From 2d25c1fc7bbb5b3705f3c1722dec8ff8340686d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?=
Date: Fri, 14 Apr 2023 08:43:23 +0200
Subject: [PATCH] wip: add specus VPN

---
 flake.nix | 4 ++
 modules/specus.nix | 96 +++++++++++++++++++++++++++++++
 systems/ful/configuration.nix | 6 ++
 systems/kabsa/configuration.nix | 6 ++
 systems/makanek/configuration.nix | 6 ++
 5 files changed, 118 insertions(+)
 create mode 100644 modules/specus.nix

diff --git a/flake.nix b/flake.nix
index be30c66..aa77b46 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,6 +49,7 @@
 passport = import modules/passport.nix;
 panoptikon = import modules/panoptikon.nix;
 power-action = import modules/power-action.nix;
+ specus = import modules/specus.nix;
 system-dependent = import modules/system-dependent.nix;
 telegram-bot = import modules/telegram-bot.nix;
 traadfri = import modules/traadfri.nix;
@@ -79,6 +80,7 @@
 systems/ful/configuration.nix
 agenix.nixosModules.default
 inputs.self.nixosModules.passport
+ inputs.self.nixosModules.specus
 inputs.self.nixosModules.panoptikon
 retiolum.nixosModules.retiolum
 nur.nixosModules.nur
@@ -127,6 +129,7 @@
 inputs.self.nixosModules.telegram-bot
 inputs.self.nixosModules.htgen
 inputs.self.nixosModules.passport
+ inputs.self.nixosModules.specus
 agenix.nixosModules.default
 retiolum.nixosModules.retiolum
 nur.nixosModules.nur
@@ -190,6 +193,7 @@
 systems/kabsa/configuration.nix
 agenix.nixosModules.default
 retiolum.nixosModules.retiolum
+ inputs.self.nixosModules.specus
 home-manager.nixosModules.home-manager
 nur.nixosModules.nur
 ];
diff --git a/modules/specus.nix b/modules/specus.nix
new file mode 100644
index 0000000..8d783e0
--- /dev/null
+++ b/modules/specus.nix
@@ -0,0 +1,96 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ specusMachines = {
+ servers = {
+ makanek = {
+ ipv4 = "10.100.0.1";
+ publicKey = "KhcScd4fBpdhQzK8Vc+1mEHQMQBpbKBUPB4oZ7skeSk=";
+ };
+ ful = {
+ ipv4 = "10.100.0.2";
+ publicKey = "0Y7+zoXkWJGVOWWnMjvYjtwP+WpggAlmkRbgMw0z8Dk=";
+ };
+ };
+ clients = {
+ kabsa = {
+ ipv4 = "10.100.0.101";
+ publicKey = "nRkzoRi9crKHF7263U37lt4GGL7/8637NBSKjifI9hY=";
+ };
+ };
+ };
+in {
+ options.services.specus = {
+ server = {
+ enable = lib.mkEnableOption "Specus private VPN (server)";
+ };
+ client = {
+ enable = lib.mkEnableOption "Specus private VPN (client)";
+ };
+ privateKeyFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Private key file of the server/client machine";
+ };
+ };
+
+ config = let
+ cfg = config.services.specus;
+ specusPort = 22;
+ in
+ {
+ assertions = [
+ {
+ assertion =
+ !(cfg.server.enable && cfg.client.enable);
+ message = "specus: systems cannot be client and server at the same time";
+ }
+ ];
+ }
+ // lib.mkIf cfg.server.enable {
+ networking.nat = {
+ enable = true;
+ externalInterface = "eth0"; # TODO
+ internalInterfaces = ["specus"];
+ };
+ networking.firewall.allowedUDPPorts = [specusPort];
+ networking.wireguard.interfaces.specus = {
+ ips = ["${specusMachines.servers.${config.networking.hostName}.ipv4}/24"];
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+ listenPort = specusPort;
+ privateKeyFile = cfg.privateKeyFile;
+ peers =
+ lib.mapAttrsToList (clientName: clientConfig: {
+ publicKey = clientConfig.publicKey;
+ allowedIPs = ["${clientConfig.ipv4}/32"];
+ })
+ specusMachines.clients;
+ };
+ }
+ // lib.mkIf cfg.client.enable {
+ networking.firewall.allowedUDPPorts = 
[specusPort];
+ networking.wireguard.interfaces = lib.attrsets.mapAttrs' (serverName: serverConfig:
+ lib.nameValuePair "specus-${serverName}" {
+ ips = ["${specusMachines.clients.${config.networking.hostName}.ipv4}/24"];
+ listenPort = specusPort;
+ privateKeyFile = cfg.privateKeyFile;
+ peers = [
+ {
+ allowedIPs = ["0.0.0.0/0"];
+ endpoint = "${(import ../lib/external-network.nix).${serverName}}:${toString specusPort}";
+ persistentKeepalive = 25;
+ publicKey = serverConfig.publicKey;
+ }
+ ];
+ })
+ specusMachines.servers;
+ };
+}
diff --git a/systems/ful/configuration.nix b/systems/ful/configuration.nix
index 7cf9e17..48723be 100644
--- a/systems/ful/configuration.nix
+++ b/systems/ful/configuration.nix
@@ -49,6 +49,12 @@ in {
 };
 root.file = ../../secrets/ful-root.age;
 restic.file = ../../secrets/restic.age;
+ specus.file = ../../secrets/ful-specus-privateKey.age;
+ };
+
+ services.specus = {
+ privateKeyFile = config.age.secrets.specus.path;
+ server.enable = true;
 };
 services.restic.backups.niveum = {
diff --git a/systems/kabsa/configuration.nix b/systems/kabsa/configuration.nix
index dfd582f..e972985 100644
--- a/systems/kabsa/configuration.nix
+++ b/systems/kabsa/configuration.nix
@@ -40,10 +40,16 @@ in {
 restic.file = ../../secrets/restic.age;
 syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age;
 syncthing-key.file = ../../secrets/kabsa-syncthing-key.age;
+ specus.file = ../../secrets/kabsa-specus-privateKey.age;
 };
 environment.systemPackages = [pkgs.minecraft pkgs.zeroad];
+ services.specus = {
+ privateKeyFile = config.age.secrets.specus.path;
+ client.enable = false;
+ };
+
 networking = {
 hostName = "kabsa";
 wireless.interfaces = ["wlp3s0"];
diff --git a/systems/makanek/configuration.nix b/systems/makanek/configuration.nix
index 767d809..9a3f8ca 100644
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
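Review bot: The `//` operators at `// lib.mkIf cfg.server.enable {` and `// lib.mkIf cfg.client.enable {` do not merge the three pieces of `config`: `lib.mkIf` returns a plain attrset `{ _type = "if"; condition; content; }`, so the update is right-biased and the client `mkIf` overwrites the server one, after which the module system sees a single `_type = "if"` value and keeps only its `content` — the `assertions` list and the whole server branch (NAT, the firewall port, the `specus` interface) are silently discarded, so ful and makanek never get a VPN. Wrap the pieces in `lib.mkMerge [ … ]` instead, as sketched below. Separately, `privateKeyFile` is typed `lib.types.path`; a caller who passes a Nix path literal would copy the key into the world-readable store, so a string type (which I believe the stock `networking.wireguard` `privateKeyFile` option uses for this reason) plus a description saying the file must not live in the store is safer, even though the three configurations here pass agenix's `.path` string. On the client side, each entry in `specusMachines.servers` produces its own interface with `allowedIPs = ["0.0.0.0/0"]` and the same `listenPort`, which as far as I can tell cannot coexist on one host; if only one server is meant to be active at a time the generated set needs narrowing, otherwise the port and the default route have to be made per-server.
```nix
  config = let
    cfg = config.services.specus;
    specusPort = 22;
  in
    lib.mkMerge [
      {
        # … unchanged: assertions …
      }
      (lib.mkIf cfg.server.enable {
        # … unchanged: networking.nat, networking.firewall, networking.wireguard.interfaces.specus …
      })
      (lib.mkIf cfg.client.enable {
        # … unchanged: networking.firewall, per-server networking.wireguard.interfaces …
      })
    ];
```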
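Review bot: `client.enable = false;` leaves kabsa with no consumer of the key, yet `specus.file = ../../secrets/kabsa-specus-privateKey.age;` still declares the secret, so agenix will decrypt the WireGuard private key onto the host at every activation with nothing using it. Since `false` is already the default from `mkEnableOption`, either drop both the `services.specus` block and the secret until the client is meant to be switched on, or enable it. If the intent is to keep the wiring ready (the commit is marked wip), a comment such as `# specus client deliberately off for now; secret kept so enabling is a one-line change` next to `client.enable` would make that explicit.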
@@ -95,6 +95,12 @@ in {
 group = "tinc.retiolum";
 };
 restic.file = ../../secrets/restic.age;
+ specus.file = ../../secrets/makanek-specus-privateKey.age;
+ };
+
+ services.specus = {
+ privateKeyFile = config.age.secrets.specus.path;
+ server.enable = true;
 };
 system.stateVersion = "20.03";