wip: add specus VPN

flake.nix

@@ -49,6 +49,7 @@
         passport = import modules/passport.nix;
         panoptikon = import modules/panoptikon.nix;
         power-action = import modules/power-action.nix;
+        specus = import modules/specus.nix;
         system-dependent = import modules/system-dependent.nix;
         telegram-bot = import modules/telegram-bot.nix;
         traadfri = import modules/traadfri.nix;
@@ -79,6 +80,7 @@
             systems/ful/configuration.nix
             agenix.nixosModules.default
             inputs.self.nixosModules.passport
+            inputs.self.nixosModules.specus
             inputs.self.nixosModules.panoptikon
             retiolum.nixosModules.retiolum
             nur.nixosModules.nur
@@ -127,6 +129,7 @@
             inputs.self.nixosModules.telegram-bot
             inputs.self.nixosModules.htgen
             inputs.self.nixosModules.passport
+            inputs.self.nixosModules.specus
             agenix.nixosModules.default
             retiolum.nixosModules.retiolum
             nur.nixosModules.nur
@@ -190,6 +193,7 @@
             systems/kabsa/configuration.nix
             agenix.nixosModules.default
             retiolum.nixosModules.retiolum
+            inputs.self.nixosModules.specus
             home-manager.nixosModules.home-manager
             nur.nixosModules.nur
           ];

modules/specus.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  specusMachines = {
+    servers = {
+      makanek = {
+        ipv4 = "10.100.0.1";
+        publicKey = "KhcScd4fBpdhQzK8Vc+1mEHQMQBpbKBUPB4oZ7skeSk=";
+      };
+      ful = {
+        ipv4 = "10.100.0.2";
+        publicKey = "0Y7+zoXkWJGVOWWnMjvYjtwP+WpggAlmkRbgMw0z8Dk=";
+      };
+    };
+    clients = {
+      kabsa = {
+        ipv4 = "10.100.0.101";
+        publicKey = "nRkzoRi9crKHF7263U37lt4GGL7/8637NBSKjifI9hY=";
+      };
+    };
+  };
+in {
+  options.services.specus = {
+    server = {
+      enable = lib.mkEnableOption "Specus private VPN (server)";
+    };
+    client = {
+      enable = lib.mkEnableOption "Specus private VPN (client)";
+    };
+    privateKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = "Private key file of the server/client machine";
+    };
+  };
+
+  config = let
+    cfg = config.services.specus;
+    specusPort = 22;
+  in
+    {
+      assertions = [
+        {
+          assertion =
+            !(cfg.server.enable && cfg.client.enable);
+          message = "specus: systems cannot be client and server at the same time";
+        }
+      ];
+    }
+    // lib.mkIf cfg.server.enable {
+      networking.nat = {
+        enable = true;
+        externalInterface = "eth0"; # TODO
+        internalInterfaces = ["specus"];
+      };
+      networking.firewall.allowedUDPPorts = [specusPort];
+      networking.wireguard.interfaces.specus = {
+        ips = ["${specusMachines.servers.${config.networking.hostName}.ipv4}/24"];
+        # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+        listenPort = specusPort;
+        privateKeyFile = cfg.privateKeyFile;
+        peers =
+          lib.mapAttrsToList (clientName: clientConfig: {
+            publicKey = clientConfig.publicKey;
+            allowedIPs = ["${clientConfig.ipv4}/32"];
+          })
+          specusMachines.clients;
+      };
+    }
+    // lib.mkIf cfg.client.enable {
+      networking.firewall.allowedUDPPorts = [specusPort];
+      networking.wireguard.interfaces = lib.attrsets.mapAttrs' (serverName: serverConfig:
+        lib.nameValuePair "specus-${serverName}" {
+          ips = ["${specusMachines.clients.${config.networking.hostName}.ipv4}/24"];
+          listenPort = specusPort;
+          privateKeyFile = cfg.privateKeyFile;
+          peers = [
+            {
+              allowedIPs = ["0.0.0.0/0"];
+              endpoint = "${(import ../lib/external-network.nix).${serverName}}:${toString specusPort}";
+              persistentKeepalive = 25;
+              publicKey = serverConfig.publicKey;
+            }
+          ];
+        })
+      specusMachines.servers;
+    };
+}

systems/ful/configuration.nix

@@ -49,6 +49,12 @@ in {
     };
     root.file = ../../secrets/ful-root.age;
     restic.file = ../../secrets/restic.age;
+    specus.file = ../../secrets/ful-specus-privateKey.age;
+  };
+
+  services.specus = {
+    privateKeyFile = config.age.secrets.specus.path;
+    server.enable = true;
   };
 
   services.restic.backups.niveum = {

systems/kabsa/configuration.nix

@@ -40,10 +40,16 @@ in {
     restic.file = ../../secrets/restic.age;
     syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age;
     syncthing-key.file = ../../secrets/kabsa-syncthing-key.age;
+    specus.file = ../../secrets/kabsa-specus-privateKey.age;
   };
 
   environment.systemPackages = [pkgs.minecraft pkgs.zeroad];
 
+  services.specus = {
+    privateKeyFile = config.age.secrets.specus.path;
+    client.enable = false;
+  };
+
   networking = {
     hostName = "kabsa";
     wireless.interfaces = ["wlp3s0"];

systems/makanek/configuration.nix

@@ -95,6 +95,12 @@ in {
       group = "tinc.retiolum";
     };
     restic.file = ../../secrets/restic.age;
+    specus.file = ../../secrets/makanek-specus-privateKey.age;
+  };
+
+  services.specus = {
+    privateKeyFile = config.age.secrets.specus.path;
+    server.enable = true;
   };
 
   system.stateVersion = "20.03";