fixup toaster network

2025-01-03 19:06:42 +01:00 · 2025-01-03 19:06:42 +01:00 · 0457c44807
commit 0457c44807
parent a31fff4a8e
10 changed files with 207 additions and 292 deletions
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@ -4,7 +4,7 @@
    ./amd-new-pstate.nix
    ./hardware-configuration.nix
    # ./irc.nix
-    ./stateful-network.nix
+    ./network
    ./secrets.nix
    ./secure-boot.nix
    ./zfs.nix
--- a/hosts/toaster/network-vpns.nix
+++ b/hosts/toaster/network-vpns.nix
@ -1,210 +0,0 @@
-{ config, ... }: {
-
-  systemd.network = {
-    # Wireguard
-    # Dump-dvb
-    netdevs."30-wg-dumpdvb" = {
-      netdevConfig = {
-        Kind = "wireguard";
-        Name = "wg-dumpdvb";
-        Description = "dvb.solutions enterprise network";
-      };
-      wireguardConfig = {
-        PrivateKeyFile = config.sops.secrets."wg/dvb".path;
-      };
-      wireguardPeers = [
-        {
-          wireguardPeerConfig = {
-            PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
-            Endpoint = "academicstrokes.com:51820";
-            AllowedIPs = [ "10.13.37.0/24" ];
-            PersistentKeepalive = 25;
-          };
-        }
-      ];
-    };
-    networks."30-wg-dumpdvb" = {
-      matchConfig.Name = "wg-dumpdvb";
-      networkConfig = {
-        Address = "10.13.37.3/24";
-        IPv6AcceptRA = true;
-      };
-      routes = [
-        { routeConfig = { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }; }
-      ];
-    };
-
-    # oxalab
-    netdevs."10-wg-oxalab" = {
-      netdevConfig = {
-        Kind = "wireguard";
-        Name = "wg-oxalab";
-        Description = "lab of oxa";
-      };
-      wireguardConfig = {
-        PrivateKeyFile = config.sops.secrets."wg/oxalab".path;
-      };
-      wireguardPeers = [
-        {
-          wireguardPeerConfig = {
-            PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
-            Endpoint = "95.216.166.21:51820";
-            AllowedIPs = [ "10.66.66.0/24" ];
-            PersistentKeepalive = 25;
-          };
-        }
-      ];
-    };
-    networks."10-wg-oxalab" = {
-      matchConfig.Name = "wg-oxalab";
-      networkConfig = {
-        Address = "10.66.66.10/24";
-        IPv6AcceptRA = true;
-      };
-      routes = [
-        { routeConfig = { Gateway = "10.66.66.1"; Destination = "10.66.66.1/24"; }; }
-      ];
-    };
-
-
-    # zentralwerk
-    netdevs."10-wg-zentralwerk" = {
-      netdevConfig = {
-        Kind = "wireguard";
-        Name = "wg-zentralwerk";
-        Description = "Tunnel to the best basement in Dresden";
-      };
-      wireguardConfig = {
-        PrivateKeyFile = config.sops.secrets."wg/zw".path;
-        RouteTable = "off";
-      };
-      wireguardPeers = [
-        {
-          wireguardPeerConfig = {
-            PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
-            Endpoint = "81.201.149.152:1337";
-            AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
-            PersistentKeepalive = 25;
-          };
-        }
-      ];
-    };
-    networks."10-wg-zentralwerk" = {
-      matchConfig.Name = "wg-zentralwerk";
-      networkConfig = {
-        Address = "172.20.76.226/21";
-        IPv6AcceptRA = true;
-        DNS = "172.20.73.8";
-        Domains = [
-          "~hq.c3d2.de"
-          "~serv.zentralwerk.org"
-          "~hq.zentralwerk.org"
-          "~cluster.zentralwerk.org"
-        ];
-      };
-      routes = [
-        {
-          routeConfig = {
-            Gateway = "172.20.76.225";
-            Destination = "172.20.72.0/21";
-            Metric = 1023;
-          };
-        }
-        {
-          routeConfig = {
-            Gateway = "172.20.76.225";
-            Destination = "172.20.90.0/24";
-            Metric = 1023;
-          };
-        }
-        {
-          routeConfig = {
-            Gateway = "172.20.76.225";
