diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2024-12-30 16:29:51 +0100 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2025-03-14 01:00:46 +0100 |
| commit | 710a9a6617422335bb84c5314394977310c073ef (patch) | |
| tree | cafd0ca0737b979d2abc542887327be4af2df433 /flakes/private | |
| parent | 16f579fb4ef33fc22d7292cccc172bdcdea7e458 (diff) | |
| download | Nix-710a9a6617422335bb84c5314394977310c073ef.tar.gz Nix-710a9a6617422335bb84c5314394977310c073ef.tar.zst Nix-710a9a6617422335bb84c5314394977310c073ef.zip | |
Add wireguard vpn config
Diffstat (limited to 'flakes/private')
| -rw-r--r-- | flakes/private/borg_backup/flake.lock | 2 | ||||
| -rw-r--r-- | flakes/private/chatons/flake.lock | 2 | ||||
| -rw-r--r-- | flakes/private/environment/flake.nix | 13 | ||||
| -rw-r--r-- | flakes/private/mail-relay/flake.lock | 2 | ||||
| -rw-r--r-- | flakes/private/milters/flake.lock | 2 | ||||
| -rw-r--r-- | flakes/private/monitoring/flake.lock | 2 | ||||
| -rw-r--r-- | flakes/private/opendmarc/flake.lock | 2 | ||||
| -rw-r--r-- | flakes/private/ssh/flake.lock | 2 | ||||
| -rw-r--r-- | flakes/private/system/flake.lock | 2 | ||||
| -rw-r--r-- | flakes/private/system/flake.nix | 26 |
10 files changed, 45 insertions, 10 deletions
diff --git a/flakes/private/borg_backup/flake.lock b/flakes/private/borg_backup/flake.lock index 965a940..86ea364 100644 --- a/flakes/private/borg_backup/flake.lock +++ b/flakes/private/borg_backup/flake.lock | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | "environment": { | 3 | "environment": { |
| 4 | "locked": { | 4 | "locked": { |
| 5 | "lastModified": 1, | 5 | "lastModified": 1, |
| 6 | "narHash": "sha256-PQ5694ARRlpj00lk/C/T0UPGhPO+n0TEcLR1mde0s8M=", | 6 | "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=", |
| 7 | "path": "../environment", | 7 | "path": "../environment", |
| 8 | "type": "path" | 8 | "type": "path" |
| 9 | }, | 9 | }, |
diff --git a/flakes/private/chatons/flake.lock b/flakes/private/chatons/flake.lock index ca16714..14bc263 100644 --- a/flakes/private/chatons/flake.lock +++ b/flakes/private/chatons/flake.lock | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | "environment": { | 3 | "environment": { |
| 4 | "locked": { | 4 | "locked": { |
| 5 | "lastModified": 1, | 5 | "lastModified": 1, |
| 6 | "narHash": "sha256-PQ5694ARRlpj00lk/C/T0UPGhPO+n0TEcLR1mde0s8M=", | 6 | "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=", |
| 7 | "path": "../environment", | 7 | "path": "../environment", |
| 8 | "type": "path" | 8 | "type": "path" |
| 9 | }, | 9 | }, |
diff --git a/flakes/private/environment/flake.nix b/flakes/private/environment/flake.nix index c389105..9df316d 100644 --- a/flakes/private/environment/flake.nix +++ b/flakes/private/environment/flake.nix | |||
| @@ -165,6 +165,19 @@ | |||
| 165 | }; | 165 | }; |
| 166 | }; | 166 | }; |
| 167 | }; | 167 | }; |
| 168 | wireguard = mkOption { | ||
| 169 | description = "Wireguard key"; | ||
| 170 | default = { enable = false; }; | ||
| 171 | type = submodule { | ||
| 172 | options = { | ||
| 173 | enable = mkEnableOption "Enable wireguard"; | ||
| 174 | private = mkOption { type = str; description = "Private key"; }; | ||
