wg-sigma-public

This commit is contained in:
Casper V. Kristensen 2024-02-24 19:36:29 +01:00
parent 4479468c0c
commit 6936031d57
8 changed files with 150 additions and 5 deletions


@ -1,6 +1,7 @@
{ ... }: {
systemd.network.networks = {
"10-lan" = {
{ config, ... }: {
systemd.network = {
# Main interface
networks."10-lan" = {
name = "enp1s0";
networkConfig.DHCP = "ipv4";
address = [
@ -10,5 +11,58 @@
{ routeConfig = { Gateway = "fe80::1"; }; }
];
};
# The following routes traffic destined for 49.13.33.75 (floating IP) to
# sigma through wireguard. This allows the server to have a public address
# even though it is behind NAT.
netdevs."50-wg-sigma-public" = {
netdevConfig = {
Name = "wg-sigma-public";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 51820;
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-alpha.path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
# Add to the main routing table that traffic for the address should
# be sent to sigma.
AllowedIPs = [ "49.13.33.75/32" ];
RouteTable = "main";
};
}
];
};
networks."wg-sigma-public" = {
name = "wg-sigma-public";
};
};
# Enable forwarding of packets
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv4.conf.all.forwarding" = true;
};
networking = {
firewall.allowedUDPPorts = [ 51820 ];
};
age.secrets.wireguard-preshared-key-file = {
file = ../../secrets/wireguard-preshared-key-file.age;
mode = "640";
owner = "root";
group = "systemd-network";
};
age.secrets.wireguard-private-key-file-alpha = {
file = ../../secrets/wireguard-private-key-file-alpha.age;
mode = "640";
owner = "root";
group = "systemd-network";
};
}
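Review bot: The sysctls `net.ipv4.ip_forward` and `net.ipv4.conf.all.forwarding` make alpha an unrestricted router, and nothing in this hunk limits which interfaces it forwards between; as far as I recall the NixOS firewall only filters input by default, so forwarded traffic is not filtered unless rules are added. The cryptokey routing on the peer (`AllowedIPs = [ "49.13.33.75/32" ]`) already means only packets sourced from the floating IP are accepted from the tunnel, so the practical exposure looks small, but I would still pin it down, e.g. with `networking.firewall.extraForwardRules` (if nftables is in use) restricting forwarding to `enp1s0` ↔ `wg-sigma-public`, or at least a comment stating that unfiltered forwarding is relied upon. The two sysctls appear to write the same kernel setting, so one of them is redundant. The comment says traffic is routed "to sigma" while the peer's config lives in hosts/omega/network.nix and its key file is named `-omega`; if sigma is a service hosted on omega, a phrase like `# ... to omega (which hosts sigma) through wireguard` would save the next reader the confusion.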


@ -5,6 +5,7 @@
../../modules/desktop
../../modules/syncthing.nix
./hardware.nix
./network.nix
./sway.nix
];

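--- /dev/null
+++ b/hosts/omega/network.nix
@@ -0,0 +1,69 @@
+{ config, ... }: {
+systemd.network = {
+config = {
+routeTables = {
+"wg-sigma-public" = 822944075;
+};
+};
+# The following establishes a wireguard tunnel to alpha and configures
+# receiving traffic destined for 49.13.33.75. This allows us to have a
+# public address even though we are behind NAT.
+netdevs."50-wg-sigma-public" = {
+netdevConfig = {
+Name = "wg-sigma-public";
+Kind = "wireguard";
+};
+wireguardConfig = {
+PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path;
+};
+wireguardPeers = [
+{
+wireguardPeerConfig = {
+PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
+PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
+Endpoint = "alpha.caspervk.net:51820";
+# Keep NAT mappings and stateful firewalls open at the ISP
+PersistentKeepalive = 25;
+# AllowedIPs is both an ACL for incoming traffic, as well as a
+# routing table specifying to which peer outgoing traffic should be
+# sent. We want to allow incoming traffic from any address on the
+# internet (routed through alpha), but only replies to this should
+# be routed back over wireguard. Unlike if we had used NAT, IP
+# routes are stateless, so we have no notion of "replies". Instead,
+# we add these routes to a specific routing table and configure a
+# routing policy rule to only use it for packets being sent as the
+# public IP.
+AllowedIPs = [ "0.0.0.0/0" ];
+RouteTable = "wg-sigma-public";
+};
+}
+];
+};
+networks."wg-sigma-public" = {
+name = "wg-sigma-public";
+address = [ "49.13.33.75/32" ];
+routingPolicyRules = [
+{
+routingPolicyRuleConfig = {
+From = "49.13.33.75/32";
+Table = "wg-sigma-public";
+};
+}
+];
+};
+};
+age.secrets.wireguard-preshared-key-file = {
+file = ../../secrets/wireguard-preshared-key-file.age;
+mode = "640";
+owner = "root";
+group = "systemd-network";
+};
+age.secrets.wireguard-private-key-file-omega = {
+file = ../../secrets/wireguard-private-key-file-omega.age;
+mode = "640";
+owner = "root";
+group = "systemd-network";
+};
+}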
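Review bot: With `AllowedIPs = [ "0.0.0.0/0" ]` on the peer and 49.13.33.75 assigned locally, every service on omega that listens on all addresses and is allowed through `networking.firewall` becomes reachable from the whole internet, not only from the LAN behind the ISP NAT; the comment states that intent for incoming traffic, but the modules imported in default.nix (desktop, syncthing) are not visible here, so I cannot tell which ports that currently includes. I would open public services explicitly per interface with `networking.firewall.interfaces."wg-sigma-public".allowedTCPPorts` / `.allowedUDPPorts` and keep LAN-only ports scoped to the LAN interface, rather than relying on the global lists. A warning next to the netdev would also help, e.g. `# WARNING: any port allowed through the firewall on 0.0.0.0 is now reachable from the internet via 49.13.33.75.` The `Endpoint` hostname is resolved when the netdev is created, so if DNS is not yet available at that point the tunnel may need a re-trigger; worth confirming on a cold boot.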


@ -1,6 +1,6 @@
{ ... }: {
systemd.network.networks = {
"10-lan" = {
systemd.network = {
networks."10-lan" = {
# IPv4 settings are from `sudo dhcpcd --test`.
# IPv6 settings are from https://www.ssdvps.dk/knowledgebase/18/IPv6-Gateway.html.
name = "ens3";


@ -21,4 +21,12 @@ let
in
{
"users-hashed-password-file.age".publicKeys = all;
## Wireguard
# The preshared key adds an additional layer of symmetric-key crypto to be
# mixed into the already existing public-key crypto, for post-quantum
# resistance. Public-keys are generated using `wireguard-vanity-address`.
"wireguard-preshared-key-file.age".publicKeys = [ alpha omega ];
"wireguard-private-key-file-alpha.age".publicKeys = [ alpha ];
"wireguard-private-key-file-omega.age".publicKeys = [ omega ];
}


@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 KjvmEQ u+aOAxwH7BgSou88oBlAFTsLZ+Wmbr5ld99nEeBfoic
TiJ7uXPXDcZ6GZCErXk+VbTSlX0ECDtYg0175DX4+LI
-> ssh-ed25519 fY+XUg KKDaoOcbkTSgsYQ7KEkP507tjoAin2jgoQ7bJDD7lh8
QTkdXdVK5PN36YglJ2nJKTh5S1Fwy3Myd8kURBPZIcY
--- vcBtZKjPxYnScGb2tizt/USndbXTQcOLorikniOUVbA
£ýàº@ÇÒû=)ÄÁð"xj°P
ªëß+7)YÑÉ<>Þú ý~×Íi³½g"ªã­ilEþ¤‡¼U²ÀÃyî{•ÀBa)


@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 KjvmEQ kZJmzo+d8caINgH4dku5D7TmLhjhf+2I1Hh+OlQYXUg
z7Q6UzU0aOUFa/0wBj7+B5V7gO1uysViyPIfkwDJjOA
--- FAUgHnoCMJ7A6ipR/ACK6doLZWS6qM9vR61KD4V1N/E
êTæ(<28>ÚvHlK9ºp#1{òKe<4B>°§îƒ_Ÿý ÷; `W„[\ŠÕ̹<C38C><C2B9>·ÛXÈÑšMz¥‘â»üÚ(ΧX:À´3o K<C2A0>Àn