-            Destination = "172.22.99.0/24";
-            Metric = 1023;
-          };
-        }
-
-      ];
-    };
-
-    # VPN
-    netdevs."10-wg-mullvad" = {
-      netdevConfig = {
-        Kind = "wireguard";
-        Name = "wg-mullvad";
-      };
-      wireguardConfig = {
-        PrivateKeyFile = config.sops.secrets."wg/mullvad".path;
-        FirewallMark = 34952; # 0x8888
-        RouteTable = "off";
-      };
-      wireguardPeers = [
-        {
-          wireguardPeerConfig = {
-            PublicKey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
-            Endpoint = "169.150.196.15:51820";
-            AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
-          };
-        }
-      ];
-    };
-    networks."10-wg-mullvad" = {
-      matchConfig.Name = "wg-mullvad";
-      address = [ "10.66.157.228/32" "fc00:bbbb:bbbb:bb01::3:9de3/128" ];
-      networkConfig = {
-        DNS = "10.64.0.1";
-        DNSDefaultRoute = true;
-        Domains = [ "~." ];
-      };
-      routes = map
-        (gate: {
-          routeConfig = {
-            Gateway = gate;
-            Table = 1000;
-          };
-        }) [
-        "0.0.0.0"
-        "::"
-      ];
-
-      routingPolicyRules = [
-        {
-          routingPolicyRuleConfig = {
-            Family = "both";
-            FirewallMark = 34952; # 0x8888
-            InvertRule = true;
-            Table = "1000";
-            Priority = 100;
-          };
-        }
-        {
-          routingPolicyRuleConfig = {
-            Family = "both";
-            SuppressPrefixLength = 0;
-            Table = "main";
-            Priority = 90;
-          };
-        }
-      ] ++ map
-        (net: {
-          # only route global addresses over VPN
-          routingPolicyRuleConfig = {
-            Priority = 80;
-            To = net;
-          };
-        }) [
-        # Mullvad endpoint
-        "169.150.196.15/32"
-        # "10.0.0.0/8"
-        "10.13.37.0/24"
-        "10.66.66.0/24"
-        # "172.16.0.0/12"
-        "172.16.0.0/12"
-        # "182.168.0.0/16"
-        "182.168.0.0/16"
-        # "fc00::/7"
-      ];
-    };
-  };
-}
--- a/hosts/toaster/network.nix
+++ b/hosts/toaster/network.nix
@ -1,57 +0,0 @@
-{ config, pkgs, ... }: {
-  environment.systemPackages = with pkgs; [ iwgtk ];
-
-  networking = {
-    hostName = "toaster";
-    firewall.enable = true;
-    networkmanager.enable = false;
-    useNetworkd = true;
-    wireguard.enable = true;
-    wireless.iwd.enable = true;
-  };
-
-  services.resolved = {
-    enable = true;
-    dnssec = "allow-downgrade";
-    fallbackDns = [
-      "9.9.9.9"
-      "2620:fe::fe"
-      "149.112.112.112"
-      "2620:fe::9"
-    ];
-  };
-
-  # workaround for networkd waiting for shit
-  systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
-    "" # clear old command
-    "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
-  ];
-
-  systemd.network = {
-    enable = true;
-
-    networks."10-ether" = {
-      matchConfig.MACAddress = "e8:80:88:2f:c6:70";
-      networkConfig = {
-        DHCP = "yes";
-        IPv6AcceptRA = true;
-      };
-    };
-    networks."10-dock" = {
-      matchConfig.Name = "enp5s0f4u1u1";
-      networkConfig = {
-        DHCP = "yes";
-        IPv6AcceptRA = true;
-      };
-      dhcpV4Config = { RouteMetric = 666; };
-    };
-    networks."10-wlan" = {
-      # matchConfig.MACAddress = "04:7b:cb:2a:aa:8c";
-      matchConfig.Name = "wlan0";
-      networkConfig = {
-        DHCP = "yes";
-        IPv6AcceptRA = true;
-      };
-    };
-  };
-}
--- a/hosts/toaster/network/default.nix
+++ b/hosts/toaster/network/default.nix
@ -0,0 +1,39 @@
+{ lib, config, ... }: {
+  imports = [
+    ./mullvad.nix
+    ./dumpdvb.nix
+    ./zw.nix
+  ];
+
+  # Networkmanager shouldn't interfere with systemd managed interfaces
