diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix
index 761703c..5f7be6e 100644
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@@ -4,7 +4,7 @@
 ./amd-new-pstate.nix
 ./hardware-configuration.nix
 # ./irc.nix
- ./stateful-network.nix
+ ./network
 ./secrets.nix
 ./secure-boot.nix
 ./zfs.nix
diff --git a/hosts/toaster/network-vpns.nix b/hosts/toaster/network-vpns.nix
deleted file mode 100644
index 888d8bb..0000000
--- a/hosts/toaster/network-vpns.nix
+++ /dev/null
@@ -1,210 +0,0 @@ -{ config, ... }: { - - systemd.network = { - # Wireguard - # Dump-dvb - netdevs."30-wg-dumpdvb" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg-dumpdvb"; - Description = "dvb.solutions enterprise network"; - }; - wireguardConfig = { - PrivateKeyFile = config.sops.secrets."wg/dvb".path; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY="; - Endpoint = "academicstrokes.com:51820"; - AllowedIPs = [ "10.13.37.0/24" ]; - PersistentKeepalive = 25; - }; - } - ]; - }; - networks."30-wg-dumpdvb" = { - matchConfig.Name = "wg-dumpdvb"; - networkConfig = { - Address = "10.13.37.3/24"; - IPv6AcceptRA = true; - }; - routes = [ - { routeConfig = { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }; } - ]; - }; - - # oxalab - netdevs."10-wg-oxalab" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg-oxalab"; - Description = "lab of oxa"; - }; - wireguardConfig = { - PrivateKeyFile = config.sops.secrets."wg/oxalab".path; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E="; - Endpoint = "95.216.166.21:51820"; - AllowedIPs = [ "10.66.66.0/24" ]; - PersistentKeepalive = 25; - }; - } - ]; - }; - networks."10-wg-oxalab" = { - matchConfig.Name = "wg-oxalab"; - networkConfig = { - Address = "10.66.66.10/24"; - IPv6AcceptRA = true; - }; - routes = [ - { routeConfig = { Gateway = "10.66.66.1"; Destination = "10.66.66.1/24"; }; } - ]; - }; - - - # zentralwerk - netdevs."10-wg-zentralwerk" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg-zentralwerk"; - Description = "Tunnel to the best basement in Dresden"; - }; - wireguardConfig = { - PrivateKeyFile = config.sops.secrets."wg/zw".path; - RouteTable = "off"; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo="; - Endpoint = "81.201.149.152:1337"; - AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" 
"172.22.99.0/24" ]; - PersistentKeepalive = 25; - }; - } - ]; - }; - networks."10-wg-zentralwerk" = { - matchConfig.Name = "wg-zentralwerk"; - networkConfig = { - Address = "172.20.76.226/21"; - IPv6AcceptRA = true; - DNS = "172.20.73.8"; - Domains = [ - "~hq.c3d2.de" - "~serv.zentralwerk.org" - "~hq.zentralwerk.org" - "~cluster.zentralwerk.org" - ]; - }; - routes = [ - { - routeConfig = { - Gateway = "172.20.76.225"; - Destination = "172.20.72.0/21"; - Metric = 1023; - }; - } - { - routeConfig = { - Gateway = "172.20.76.225"; - Destination = "172.20.90.0/24"; - Metric = 1023; - }; - } - { - routeConfig = { - Gateway = "172.20.76.225"; - Destination = "172.22.99.0/24"; - Metric = 1023; - }; - } - - ]; - }; - - # VPN - netdevs."10-wg-mullvad" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg-mullvad"; - }; - wireguardConfig = { - PrivateKeyFile = config.sops.secrets."wg/mullvad".path; - FirewallMark = 34952; # 0x8888 - RouteTable = "off"; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - PublicKey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk="; - Endpoint = "169.150.196.15:51820"; - AllowedIPs = [ "0.0.0.0/0" "::0/0" ]; - }; - } - ]; - }; - networks."10-wg-mullvad" = { - matchConfig.Name = "wg-mullvad"; - address = [ "10.66.157.228/32" "fc00:bbbb:bbbb:bb01::3:9de3/128" ]; - networkConfig = { - DNS = "10.64.0.1"; - DNSDefaultRoute = true; - Domains = [ "~." 
]; - }; - routes = map - (gate: { - routeConfig = { - Gateway = gate; - Table = 1000; - }; - }) [ - "0.0.0.0" - "::" - ]; - - routingPolicyRules = [ - { - routingPolicyRuleConfig = { - Family = "both"; - FirewallMark = 34952; # 0x8888 - InvertRule = true; - Table = "1000"; - Priority = 100; - }; - } - { - routingPolicyRuleConfig = { - Family = "both"; - SuppressPrefixLength = 0; - Table = "main"; - Priority = 90; - }; - } - ] ++ map - (net: { - # only route global addresses over VPN - routingPolicyRuleConfig = { - Priority = 80; - To = net; - }; - }) [ - # Mullvad endpoint - "169.150.196.15/32" - # "10.0.0.0/8" - "10.13.37.0/24" - "10.66.66.0/24" - # "172.16.0.0/12" - "172.16.0.0/12" - # "182.168.0.0/16" - "182.168.0.0/16" - # "fc00::/7" - ]; - }; - }; -} diff --git a/hosts/toaster/network.nix b/hosts/toaster/network.nix deleted file mode 100644 index 26def6b..0000000 --- a/hosts/toaster/network.nix +++ /dev/null 
@@ -1,57 +0,0 @@
-{ config, pkgs, ... }: {
- environment.systemPackages = with pkgs; [ iwgtk ];
-
- networking = {
- hostName = "toaster";
- firewall.enable = true;
- networkmanager.enable = false;
- useNetworkd = true;
- wireguard.enable = true;
- wireless.iwd.enable = true;
- };
-
- services.resolved = {
- enable = true;
- dnssec = "allow-downgrade";
- fallbackDns = [
- "9.9.9.9"
- "2620:fe::fe"
- "149.112.112.112"
- "2620:fe::9"
- ];
- };
-
- # workaround for networkd waiting for shit
- systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
- "" # clear old command
- "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
- ];
-
- systemd.network = {
- enable = true;
-
- networks."10-ether" = {
- matchConfig.MACAddress = "e8:80:88:2f:c6:70";
- networkConfig = {
- DHCP = "yes";
- IPv6AcceptRA = true;
- };
- };
- networks."10-dock" = {
- matchConfig.Name = "enp5s0f4u1u1";
- networkConfig = {
- DHCP = "yes";
- IPv6AcceptRA = true;
- };
- dhcpV4Config = { RouteMetric = 666; };
- };
- networks."10-wlan" = {
- # matchConfig.MACAddress = "04:7b:cb:2a:aa:8c";
- matchConfig.Name = "wlan0";
- networkConfig = {
- DHCP = "yes";
- IPv6AcceptRA = true;
- };
- };
- };
-}
diff --git a/hosts/toaster/network/default.nix b/hosts/toaster/network/default.nix
new file mode 100644
index 0000000..2bb5b39
--- /dev/null
+++ b/hosts/toaster/network/default.nix
@@ -0,0 +1,39 @@
+{ lib, config, ... }: {
+ imports = [
+ ./mullvad.nix
+ ./dumpdvb.nix
+ ./zw.nix
+ ];
+
+ # Networkmanager shouldn't interfere with systemd managed interfaces
+ networking.networkmanager.unmanaged =
+ let
+ systemd_netdevs = lib.attrsets.attrValues (lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs);
+ in
+ systemd_netdevs;
+
+ systemd.network ={
+ enable = true;
+ wait-online.enable = false; # uplink is managed by networkmanager
+ };
+
+ users.users."0xa".extraGroups = [ "networkmanager" ];
+
+ networking = {
+ hostName = "toaster";
+ firewall.enable = true;
+ wireguard.enable = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "allow-downgrade";
+ fallbackDns = [
+ "9.9.9.9"
+ "2620:fe::fe"
+ "149.112.112.112"
+ "2620:fe::9"
+ ];
+ };
+
+ }
diff --git a/hosts/toaster/network/dumpdvb.nix b/hosts/toaster/network/dumpdvb.nix
new file mode 100644
index 0000000..84074bd
--- /dev/null
+++ b/hosts/toaster/network/dumpdvb.nix
@@ -0,0 +1,34 @@
+{ config, ... }: {
+ systemd.network = {
+ # Wireguard
+ # Dump-dvb
+ netdevs."30-wg-dumpdvb" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg-dumpdvb";
+ Description = "dvb.solutions enterprise network";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/dvb".path;
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
+ Endpoint = "academicstrokes.com:51820";
+ AllowedIPs = [ "10.13.37.0/24" ];
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
+ networks."30-wg-dumpdvb" = {
+ matchConfig.Name = "wg-dumpdvb";
+ networkConfig = {
+ Address = "10.13.37.3/24";
+ IPv6AcceptRA = true;
+ };
+ routes = [
+ { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }
+ ];
+ };
+ };
+}
diff --git a/hosts/toaster/network/mullvad.nix b/hosts/toaster/network/mullvad.nix
new file mode 100644
index 0000000..4b05c95
--- /dev/null
+++ b/hosts/toaster/network/mullvad.nix
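Review bot: The `networkmanager.unmanaged` value spells out `attrValues (mapAttrs ...)` inside a `let`, which is exactly what `lib.mapAttrsToList` does; `networking.networkmanager.unmanaged = lib.mapAttrsToList (_: dev: dev.netdevConfig.Name) config.systemd.network.netdevs;` is equivalent and needs no binding. The comment on `wait-online.enable = false` says the uplink is managed by NetworkManager, but nothing in this hunk enables NetworkManager and the networkd `10-ether`/`10-wlan` uplink configs are deleted in this same commit, so presumably `networking.networkmanager.enable` lives in another module; naming that file in the comment would make the split of responsibilities (NetworkManager for uplinks, networkd for the wg-* netdevs) visible from here. A one-line comment above the `unmanaged` assignment such as `# every systemd-networkd netdev (the wg-* tunnels) is hidden from NetworkManager so it never tries to bring them up or push its own DNS onto them` would also state why the list is derived rather than hard-coded.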
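Review bot: `Endpoint = "academicstrokes.com:51820"` is the only tunnel endpoint given as a hostname; systemd-networkd resolves it through the system resolver when the netdev is configured, and with the Mullvad network's `Domains = [ "~." ]` that lookup, and the handshake traffic to the resolved address (which is not in the Mullvad bypass list), presumably both go through wg-mullvad, so this tunnel cannot come up until Mullvad and its DNS are working. If tunnelling this peer inside Mullvad is intentional, say so in a comment next to the `Endpoint` line; if not, add the peer's address to the bypass list alongside the Mullvad endpoint. The route `{ Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }` duplicates the connected route that `Address = "10.13.37.3/24"` already creates and can be dropped.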
@@ -0,0 +1,74 @@
+{ config, lib, ... }: {
+ systemd.network =
+ let
+ pubkey = "uUYbYGKoA6UBh1hfkAz5tAWFv4SmteYC9kWh7/K6Ah0=";
+ endpoint = "92.60.40.209:51820";
+ addr = [ "10.74.16.48/32" "fc00:bbbb:bbbb:bb01::b:102f/128" ];
+ in
+ {
+ netdevs."10-wg-mullvad" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg-mullvad";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/mullvad".path;
+ FirewallMark = 34952; # 0x8888
+ RouteTable = "off";
+ };
+ wireguardPeers = [
+ {
+ PublicKey = pubkey;
+ Endpoint = endpoint;
+ AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
+ }
+ ];
+ };
+ networks."10-wg-mullvad" = {
+ matchConfig.Name = "wg-mullvad";
+ address = addr;
+ networkConfig = {
+ DNS = "10.64.0.1";
+ DNSDefaultRoute = true;
+ Domains = [ "~." ];
+ };
+ routes = map
+ (gate: {
+ Gateway = gate;
+ Table = 1000;
+ }) [
+ "0.0.0.0"
+ "::"
+ ];
+
+ routingPolicyRules = [ {
+ Family = "both";
+ FirewallMark = 34952; # 0x8888
+ InvertRule = true;
+ Table = "1000";
+ Priority = 100;
+ }
+ {
+ Family = "both";
+ SuppressPrefixLength = 0;
+ Table = "main";
+ Priority = 90;
+ } ] ++ map (net: {
+ # only route global addresses over VPN
+ Priority = 80;
+ To = net;
+ }) [
+ # Mullvad endpoint
+ "92.60.40.209/32"
+ # "10.0.0.0/8"
+ "10.13.37.0/24"
+ "10.66.66.0/24"
+ # "172.16.0.0/12"
+ "172.16.0.0/12"
+ # "182.168.0.0/16"
+ "182.168.0.0/16"
+ # "fc00::/7"
+ ];
+ };
+ };
+}
diff --git a/hosts/toaster/network/oxalab.nix b/hosts/toaster/network/oxalab.nix
new file mode 100644
index 0000000..e69de29
diff --git a/hosts/toaster/network/zw.nix b/hosts/toaster/network/zw.nix
new file mode 100644
index 0000000..af961be
--- /dev/null
+++ b/hosts/toaster/network/zw.nix
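Review bot: `"182.168.0.0/16"` in the bypass list (and the comment above it) looks like a typo for `"192.168.0.0/16"`: 182.168.0.0/16 is public address space, so traffic to that block is steered around the VPN by a priority-80 rule into the main table, while the RFC1918 range that the neighbouring `10.0.0.0/8` and `172.16.0.0/12` entries suggest was meant is not bypassed at all; change both the entry and its comment to `"192.168.0.0/16"`. Separately, these rules are routing only, not a kill switch: the priority-90 rule hides the main table's default route, but once wg-mullvad is down table 1000 has no routes, the lookup falls through to the main table's default route, and resolved presumably falls back to other links' DNS or `fallbackDns`, so unmarked traffic and DNS leak to the uplink. If that is not acceptable, add a firewall rule that drops output which is neither marked `0x8888` nor destined for the bypass prefixes (the nftables rules `wg-quick` installs for this exact setup); if it is accepted, a comment on `routingPolicyRules` such as `# NOTE: no kill switch — traffic falls back to the uplink when the tunnel is down` records the decision.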
@@ -0,0 +1,56 @@
+{ config, ... }: {
+ # zentralwerk
+ systemd.network = {
+ netdevs."10-wg-zentralwerk" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg-zentralwerk";
+ Description = "Tunnel to the best basement in Dresden";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/zw".path;
+ RouteTable = "off";
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
+ Endpoint = "81.201.149.152:1337";
+ AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
+ networks."10-wg-zentralwerk" = {
+ matchConfig.Name = "wg-zentralwerk";
+ networkConfig = {
+ Address = "172.20.76.226/21";
+ IPv6AcceptRA = true;
+ DNS = "172.20.73.8";
+ Domains = [
+ "~hq.c3d2.de"
+ "~serv.zentralwerk.org"
+ "~hq.zentralwerk.org"
+ "~cluster.zentralwerk.org"
+ ];
+ };
+ routes = [
+ {
+ Gateway = "172.20.76.225";
+ Destination = "172.20.72.0/21";
+ Metric = 1023;
+ }
+ {
+ Gateway = "172.20.76.225";
+ Destination = "172.20.90.0/24";
+ Metric = 1023;
+ }
+ {
+ Gateway = "172.20.76.225";
+ Destination = "172.22.99.0/24";
+ Metric = 1023;
+ }
+
+ ];
+ };
+ };
+ }
diff --git a/hosts/toaster/stateful-network.nix b/hosts/toaster/stateful-network.nix
deleted file mode 100644
index d65022d..0000000
--- a/hosts/toaster/stateful-network.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ pkgs, ... }: {
- users.users."0xa".extraGroups = [ "networkmanager" ];
-
- networking = {
- hostName = "toaster";
- firewall.enable = true;
- wireguard.enable = true;
- };
-
- services.resolved = {
- enable = true;
- dnssec = "allow-downgrade";
- fallbackDns = [
- "9.9.9.9"
- "2620:fe::fe"
- "149.112.112.112"
- "2620:fe::9"
- ];
- };
-
-}
diff --git a/secrets/toaster/secrets.yaml b/secrets/toaster/secrets.yaml
index eaa6f58..01670ae 100644
--- a/secrets/toaster/secrets.yaml
+++ b/secrets/toaster/secrets.yaml
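Review bot: The second route's `Destination = "172.20.90.0/24"` does not match the peer's `AllowedIPs`, which lists `172.22.90.0/24` (172.20.90.0/24 is also outside the 172.20.72.0/21 block): packets for 172.20.90.0/24 get a route into the tunnel but no peer is allowed to receive them, so WireGuard rejects them, while packets for 172.22.90.0/24 never enter the tunnel at all. Since `172.22.99.0/24` appears consistently in both lists, `Destination = "172.22.90.0/24";` is presumably the intended fix. The mismatch is carried over verbatim from the deleted network-vpns.nix, so it is not new, but this move is the moment to correct it.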
@@ -1,5 +1,5 @@ wg: - mullvad: ENC[AES256_GCM,data:9wgZKgcVGBIkNrfeurwDOCWLE6t2z7bN5KaUAeiRAcGRKO5uAkVCp0kpWZc=,iv:c1XM8GXEeAuDM47pTA5Pa6lPCI0fwau1uZdSaDcBykI=,tag:pSjmhHw7mt7hGTLpXFPsHQ==,type:str] + mullvad: ENC[AES256_GCM,data:P9acMXooRll8i81RIBVb0OxFdzx2WsGgVKqX+BoV7cvPGWJK5FRIF8KAcqg=,iv:kq+3guPx2+reDqmfHuhWEvUsKNynG+t7LYRNp5kFLoQ=,tag:Aj0P7IrrTdRK59aBMjPx5Q==,type:str] zw: ENC[AES256_GCM,data:CXrLvV+b9DUfmr+CwH8dBTHvDHtgVmiF9g+QpzFqMcc91yQDzQqT1d4AQSk=,iv:Wdj11qlGWGm2XSieFZ4csqdIyR0epzPCkeWyUUmjJbk=,tag:UO07WUwr138B5TtMGujvew==,type:str] oxalab: ENC[AES256_GCM,data:YRN3fSzukqgDK3Bf5O7I8U3QmJAINCsjSseOZfzM/4xGXfGbBNeH3UmD0PI=,iv:U3kXH1HdT4OWcFZ+40a5W+jQ1hdS4UYYXxxyy+SqHEU=,tag:w65VyfylSKnM7c50BRCVgQ==,type:str] dvb: ENC[AES256_GCM,data:1+IM6ORPtlIroeekaJSkOwYArh0fN6ycJNaXo680pE2Xv4DUBrIlh8q3V2A=,iv:btf3IpM4Wntkf3RYPwUdhH+4WUUqZp0zYp0aj2sdGM0=,tag:MDvS4CWYQLdp2YGs3/5Htw==,type:str] @@ -23,8 +23,8 @@ sops: bDRBWjJJSDl3bDkxenR1S2NMZW91dW8Kzhc/6HeEJfLGDaKdRSbpaMdR7XaBxdQI jnAySJCGsXxCPebRtCIdDnoLjdqdzEggEhRh27JOpeOiEukLmakPMA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-02T22:58:36Z" - mac: ENC[AES256_GCM,data:P0+aneAIlNDNJBR6nOHTyosrxgXnY9qJ/MSsaFo1Op4jwNMXjPkzM3ZkgigHLsxKQi+HwOxEclnPEPGOKN0pB8bYLgBixiJf/hH9sATD1qirxgkVNcFe0zeXZ27ilxs3yf9A7fqHidmk4fEvAuZR+cS5tvSIzh8z9WghIM3VPIc=,iv:4c59ldPq+lMCIt7/3Cpl9Ou+NQdozka26/e7BcwozdY=,tag:ARDNS16m5M8IgDeMJ6/rDQ==,type:str] + lastmodified: "2025-01-03T16:03:33Z" + mac: ENC[AES256_GCM,data:+Dxu5qh09OJ9KDnzl4IkX4ZjB0wkn6o2tzV+OsvKwOH1p51ezWxf7LIpjLumk9tbNm+0gRD/ZPlufxIA+jHydWxBty/JvnjZjYaaaBh2LeUpqM24PnRn9jReSVki5yRGoonXxZ7OjUpgX26wKSff7iQh2DjMVGdL6E4OhBJL6iM=,iv:kUDVXycpcyfiPgMe9u1KCrxIvUEEtIZr/z6h5rdCY4c=,tag:xTsdPaxtlIVUrHjcU2uerg==,type:str] pgp: - created_at: "2025-01-02T22:57:16Z" enc: |-