| 175 | public = mkOption { type = str; description = "Public key"; }; | ||
| 176 | port = mkOption { type = port; description = "Port"; }; | ||
| 177 | ip = mkOption { type = str; description = "IP"; }; | ||
| 178 | }; | ||
| 179 | }; | ||
| 180 | }; | ||
| 168 | ips = mkOption { | 181 | ips = mkOption { |
| 169 | description = '' | 182 | description = '' |
| 170 | attrs of ip4/ip6 grouped by section | 183 | attrs of ip4/ip6 grouped by section |
diff --git a/flakes/private/mail-relay/flake.lock b/flakes/private/mail-relay/flake.lock index 965a940..86ea364 100644 --- a/flakes/private/mail-relay/flake.lock +++ b/flakes/private/mail-relay/flake.lock | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | "environment": { | 3 | "environment": { |
| 4 | "locked": { | 4 | "locked": { |
| 5 | "lastModified": 1, | 5 | "lastModified": 1, |
| 6 | "narHash": "sha256-PQ5694ARRlpj00lk/C/T0UPGhPO+n0TEcLR1mde0s8M=", | 6 | "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=", |
| 7 | "path": "../environment", | 7 | "path": "../environment", |
| 8 | "type": "path" | 8 | "type": "path" |
| 9 | }, | 9 | }, |
diff --git a/flakes/private/milters/flake.lock b/flakes/private/milters/flake.lock index 77427f4..673c36e 100644 --- a/flakes/private/milters/flake.lock +++ b/flakes/private/milters/flake.lock | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | "environment": { | 3 | "environment": { |
| 4 | "locked": { | 4 | "locked": { |
| 5 | "lastModified": 1, | 5 | "lastModified": 1, |
| 6 | "narHash": "sha256-PQ5694ARRlpj00lk/C/T0UPGhPO+n0TEcLR1mde0s8M=", | 6 | "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=", |
| 7 | "path": "../environment", | 7 | "path": "../environment", |
| 8 | "type": "path" | 8 | "type": "path" |
| 9 | }, | 9 | }, |
diff --git a/flakes/private/monitoring/flake.lock b/flakes/private/monitoring/flake.lock index eeff363..7f03e17 100644 --- a/flakes/private/monitoring/flake.lock +++ b/flakes/private/monitoring/flake.lock | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | "environment": { | 3 | "environment": { |
| 4 | "locked": { | 4 | "locked": { |
| 5 | "lastModified": 1, | 5 | "lastModified": 1, |
| 6 | "narHash": "sha256-PQ5694ARRlpj00lk/C/T0UPGhPO+n0TEcLR1mde0s8M=", | 6 | "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=", |
| 7 | "path": "../environment", | 7 | "path": "../environment", |
| 8 | "type": "path" | 8 | "type": "path" |
| 9 | }, | 9 | }, |
diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock index 6947cd3..e212274 100644 --- a/flakes/private/opendmarc/flake.lock +++ b/flakes/private/opendmarc/flake.lock | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | "environment": { | 3 | "environment": { |
| 4 | "locked": { | 4 | "locked": { |
| 5 | "lastModified": 1, | 5 | "lastModified": 1, |
| 6 | "narHash": "sha256-PQ5694ARRlpj00lk/C/T0UPGhPO+n0TEcLR1mde0s8M=", | 6 | "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=", |
| 7 | "path": "../environment", | 7 | "path": "../environment", |
| 8 | "type": "path" | 8 | "type": "path" |
| 9 | }, | 9 | }, |
diff --git a/flakes/private/ssh/flake.lock b/flakes/private/ssh/flake.lock index 965a940..86ea364 100644 --- a/flakes/private/ssh/flake.lock +++ b/flakes/private/ssh/flake.lock | |||
