wg-sigma-public

hosts/alpha/network.nix

@@ -1,6 +1,7 @@
-{ ... }: {
+{ config, ... }: {
-  systemd.network.networks = {
+  systemd.network = {
-    "10-lan" = {
+    # Main interface
+    networks."10-lan" = {
       name = "enp1s0";
       networkConfig.DHCP = "ipv4";
       address = [
@@ -10,5 +11,58 @@
         { routeConfig = { Gateway = "fe80::1"; }; }
       ];
     };
+
+    # The following routes traffic destined for 49.13.33.75 (floating IP) to
+    # sigma through wireguard. This allows the server to have a public address
+    # even though it is behind NAT.
+    netdevs."50-wg-sigma-public" = {
+      netdevConfig = {
+        Name = "wg-sigma-public";
+        Kind = "wireguard";
+      };
+      wireguardConfig = {
+        ListenPort = 51820;
+        PrivateKeyFile = config.age.secrets.wireguard-private-key-file-alpha.path;
+      };
+      wireguardPeers = [
+        {
+          wireguardPeerConfig = {
+            PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
+            PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
+            # Add to the main routing table that traffic for the address should
+            # be sent to sigma.
+            AllowedIPs = [ "49.13.33.75/32" ];
+            RouteTable = "main";
+          };
+        }
+      ];
+    };
+    networks."wg-sigma-public" = {
+      name = "wg-sigma-public";
+    };
+  };
+
+  # Enable forwarding of packets
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = true;
+    "net.ipv4.conf.all.forwarding" = true;
+  };
+
+  networking = {
+    firewall.allowedUDPPorts = [ 51820 ];
+  };
+
+  age.secrets.wireguard-preshared-key-file = {
+    file = ../../secrets/wireguard-preshared-key-file.age;
+    mode = "640";
+    owner = "root";
+    group = "systemd-network";
+  };
+
+  age.secrets.wireguard-private-key-file-alpha = {
+    file = ../../secrets/wireguard-private-key-file-alpha.age;
+    mode = "640";
+    owner = "root";
+    group = "systemd-network";
   };
 }

hosts/omega/default.nix

@@ -5,6 +5,7 @@
     ../../modules/desktop
     ../../modules/syncthing.nix
     ./hardware.nix
+    ./network.nix
     ./sway.nix
   ];
 

hosts/omega/network.nix

@@ -0,0 +1,69 @@
+{ config, ... }: {
+  systemd.network = {
+    config = {
+      routeTables = {
+        "wg-sigma-public" = 822944075;
+      };
+    };
+    # The following establishes a wireguard tunnel to alpha and configures
+    # receiving traffic destined for 49.13.33.75. This allows us to have a
+    # public address even though we are behind NAT.
+    netdevs."50-wg-sigma-public" = {
+      netdevConfig = {
+        Name = "wg-sigma-public";
+        Kind = "wireguard";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path;
+      };
+      wireguardPeers = [
+        {
+          wireguardPeerConfig = {
+            PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
+            PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
+            Endpoint = "alpha.caspervk.net:51820";
+            # Keep NAT mappings and stateful firewalls open at the ISP
+            PersistentKeepalive = 25;
+            # AllowedIPs is both an ACL for incoming traffic, as well as a
+            # routing table specifying to which peer outgoing traffic should be
+            # sent. We want to allow incoming traffic from any address on the
+            # internet (routed through alpha), but only replies to this should
+            # be routed back over wireguard. Unlike if we had used NAT, IP
+            # routes are stateless, so we have no notion of "replies". Instead,
+            # we add these routes to a specific routing table and configure a
+            # routing policy rule to only use it for packets being sent as the
+            # public IP.
+            AllowedIPs = [ "0.0.0.0/0" ];
+            RouteTable = "wg-sigma-public";
+          };
+        }
+      ];
+    };
+    networks."wg-sigma-public" = {
+      name = "wg-sigma-public";
+      address = [ "49.13.33.75/32" ];
+      routingPolicyRules = [
+        {
+          routingPolicyRuleConfig = {
+            From = "49.13.33.75/32";
+            Table = "wg-sigma-public";
+          };
+        }
+      ];
+    };
+  };
+
+  age.secrets.wireguard-preshared-key-file = {
+    file = ../../secrets/wireguard-preshared-key-file.age;
+    mode = "640";
+    owner = "root";
+    group = "systemd-network";
+  };
+
+  age.secrets.wireguard-private-key-file-omega = {
+    file = ../../secrets/wireguard-private-key-file-omega.age;
+    mode = "640";
+    owner = "root";
+    group = "systemd-network";
+  };
+}

hosts/tor/network.nix

@@ -1,6 +1,6 @@
 { ... }: {
-  systemd.network.networks = {
+  systemd.network = {
-    "10-lan" = {
+    networks."10-lan" = {
       # IPv4 settings are from `sudo dhcpcd --test`.
       # IPv6 settings are from https://www.ssdvps.dk/knowledgebase/18/IPv6-Gateway.html.
       name = "ens3";

secrets/secrets.nix

@@ -21,4 +21,12 @@ let
 in
 {
   "users-hashed-password-file.age".publicKeys = all;
+
+  ## Wireguard
+  # The preshared key adds an additional layer of symmetric-key crypto to be
+  # mixed into the already existing public-key crypto, for post-quantum
+  # resistance. Public-keys are generated using `wireguard-vanity-address`.
+  "wireguard-preshared-key-file.age".publicKeys = [ alpha omega ];
+  "wireguard-private-key-file-alpha.age".publicKeys = [ alpha ];
+  "wireguard-private-key-file-omega.age".publicKeys = [ omega ];
 }

secrets/wireguard-preshared-key-file.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 KjvmEQ u+aOAxwH7BgSou88oBlAFTsLZ+Wmbr5ld99nEeBfoic
+TiJ7uXPXDcZ6GZCErXk+VbTSlX0ECDtYg0175DX4+LI
+-> ssh-ed25519 fY+XUg KKDaoOcbkTSgsYQ7KEkP507tjoAin2jgoQ7bJDD7lh8
+QTkdXdVK5PN36YglJ2nJKTh5S1Fwy3Myd8kURBPZIcY
+--- vcBtZKjPxYnScGb2tizt/USndbXTQcOLorikniOUVbA
+£ýàº@ÇÒû=–)ÄÁð"xj°P
+ªëß+7)YÑÉ
|¾
<>Þú‹ ý~×Íi³½g"ªã­ilEþ¤‡¼U²ÀÃyî{•ÀBa)

secrets/wireguard-private-key-file-alpha.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 KjvmEQ kZJmzo+d8caINgH4dku5D7TmLhjhf+2I1Hh+OlQYXUg
+z7Q6UzU0aOUFa/0wBj7+B5V7gO1uysViyPIfkwDJjOA
+--- FAUgHnoCMJ7A6ipR/ACK6doLZWS6qM9vR61KD4V1N/E
+êTæ(<28>ÚvHlK9‘º›p#1{òKe<4B>°§îƒ_Ÿý ÷; `W„[\ŠÕ̹<C38C><C2B9>·ÛXÈÑšMz¥‘â»üÚ(ΧX:À´3›o K<C2A0>Àn