+  networking.networkmanager.unmanaged =
+    let
+      systemd_netdevs = lib.attrsets.attrValues (lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs);
+    in
+    systemd_netdevs;
+
+    systemd.network ={
+      enable = true;
+      wait-online.enable = false; # uplink is managed by networkmanager
+    };
+
+    users.users."0xa".extraGroups = [ "networkmanager" ];
+
+    networking = {
+      hostName = "toaster";
+      firewall.enable = true;
+      wireguard.enable = true;
+    };
+
+    services.resolved = {
+      enable = true;
+      dnssec = "allow-downgrade";
+      fallbackDns = [
+        "9.9.9.9"
+        "2620:fe::fe"
+        "149.112.112.112"
+        "2620:fe::9"
+      ];
+    };
+
+  }
--- a/hosts/toaster/network/dumpdvb.nix
+++ b/hosts/toaster/network/dumpdvb.nix
@ -0,0 +1,34 @@
+{ config, ... }: {
+  systemd.network = {
+    # Wireguard
+    # Dump-dvb
+    netdevs."30-wg-dumpdvb" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg-dumpdvb";
+        Description = "dvb.solutions enterprise network";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = config.sops.secrets."wg/dvb".path;
+      };
+      wireguardPeers = [
+        {
+          PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
+          Endpoint = "academicstrokes.com:51820";
+          AllowedIPs = [ "10.13.37.0/24" ];
+          PersistentKeepalive = 25;
+        }
+      ];
+    };
+    networks."30-wg-dumpdvb" = {
+      matchConfig.Name = "wg-dumpdvb";
+      networkConfig = {
+        Address = "10.13.37.3/24";
+        IPv6AcceptRA = true;
+      };
+      routes = [
+        { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24";  }
+      ];
+    };
+  };
+}
--- a/hosts/toaster/network/mullvad.nix
+++ b/hosts/toaster/network/mullvad.nix
@ -0,0 +1,74 @@
+{ config, lib, ... }: {
+  systemd.network =
+    let
+      pubkey =  "uUYbYGKoA6UBh1hfkAz5tAWFv4SmteYC9kWh7/K6Ah0=";
+      endpoint = "92.60.40.209:51820";
+      addr = [ "10.74.16.48/32" "fc00:bbbb:bbbb:bb01::b:102f/128" ];
+    in
+    {
+      netdevs."10-wg-mullvad" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg-mullvad";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets."wg/mullvad".path;
+          FirewallMark = 34952; # 0x8888
+          RouteTable = "off";
+        };
+        wireguardPeers = [
+          {
+            PublicKey = pubkey;
+            Endpoint = endpoint;
+            AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
+          }
+        ];
+      };
+      networks."10-wg-mullvad" = {
+        matchConfig.Name = "wg-mullvad";
+        address = addr;
+        networkConfig = {
+          DNS = "10.64.0.1";
+          DNSDefaultRoute = true;
+          Domains = [ "~." ];
+        };
+        routes = map
+        (gate: {
+            Gateway = gate;
+            Table = 1000;
+        }) [
+          "0.0.0.0"
+          "::"
+        ];
+
+        routingPolicyRules = [ {
+          Family = "both";
+          FirewallMark = 34952; # 0x8888
+          InvertRule = true;
+          Table = "1000";
+          Priority = 100;
+        }
+        {
+          Family = "both";
+          SuppressPrefixLength = 0;
+          Table = "main";
+          Priority = 90;
+        } ] ++ map (net: {
+          # only route global addresses over VPN
+          Priority = 80;
+          To = net;
+        }) [
+        # Mullvad endpoint
+        "92.60.40.209/32"
+        # "10.0.0.0/8"
+        "10.13.37.0/24"
+        "10.66.66.0/24"
+        # "172.16.0.0/12"
+        "172.16.0.0/12"
+        # "182.168.0.0/16"
+        "182.168.0.0/16"
+        # "fc00::/7"
+      ];
+    };
+  };
+}
--- a/hosts/toaster/network/oxalab.nix
+++ b/hosts/toaster/network/oxalab.nix
--- a/hosts/toaster/network/zw.nix
+++ b/hosts/toaster/network/zw.nix
@ -0,0 +1,56 @@
+{ config, ... }: {
+    # zentralwerk
+    systemd.network = {
