kfm/niveum
1
0
Fork 0
mirror of https://github.com/kmein/niveum synced 2026-03-16 10:11:08 +01:00
Code Releases Activity
Files
2d25c1fc7bbb5b3705f3c1722dec8ff8340686d4
niveum/modules/specus.nix
Kierán Meinhardt 2d25c1fc7b wip: add specus VPN
2023-04-14 08:43:23 +02:00

97 lines
2.9 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}: let
specusMachines = {
servers = {
makanek = {
ipv4 = "10.100.0.1";
publicKey = "KhcScd4fBpdhQzK8Vc+1mEHQMQBpbKBUPB4oZ7skeSk=";
};
ful = {
ipv4 = "10.100.0.2";
publicKey = "0Y7+zoXkWJGVOWWnMjvYjtwP+WpggAlmkRbgMw0z8Dk=";
};
};
clients = {
kabsa = {
ipv4 = "10.100.0.101";
publicKey = "nRkzoRi9crKHF7263U37lt4GGL7/8637NBSKjifI9hY=";
};
};
};
in {
options.services.specus = {
server = {
enable = lib.mkEnableOption "Specus private VPN (server)";
};
client = {
enable = lib.mkEnableOption "Specus private VPN (client)";
};
privateKeyFile = lib.mkOption {
type = lib.types.path;
description = "Private key file of the server/client machine";
};
};
config = let
cfg = config.services.specus;
specusPort = 22;
in
{
assertions = [
{
assertion =
!(cfg.server.enable && cfg.client.enable);
message = "specus: systems cannot be client and server at the same time";
}
];
}
// lib.mkIf cfg.server.enable {
networking.nat = {
enable = true;
externalInterface = "eth0"; # TODO
internalInterfaces = ["specus"];
};
networking.firewall.allowedUDPPorts = [specusPort];
networking.wireguard.interfaces.specus = {
ips = ["${specusMachines.servers.${config.networking.hostName}.ipv4}/24"];
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
listenPort = specusPort;
privateKeyFile = cfg.privateKeyFile;
peers =
lib.mapAttrsToList (clientName: clientConfig: {
publicKey = clientConfig.publicKey;
allowedIPs = ["${clientConfig.ipv4}/32"];
})
specusMachines.clients;
};
}
// lib.mkIf cfg.client.enable {
networking.firewall.allowedUDPPorts = [specusPort];
networking.wireguard.interfaces = lib.attrsets.mapAttrs' (serverName: serverConfig:
lib.nameValuePair "specus-${serverName}" {
ips = ["${specusMachines.clients.${config.networking.hostName}.ipv4}/24"];
listenPort = specusPort;
privateKeyFile = cfg.privateKeyFile;
peers = [
{
allowedIPs = ["0.0.0.0/0"];
endpoint = "${(import ../lib/external-network.nix).${serverName}}:${toString specusPort}";
persistentKeepalive = 25;
publicKey = serverConfig.publicKey;
}
];
})
specusMachines.servers;
};
}
View Git Blame Copy Permalink