| @@ -3,7 +3,7 @@ | |||
| 3 | "environment": { | 3 | "environment": { |
| 4 | "locked": { | 4 | "locked": { |
| 5 | "lastModified": 1, | 5 | "lastModified": 1, |
| 6 | "narHash": "sha256-PQ5694ARRlpj00lk/C/T0UPGhPO+n0TEcLR1mde0s8M=", | 6 | "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=", |
| 7 | "path": "../environment", | 7 | "path": "../environment", |
| 8 | "type": "path" | 8 | "type": "path" |
| 9 | }, | 9 | }, |
diff --git a/flakes/private/system/flake.lock b/flakes/private/system/flake.lock index 60c2dfc..cc104c6 100644 --- a/flakes/private/system/flake.lock +++ b/flakes/private/system/flake.lock | |||
| @@ -19,7 +19,7 @@ | |||
| 19 | "environment": { | 19 | "environment": { |
| 20 | "locked": { | 20 | "locked": { |
| 21 | "lastModified": 1, | 21 | "lastModified": 1, |
| 22 | "narHash": "sha256-PQ5694ARRlpj00lk/C/T0UPGhPO+n0TEcLR1mde0s8M=", | 22 | "narHash": "sha256-TsRuohxw/zmZy1PV2kyraE9VbLULWOyad2jir8O9UbQ=", |
| 23 | "path": "../environment", | 23 | "path": "../environment", |
| 24 | "type": "path" | 24 | "type": "path" |
| 25 | }, | 25 | }, |
diff --git a/flakes/private/system/flake.nix b/flakes/private/system/flake.nix index 9010140..775dfcb 100644 --- a/flakes/private/system/flake.nix +++ b/flakes/private/system/flake.nix | |||
| @@ -23,8 +23,30 @@ | |||
| 23 | permissions = "0400"; | 23 | permissions = "0400"; |
| 24 | }; | 24 | }; |
| 25 | 25 | ||
| 26 | networking.extraHosts = builtins.concatStringsSep "\n" | 26 | networking.extraHosts = lib.mkMerge [ |
| 27 | (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes); | 27 | (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes)) |
| 28 | (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${v.config.hostEnv.wireguard.ip} wg-${n}") (lib.filterAttrs (n: v: v.config.hostEnv.wireguard.enable) nodes))) | ||
| 29 | ]; | ||
| 30 | |||
| 31 | networking.firewall.allowedUDPPorts = lib.mkIf config.hostEnv.wireguard.enable [ config.hostEnv.wireguard.port ]; | ||
| 32 | networking.wg-quick.interfaces.wg0 = lib.mkIf config.hostEnv.wireguard.enable { | ||
| 33 | privateKeyFile = config.secrets.fullPaths."wireguard/private_key"; | ||
| 34 | listenPort = config.hostEnv.wireguard.port; | ||
| 35 | address = [ | ||
| 36 | "${config.hostEnv.wireguard.ip}/24" | ||
| 37 | ]; | ||
| 38 | peers = lib.mapAttrsToList (name: v: { | ||
| 39 | publicKey = v.config.hostEnv.wireguard.public; | ||
| 40 | endpoint = "${name}:${builtins.toString v.config.hostEnv.wireguard.port}"; | ||
| 41 | allowedIPs = [ "${v.config.hostEnv.wireguard.ip}/32" ]; | ||
| 42 | }) (lib.filterAttrs (n: v: v.config.hostEnv.wireguard.enable) nodes); | ||
| 43 | }; | ||
| 44 | secrets.keys."wireguard/private_key" = lib.mkIf config.hostEnv.wireguard.enable { | ||
| 45 | permissions = "0400"; | ||
| 46 | text = config.hostEnv.wireguard.private; | ||
| 47 | user = "root"; | ||
| 48 | group = "root"; | ||
| 49 | }; | ||
| 28 | 50 | ||
| 29 | users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ]; | 51 | users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ]; |
| 30 | secrets.deleteSecretsVars = true; | 52 | secrets.deleteSecretsVars = true; |