nixos/hosts/sigma/network.nix

170 lines
5.3 KiB
Nix
Raw Normal View History

2024-03-28 16:35:03 +01:00
{
config,
2024-03-29 20:38:51 +01:00
lib,
2024-03-28 16:35:03 +01:00
secrets,
...
}: {
2024-03-29 20:38:51 +01:00
# systemd.services.qbittorrent = {
# description = "qBittorrent service";
# documentation = ["man:qbittorrent-nox(1)"];
# wantedBy = ["multi-user.target"];
# wants = ["multi-user.target"];
# after = ["network-online.target" "nss-lookup.target"];
# serviceConfig = {
# Type = "exec";
# User = "flatpak";
# Group = "users";
# ExecStart = pkgs.writers.writeBash "asd" ''
# while true; do ${pkgs.curl}/bin/curl --connect-timeout 1 ip.caspervk.net; echo; sleep 1; done
# '';
# RestrictNetworkInterfaces = "wg-sigma-p2p";
# };
# };
2024-02-24 19:36:29 +01:00
systemd.network = {
config = {
routeTables = {
2024-03-29 20:36:24 +01:00
"wg-sigma-public" = 42;
"wg-sigma-p2p" = 6881;
2024-02-24 19:36:29 +01:00
};
};
2024-02-28 00:49:48 +01:00
2024-02-24 19:36:29 +01:00
# The following establishes a wireguard tunnel to alpha and configures
# receiving traffic destined for 49.13.33.75. This allows us to have a
# public address even though we are behind NAT.
netdevs."50-wg-sigma-public" = {
netdevConfig = {
Name = "wg-sigma-public";
Kind = "wireguard";
};
wireguardConfig = {
2024-03-29 20:38:51 +01:00
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-sigma.path;
2024-02-24 19:36:29 +01:00
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
Endpoint = "alpha.caspervk.net:51820";
# Keep NAT mappings and stateful firewalls open at the ISP
PersistentKeepalive = 25;
# AllowedIPs is both an ACL for incoming traffic, as well as a
# routing table specifying to which peer outgoing traffic should be
# sent. We want to allow incoming traffic from any address on the
# internet (routed through alpha), but only replies to this should
# be routed back over wireguard. Unlike if we had used NAT, IP
# routes are stateless, so we have no notion of "replies". Instead,
# we add these routes to a specific routing table and configure a
# routing policy rule to only use it for packets being sent as the
# public IP.
2024-03-05 22:57:41 +01:00
AllowedIPs = ["0.0.0.0/0"];
2024-02-24 19:36:29 +01:00
RouteTable = "wg-sigma-public";
};
}
];
};
networks."wg-sigma-public" = {
name = "wg-sigma-public";
2024-03-05 22:57:41 +01:00
address = ["49.13.33.75/32"];
2024-02-24 19:36:29 +01:00
routingPolicyRules = [
{
2024-03-29 20:38:51 +01:00
# See the AllowedIPs comment above for why this is necessary
2024-02-24 19:36:29 +01:00
routingPolicyRuleConfig = {
From = "49.13.33.75/32";
Table = "wg-sigma-public";
};
}
];
};
2024-02-28 00:49:48 +01:00
# The following establishes a wireguard tunnel to alpha and configures
2024-03-29 20:36:24 +01:00
# receiving traffic destined for the sigma-p2p address. This allows the
# server to have a public address and help others sail the high seas even
# though it is behind NAT.
2024-02-28 00:49:48 +01:00
netdevs."51-wg-sigma-p2p" = {
netdevConfig = {
Name = "wg-sigma-p2p";
Kind = "wireguard";
};
wireguardConfig = {
2024-03-29 20:38:51 +01:00
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-sigma.path;
2024-02-28 00:49:48 +01:00
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
Endpoint = "alpha.caspervk.net:51821";
PersistentKeepalive = 25;
2024-03-05 22:57:41 +01:00
AllowedIPs = ["0.0.0.0/0"];
2024-02-28 00:49:48 +01:00
RouteTable = "wg-sigma-p2p";
};
}
];
};
networks."wg-sigma-p2p" = {
name = "wg-sigma-p2p";
2024-03-29 20:36:24 +01:00
address = ["${secrets.sigma.sigma-p2p-ip-address}/32"];
2024-02-28 00:49:48 +01:00
routingPolicyRules = [
{
routingPolicyRuleConfig = {
2024-03-29 20:36:24 +01:00
From = "${secrets.sigma.sigma-p2p-ip-address}/32";
2024-02-28 00:49:48 +01:00
Table = "wg-sigma-p2p";
};
}
2024-03-29 20:38:51 +01:00
{
# The deluge systemd service has
# RestrictNetworkInterfaces=wg-sigma-p2p, but that does not tell it
# to use the correct routing table.
routingPolicyRuleConfig = {
User = config.services.deluge.user;
Table = "wg-sigma-p2p";
};
}
2024-02-28 00:49:48 +01:00
];
};
};
2024-03-29 20:38:51 +01:00
# Force explicit firewall configuration to ensure we allow the right services
# on the right interfaces.
networking.firewall = {
allowedTCPPorts = lib.mkForce [];
allowedUDPPorts = lib.mkForce [];
allowedTCPPortRanges = lib.mkForce [];
allowedUDPPortRanges = lib.mkForce [];
interfaces = {
"enp5s0" = {
2024-04-16 01:49:39 +02:00
allowedTCPPorts = [
22 # SSH
];
2024-03-29 20:38:51 +01:00
};
"wg-sigma-public" = {
2024-04-16 01:49:39 +02:00
allowedTCPPorts = [
22 # SSH
80 # Caddy
443 # Caddy
];
2024-03-29 20:38:51 +01:00
};
"wg-sigma-p2p" = {
2024-04-16 01:49:39 +02:00
allowedTCPPorts = [
1337 # random testing (TODO)
];
2024-03-29 20:38:51 +01:00
};
};
};
2024-02-24 19:36:29 +01:00
age.secrets.wireguard-preshared-key-file = {
2024-03-28 16:35:03 +01:00
file = "${secrets}/secrets/wireguard-preshared-key-file.age";
2024-02-24 19:36:29 +01:00
mode = "640";
owner = "root";
group = "systemd-network";
};
2024-03-29 20:38:51 +01:00
age.secrets.wireguard-private-key-file-sigma = {
file = "${secrets}/secrets/wireguard-private-key-file-sigma.age";
2024-02-24 19:36:29 +01:00
mode = "640";
owner = "root";
group = "systemd-network";
};
}