.system = "aarch64-linux";
+ turris.board = "mox";
+ deploy.enable = true;
 
 cynerd = {
- openvpn = {
- oldpersonal = true;
- };
+ wireguard = true;
 monitoring.speedtest = true;
 };
 
 networking = {
- bridges = {
- brlan = {
- interfaces = [
- "eth0"
- "lan1"
- "lan2"
- "lan3"
- "lan4"
- ];
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ systemd.network = {
+ netdevs."brlab".netdevConfig = {
+ Kind = "bridge";
+ Name = "brlan";
+ };
+ networks = {
+ "brlan" = {
+ matchConfig.Name = "brlan";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = "yes";
+ };
+ };
+ "lan-brlan" = {
+ matchConfig.Name = "lan* end0";
+ networkConfig.Bridge = "brlan";
 };
 };
- dhcpcd.allowInterfaces = ["brlan"];
+ # TODO investigate why it doesn't work
+ wait-online.enable = false;
 };
 
- swapDevices = [
- {
- device = "/var/swap";
- priority = 1;
- }
- ];
-
 environment.systemPackages = with pkgs; [
 #openocd
 tio
diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix
index c484541..0eefe5f 100644
--- a/nixos/configurations/lipwig.nix
+++ b/nixos/configurations/lipwig.nix
@@ -19,6 +19,7 @@
 enable = false;
 baseDir = "/nas";
 };
+ wireguard = true;
 openvpn.oldpersonal = true;
 };
 
@@ -29,10 +30,21 @@
 fsType = "nfs";
 };
 
- networking.firewall = {
- allowedTCPPorts = [80 443];
- allowedUDPPorts = [1194];
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ nftables.enable = true;
+ firewall = {
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [1194];
+ filterForward = true;
+ extraForwardRules = ''
+ iifname {"wg", "personalvpn"} oifname {"wg", "personalvpn"} accept
+ '';
+ };
 };
+ systemd.network.wait-online.enable = false;
+ systemd.services.networking-setup.wantedBy = ["network-online.target"];
 
 # Web ######################################################################
 services.nginx = {
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix
index ca4d211..8456368 100644
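Review bot: The bridge netdev in dean.nix is declared under the key `"brlab"` while its `Name` is `brlan` and both the `"brlan"` and `"lan-brlan"` networks match on `brlan`; this looks like a typo that only misnames the generated unit, so rename it to `netdevs."brlan".netdevConfig = {`. The `# TODO investigate why it doesn't work` above `wait-online.enable = false` would help a future reader more if it recorded what was actually observed (what hangs or fails, and on which interface); as written it explains neither the symptom nor why disabling wait-online is an acceptable workaround.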
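Review bot: The new `extraForwardRules` in lipwig.nix accepts all traffic between `wg` and `personalvpn` in both directions with no source restriction, so every WireGuard peer that reaches lipwig gains access to the whole OpenVPN network and vice versa, and with `filterForward = true` this is the only forward policy visible here; if that bridging is intended, state it in a comment above the rule, e.g. `# Bridge the WireGuard and OpenVPN overlays: peers on either side may reach each other.`. The spt-omnia hunk extends its existing `home`/`personalvpn` accept set with `wg` in the same way, which combined with this rule appears to let OpenVPN clients on lipwig transit wg into the home LAN — consistent with the old personalvpn behaviour, but worth writing down next to that rule as well. `systemd.services.networking-setup.wantedBy = ["network-online.target"]` references a scripted-networking unit in the same block that turns on `useNetworkd = true`; confirm that unit still exists and does something useful under networkd, otherwise drop the line.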
--- a/nixos/configurations/spt-omnia.nix
+++ b/nixos/configurations/spt-omnia.nix
@@ -37,12 +37,13 @@ in {
 channel = 36;
 };
 };
+ wireguard = true;
 openvpn.oldpersonal = true;
 monitoring.speedtest = true;
 };
 
 services.journald.extraConfig = ''
- SystemMaxUse=512M
+ SystemMaxUse=8G
 '';
 
 environment = {
@@ -136,6 +137,7 @@ in {
 IPv6AcceptRA = "no";
 DHCPPrefixDelegation = "yes";
 };
+ dhcpV6Config.PrefixDelegationHint = "::/56";
 dhcpPrefixDelegationConfig = {
 UplinkInterface = ":self";
 SubnetId = 0;
@@ -179,7 +181,7 @@ in {
 # TODO limit NSS clamping to just pppoe-wan
 networking.firewall.extraForwardRules = ''
 tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
- iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept
+ iifname {"home", "personalvpn", "wg"} oifname {"home", "personalvpn", "wg"} accept
 '';
 
 services.syncthing = {
diff --git a/nixos/configurations/spt-omniax.nix b/nixos/configurations/spt-omniax.nix
deleted file mode 100644
index 4f9e0e0..0000000
--- a/nixos/configurations/spt-omniax.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- turris.board = "omnia";
-
- cynerd = {
- router = {
- enable = true;
- wan = "end2";
- lanIP = "192.168.2.1";
- };
- wifiAP.spt = {
- enable = true;
- ar9287.interface = "wlp3s0";
- qca988x.interface = "wlp2s0";
- };
- monitoring.speedtest = true;
- };
-
- networking.useDHCP = false;
- systemd.network = {
- networks = {
- "end2" = {
- matchConfig.Name = "end2";
- networkConfig = {
- BindCarrier = "end2";
- DHCP = "yes";
- IPv6AcceptRA = "yes";
- DHCPPrefixDelegation = "yes";
- };
- dhcpPrefixDelegationConfig = {
- UplinkInterface = ":self";
- SubnetId = 0;
- Announce = "no";
- };
- linkConfig.RequiredForOnline = "routable";
- };
- "lan-brlan" = {
- matchConfig.Name = "lan*";
- networkConfig.Bridge = "brlan";
- bridgeVLANs = [
- {
- bridgeVLANConfig = {
- EgressUntagged = 1;
- PVID = 1;
- };
- }
- {bridgeVLANConfig.VLAN = 2;}
- ];
- };
- };
- };
-}
diff --git a/nixos/modules/desktop.nix b/nixos/modules/desktop.nix
index d0cc9d5..b145929 100644
--- a/nixos/modules/desktop.nix
+++ b/nixos/modules/desktop.nix
@@ -264,6 +264,7 @@ in {
 };
 
 documentation = {
+ enable = true;
 man.enable = true;
 info.enable = true;
 };
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 2daead8..e5510c6 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -65,6 +65,7 @@ in {
 (python3.withPackages (pypkgs:
 with pypkgs; [
 ipython
+ python-lsp-server
 pytest
 pytest-html
 
@@ -151,6 +152,10 @@ in {
 programs.wireshark.package = pkgs.wireshark;
 
 documentation = {
+ nixos = {
+ enable = true;
+ includeAllModules = true;
+ };
 dev.enable = true;
 doc.enable = true;
 };
@@ -185,11 +190,5 @@ in {
 "develop"
 "libvirtd"
 ];
-
- # Allow using latest git version from registry
- nixpkgs.flake = {
- setNixPath = false;
- setFlakeRegistry = false;
- };
 };
 }
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index 5c6e2fe..e4ac094 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -43,7 +43,13 @@ in {
 services.fwupd.enable = mkDefault (pkgs.system == "x86_64-linux");
 systemd.oomd.enable = false;
 
- nixpkgs.config.allowUnfree = true;
+ nixpkgs = {
+ config.allowUnfree = true;
+ flake = {
+ setNixPath = false;
+ setFlakeRegistry = false;
+ };
+ };
 
 environment.systemPackages = with pkgs; [
 git # We need git for this repository to even work
@@ -201,5 +207,11 @@ in {
 '';
 
 programs.fuse.userAllowOther = true;
+
+ documentation = {
+ enable = mkDefault false;
+ doc.enable = mkDefault false;
+ nixos.enable = mkDefault false;
+ };
 };
 }
diff --git a/nixos/modules/home-assistant.nix b/nixos/modules/home-assistant.nix
index 267f725..769b1c7 100644
--- a/nixos/modules/home-assistant.nix
+++ b/nixos/modules/home-assistant.nix
@@ -5,13 +5,12 @@
 ...
 }: let
 inherit (lib) mkIf mkEnableOption;
- cnf = config.cynerd.home-assistant;
 in {
 options = {
 cynerd.home-assistant = mkEnableOption "Enable Home Assistant and Bigclown";
 };
 
- config = mkIf cnf {
+ config = mkIf config.cynerd.home-assistant {
 services.mosquitto = {
 enable = true;
 listeners = [
@@ -52,16 +51,13 @@ in {
 1883 # Mosquitto
 ];
 
- services.bigclown = {
- gateway = {
- enable = true;
- device = "/dev/ttyUSB0";
- environmentFile = "/run/secrets/bigclown.env";
- baseTopicPrefix = "bigclown/";
- mqtt = {
- username = "bigclown";
- password = "@PASS_MQTT@";
- };
+ services.bcg = {
+ enable = true;
+ device = "/dev/ttyUSB0";
+ baseTopicPrefix = "bigclown/";
+ mqtt = {
+ username = "bigclown";
+ keyfile = "/run/secrets/mqtt-bigclown.pass";
 };
 };
 
diff --git a/nixos/modules/hosts.nix b/nixos/modules/hosts.nix
index b9a40a6..054098d 100644
--- a/nixos/modules/hosts.nix
+++ b/nixos/modules/hosts.nix
@@ -9,6 +9,7 @@
 staticZoneOption = mkOption {
 type = types.attrsOf types.str;
 readOnly = true;
+ description = "The mapping of zone hosts to their IP";
 };
 in {
 options = {
@@ -29,7 +30,6 @@ in {
 cynerd.hosts = {
 vpn = {
 "lipwig" = "10.8.0.1";
- "dean" = "10.8.0.4";
 # Portable
 "binky" = "10.8.0.2";
 "albert" = "10.8.0.3";
@@ -81,7 +81,6 @@ in {
 "${cnf.vpn.lipwig}" = ["lipwig.vpn"];
 "${cnf.vpn.android}" = ["android.vpn"];
 "${cnf.vpn.albert}" = ["albert.vpn"];
- "${cnf.vpn.dean}" = ["dean" "dean.vpn"];
 "${cnf.vpn.binky}" = ["binky.vpn"];
 "${cnf.vpn.spt-omnia}" = ["spt.vpn"];
 "${cnf.vpn.adm-omnia}" = ["adm.vpn"];
@@ -91,7 +90,7 @@ in {
 "${cnf.wg.android}" = ["android.wg"];
 "${cnf.wg.spt-omnia}" = ["spt.wg"];
 "${cnf.wg.adm-omnia}" = ["adm.wg"];
- "${cnf.wg.dean}" = ["dean.wg"];
+ "${cnf.wg.dean}" = ["dean" "dean.wg"];
 # Spt
 "${cnf.spt.omnia}" = ["omnia.spt"];
 "${cnf.spt.mox}" = ["mox.spt"];
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
index ed634b1..3002d9b 100644
--- a/nixos/modules/router.nix
+++ b/nixos/modules/router.nix
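Review bot: The gateway's MQTT credential now comes from `keyfile = "/run/secrets/mqtt-bigclown.pass"` instead of an `@PASS_MQTT@` placeholder filled from `environmentFile`, which is the better pattern, but nothing in this hunk provisions that path; confirm the secrets mechanism that used to supply `/run/secrets/bigclown.env` now produces `mqtt-bigclown.pass` readable only by the gateway's service user, otherwise the service will start and fail to authenticate. The mosquitto listener this credential is used against is outside the hunk, and `1883 # Mosquitto` in the context is presumably a firewall allow list; the listener's user list and anonymous-access setting deserve a look in the same review since the broker is reachable from the network.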
@@ -54,10 +54,9 @@ in {
 firewall = {
 logRefusedConnections = false;
 interfaces = {
- "home" = {allowedUDPPorts = [67 68];};
- "guest" = {allowedUDPPorts = [67 68];};
+ "home" = {allowedUDPPorts = [53 67 68];};
+ "guest" = {allowedUDPPorts = [53 67 68];};
 };
- rejectPackets = true;
 filterForward = true;
 };
 nat = {
@@ -119,7 +118,7 @@ in {
 PoolOffset = cnf.dynIPStart;
 PoolSize = cnf.dynIPCount;
 EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "${cnf.lanIP}";
 };
 
 dhcpServerStaticLeases = mapAttrsToList (n: v: {
@@ -150,7 +149,7 @@ in {
 PoolOffset = cnf.dynIPStart;
 PoolSize = cnf.dynIPCount;
 EmitDNS = "yes";
- DNS = "1.1.1.1";
+ DNS = "192.168.1.1";
 };
 dhcpPrefixDelegationConfig = {
 UplinkInterface = cnf.wan;
@@ -166,6 +165,10 @@ in {
 enable = true;
 dnssec = "true";
 fallbackDns = ["1.1.1.1" "8.8.8.8"];
+ extraConfig = ''
+ DNSStubListenerExtra=${cnf.lanIP}
+ DNSStubListenerExtra=192.168.1.1
+ '';
 };
 };
 }
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index 67bd8d5..d96fc9e 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
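Review bot: The first hunk opens only UDP 53 on `home` and `guest` while the DHCP servers now hand out the router itself as resolver (`DNS = "${cnf.lanIP}"`, `DNS = "192.168.1.1"`) and the last hunk adds matching `DNSStubListenerExtra=` lines; that listener also serves TCP 53, and clients fall back to TCP for truncated answers, which with `dnssec = "true"` is a realistic case since signed responses can exceed the UDP payload size. Add `allowedTCPPorts = [53];` beside each `allowedUDPPorts` entry, i.e. `"home" = {allowedUDPPorts = [53 67 68]; allowedTCPPorts = [53];};` and the same for `"guest"`. The guest DHCP server and the second `DNSStubListenerExtra` hard-code `192.168.1.1` while the home side uses `${cnf.lanIP}`; if the guest address is defined as an option elsewhere in this module, reference it in both places so the advertised resolver and the listener address cannot drift apart. Exposing the router's recursive resolver to the guest network is a deliberate trust decision that the commit message does not mention; a short comment on the `"guest"` line would make it explicit.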
@@ -1,18 +1,100 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }: let
- inherit (lib) mkEnableOption mkIf;
- cnf = config.cynerd.wireguard;
+ inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
+ inherit (config.networking) hostName;
+ endpoints = {
+ "lipwig" = "cynerd.cz";
+ "spt-omnia" = "spt.cynerd.cz";
+ "adm-omnia" = "adm.cynerd.cz";
+ };
+ is_endpoint = endpoints ? "${hostName}";
 in {
 options = {
- cynerd.wireguard = {
- enable = mkEnableOption "Enable Wireguard";
- };
+ cynerd.wireguard = mkEnableOption "Enable Wireguard";
 };
 
- config =
- mkIf cnf.enable {
+ config = mkIf config.cynerd.wireguard {
+ environment.systemPackages = [pkgs.wireguard-tools];
+ systemd.network = {
+ netdevs."wg" = {
+ netdevConfig = {
+ Name = "wg";
+ Kind = "wireguard";
+ Description = "Personal Wireguard tunnel";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ PrivateKeyFile = "/run/secrets/wg.key";
+ };
+ wireguardPeers =
+ [
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.lipwig}:51820";
+ AllowedIPs = ["0.0.0.0/0"];
+ PublicKey = config.secrets.wireguardPubs.lipwig;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ {
+ wireguardPeerConfig =
+ {
+ Endpoint = "${endpoints.spt-omnia}:51820";
+ AllowedIPs = [
+ "${config.cynerd.hosts.wg.spt-omnia}/32"
+ "10.8.2.0/24"
+ ];
+ PublicKey = config.secrets.wireguardPubs.spt-omnia;
+ }
+ // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ }
+ #{
+ # wireguardPeerConfig =
+ # {
+ # Endpoint = "${endpoints.adm-omnia}:51820";
+ # AllowedIPs = [
+ # "${config.cynerd.hosts.wg.adm-omnia}/32"
+ # "10.8.3.0/24"
+ # ];
+ # PublicKey = config.secrets.wireguardPubs.adm-omnia;
+ # }
+ # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+ #}
+ ]
+ ++ (optionals is_endpoint (mapAttrsToList (n: v: {
+ wireguardPeerConfig = {
+ AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
+ PublicKey = v;
+ };
+ }) (filterAttrs (n: _: ! endpoints ? "${n}") config.secrets.wireguardPubs)));
+ };
+ networks."wg" = {
+ matchConfig.Name = "wg";
+ networkConfig = {
+ Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
+ IPForward = is_endpoint;
+ };
+ routes =
+ (optional (hostName != "spt-omnia") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.spt-omnia;
+ Destination = "10.8.2.0/24";
+ };
+ })
+ ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
+ routeConfig = {
+ Gateway = config.cynerd.hosts.wg.adm-omnia;
+ Destination = "10.8.3.0/24";
+ };
+ });
+ };
+ };
+ networking.firewall.allowedUDPPorts = [51820];
+ };
 }
-- 
cgit v1.2.3
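Review bot: `networking.firewall.allowedUDPPorts = [51820]` and `ListenPort = 51820` are applied on every host that enables the module, yet only the three entries in `endpoints` are ever dialled — all other peers initiate with `PersistentKeepalive` — so roaming machines such as binky needlessly expose a listening port on whatever network they join; use `networking.firewall.allowedUDPPorts = optional is_endpoint 51820;` and consider making `ListenPort` conditional on `is_endpoint` the same way. The two static peers are not filtered by `hostName` although the route list is, so lipwig and spt-omnia each configure themselves as a peer; it is not clear from here how networkd and the wg backend treat a self-peer, and filtering the static list by `hostName` before `++`-ing the dynamic peers removes the question. The second route (`10.8.3.0/24` via adm-omnia) is still installed on non-endpoint hosts while the adm-omnia peer is commented out, which means that traffic falls through to lipwig's `0.0.0.0/0` peer; either comment the route out alongside the peer or document that this fallback is intended. The module lives in `wireguad.nix`, which is missing an `r`.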