+      netdevs."10-wg-zentralwerk" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg-zentralwerk";
+          Description = "Tunnel to the best basement in Dresden";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets."wg/zw".path;
+          RouteTable = "off";
+        };
+        wireguardPeers = [
+          {
+            PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
+            Endpoint = "81.201.149.152:1337";
+            AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
+            PersistentKeepalive = 25;
+          }
+        ];
+      };
+      networks."10-wg-zentralwerk" = {
+        matchConfig.Name = "wg-zentralwerk";
+        networkConfig = {
+          Address = "172.20.76.226/21";
+          IPv6AcceptRA = true;
+          DNS = "172.20.73.8";
+          Domains = [
+            "~hq.c3d2.de"
+            "~serv.zentralwerk.org"
+            "~hq.zentralwerk.org"
+            "~cluster.zentralwerk.org"
+          ];
+        };
+        routes = [
+          {
+            Gateway = "172.20.76.225";
+            Destination = "172.20.72.0/21";
+            Metric = 1023;
+          }
+          {
+            Gateway = "172.20.76.225";
+            Destination = "172.20.90.0/24";
+            Metric = 1023;
+          }
+          {
+            Gateway = "172.20.76.225";
+            Destination = "172.22.99.0/24";
+            Metric = 1023;
+          }
+
+        ];
+      };
+    };
+  }
--- a/hosts/toaster/stateful-network.nix
+++ b/hosts/toaster/stateful-network.nix
@ -1,21 +0,0 @@
-{ pkgs, ... }: {
-  users.users."0xa".extraGroups = [ "networkmanager" ];
-
-  networking = {
-    hostName = "toaster";
-    firewall.enable = true;
-    wireguard.enable = true;
-  };
-
-  services.resolved = {
-    enable = true;
-    dnssec = "allow-downgrade";
-    fallbackDns = [
-      "9.9.9.9"
-      "2620:fe::fe"
-      "149.112.112.112"
-      "2620:fe::9"
-    ];
-  };
-
-}
--- a/secrets/toaster/secrets.yaml
+++ b/secrets/toaster/secrets.yaml
@ -1,5 +1,5 @@
 wg:
-    mullvad: ENC[AES256_GCM,data:9wgZKgcVGBIkNrfeurwDOCWLE6t2z7bN5KaUAeiRAcGRKO5uAkVCp0kpWZc=,iv:c1XM8GXEeAuDM47pTA5Pa6lPCI0fwau1uZdSaDcBykI=,tag:pSjmhHw7mt7hGTLpXFPsHQ==,type:str]
+    mullvad: ENC[AES256_GCM,data:P9acMXooRll8i81RIBVb0OxFdzx2WsGgVKqX+BoV7cvPGWJK5FRIF8KAcqg=,iv:kq+3guPx2+reDqmfHuhWEvUsKNynG+t7LYRNp5kFLoQ=,tag:Aj0P7IrrTdRK59aBMjPx5Q==,type:str]
    zw: ENC[AES256_GCM,data:CXrLvV+b9DUfmr+CwH8dBTHvDHtgVmiF9g+QpzFqMcc91yQDzQqT1d4AQSk=,iv:Wdj11qlGWGm2XSieFZ4csqdIyR0epzPCkeWyUUmjJbk=,tag:UO07WUwr138B5TtMGujvew==,type:str]
    oxalab: ENC[AES256_GCM,data:YRN3fSzukqgDK3Bf5O7I8U3QmJAINCsjSseOZfzM/4xGXfGbBNeH3UmD0PI=,iv:U3kXH1HdT4OWcFZ+40a5W+jQ1hdS4UYYXxxyy+SqHEU=,tag:w65VyfylSKnM7c50BRCVgQ==,type:str]
    dvb: ENC[AES256_GCM,data:1+IM6ORPtlIroeekaJSkOwYArh0fN6ycJNaXo680pE2Xv4DUBrIlh8q3V2A=,iv:btf3IpM4Wntkf3RYPwUdhH+4WUUqZp0zYp0aj2sdGM0=,tag:MDvS4CWYQLdp2YGs3/5Htw==,type:str]
@ -23,8 +23,8 @@ sops:
            bDRBWjJJSDl3bDkxenR1S2NMZW91dW8Kzhc/6HeEJfLGDaKdRSbpaMdR7XaBxdQI
            jnAySJCGsXxCPebRtCIdDnoLjdqdzEggEhRh27JOpeOiEukLmakPMA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-02T22:58:36Z"
-    mac: ENC[AES256_GCM,data:P0+aneAIlNDNJBR6nOHTyosrxgXnY9qJ/MSsaFo1Op4jwNMXjPkzM3ZkgigHLsxKQi+HwOxEclnPEPGOKN0pB8bYLgBixiJf/hH9sATD1qirxgkVNcFe0zeXZ27ilxs3yf9A7fqHidmk4fEvAuZR+cS5tvSIzh8z9WghIM3VPIc=,iv:4c59ldPq+lMCIt7/3Cpl9Ou+NQdozka26/e7BcwozdY=,tag:ARDNS16m5M8IgDeMJ6/rDQ==,type:str]
+    lastmodified: "2025-01-03T16:03:33Z"
+    mac: ENC[AES256_GCM,data:+Dxu5qh09OJ9KDnzl4IkX4ZjB0wkn6o2tzV+OsvKwOH1p51ezWxf7LIpjLumk9tbNm+0gRD/ZPlufxIA+jHydWxBty/JvnjZjYaaaBh2LeUpqM24PnRn9jReSVki5yRGoonXxZ7OjUpgX26wKSff7iQh2DjMVGdL6E4OhBJL6iM=,iv:kUDVXycpcyfiPgMe9u1KCrxIvUEEtIZr/z6h5rdCY4c=,tag:xTsdPaxtlIVUrHjcU2uerg==,type:str]
    pgp:
        - created_at: "2025-01-02T22:57:16Z"
          enc: |-