diff --git a/flake.nix b/flake.nix index 2f8ad34..e4c6996 100644 --- a/flake.nix +++ b/flake.nix @@ -67,6 +67,7 @@ ./hosts/toaster/secure-boot.nix ./modules/chromium.nix ./modules/mail + ./modules/wg ]; }; cloud = nixpkgs-stable.lib.nixosSystem { @@ -80,6 +81,7 @@ ./modules/basic-tools ./modules/server ./modules/binary-caches.nix + ./modules/wg ]; }; minime = nixpkgs-stable.lib.nixosSystem { @@ -92,6 +94,7 @@ ./modules/basic-tools ./modules/server ./modules/binary-caches.nix + ./modules/wg ]; }; }; diff --git a/hosts/cloud/configuration.nix b/hosts/cloud/configuration.nix index 6f8d6aa..9eddac5 100644 --- a/hosts/cloud/configuration.nix +++ b/hosts/cloud/configuration.nix @@ -1,7 +1,7 @@ { ... }: { imports = [ ./hardware-configuration.nix - ./networking.nix # generated at runtime by nixos-infect + ./networking.nix ]; boot.tmp.cleanOnBoot = true; diff --git a/hosts/toaster/network/mullvad.nix b/hosts/toaster/network/mullvad.nix index b8be18a..8ad71b7 100644 --- a/hosts/toaster/network/mullvad.nix +++ b/hosts/toaster/network/mullvad.nix @@ -63,7 +63,8 @@ "${endpoint}/32" # "10.0.0.0/8" "10.13.37.0/24" - "10.66.66.0/24" + # 0xa-mgmt + "10.89.87.0/24" # "172.16.0.0/12" "172.16.0.0/12" # "182.168.0.0/16" diff --git a/modules/wg/default.nix b/modules/wg/default.nix new file mode 100644 index 0000000..cab721b --- /dev/null +++ b/modules/wg/default.nix @@ -0,0 +1,9 @@ +{ ... }: { + imports = [ + # module + ./module.nix + ./options.nix + # networks + ./mgmt.nix + ]; +} diff --git a/modules/wg/mgmt.nix b/modules/wg/mgmt.nix new file mode 100644 index 0000000..87bf9e8 --- /dev/null +++ b/modules/wg/mgmt.nix @@ -0,0 +1,35 @@ +{ config, ... }: +{ + oxalab.wg = [ + { + networkName = "0xa-mgmt"; + CIDRs = [ "10.89.87.0/24" "fd31:185d:722e::/48" ]; + + hosts = { + "cloud" = { + address = [ "10.89.87.1/24" "fd31:185d:722e::1/48" ]; + publicKey = "zKSaw+SXzWgi/T7ByXHqPk1XNXXapoQYB8UPMTRmhm0="; + privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path; + endpoint = { + enable = true; + endpoint = "188.245.196.27"; + port = 51820; + publicIface = "enp1s0"; + }; + }; + + "toaster" = { + address = [ "10.89.87.100/24" "fd31:185d:722e::100/48" ]; + publicKey = "H+WeYIBdX7ZHwkgm4BGnF0HF0JULkxyNMcvCviHhmks="; + privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path; + }; + "minime" = { + address = [ "10.89.87.10/24" "fd31:185d:722e::10/48" ]; + publicKey = "zN2Dr/ZGMh1Ftparszp22Qnbz2ISJU12iDVatebOHUE="; + privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path; + }; + }; + } + ]; + +} diff --git a/modules/wg/module.nix b/modules/wg/module.nix new file mode 100644 index 0000000..84575c7 --- /dev/null +++ b/modules/wg/module.nix @@ -0,0 +1,105 @@ +{ lib +, config +, self +, registry +, ... }: { + + config = + let + currenthost = config.networking.hostName; + wg = config.oxalab.wg; + + # get all the networks we participate in + networks = builtins.filter (net: builtins.hasAttr "${currenthost}" net.hosts) wg; + + # create wg networks + network-attrset = map (net: { + name = "30-wg-${net.networkName}"; + value = { + matchConfig.Name = "wg-${net.networkName}"; + networkConfig = { + Address = net.hosts.${currenthost}.address; + IPv6AcceptRA = false; # for now static IPv6 + } // (if net.hosts.${currenthost}.endpoint.enable then {IPv4Forwarding=true; IPv6Forwarding=true; } else {}); + }; + }) networks; + + systemd-networks = builtins.listToAttrs network-attrset; + + # get all the networks we client in + net-client = builtins.filter (net: !net.hosts.${currenthost}.endpoint.enable) networks; + # get all the networks we are endpoint of + net-endpoint = builtins.filter (net: net.hosts.${currenthost}.endpoint.enable) networks; + + # wg netdevs + # client + netdev-client-list = map (net: { + name = "30-wg-${net.networkName}"; + value = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg-${net.networkName}"; + }; + wireguardConfig.PrivateKeyFile = net.hosts.${currenthost}.privateKeyFile; + # for client this is only endpoint for now + wireguardPeers = + let + endpoint = lib.attrsets.filterAttrs (_k: v: v.endpoint.enable) net.hosts; + wg-peers-attrs = lib.attrsets.mapAttrs (_k: v: + { + PersistentKeepalive = 29; + PublicKey = v.publicKey; + Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; + AllowedIPs = net.CIDRs; + }) endpoint; + wg-peers = lib.attrsets.attrValues wg-peers-attrs; + in + wg-peers; + }; + }) net-client; + netdev-client = builtins.listToAttrs netdev-client-list; + + maskip = (net: hostattrs: + if hostattrs.endpoint.enable then hostattrs.address else map (baseaddr: + if lib.strings.hasInfix "." baseaddr then "${baseaddr}/32" else "${baseaddr}/128" + ) (map (addr: builtins.elemAt (lib.strings.splitString "/" addr) 0) hostattrs.address)); + # endpoint + # TODO: this requires bit more logic for allowedIPs if we have more then + # 2 endpoints e.g. for routing client -> endpoint1 -> endpoint2 -> + # client2 + netdev-endpoint-list = map (net: { + name = "30-wg-${net.networkName}"; + value = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg-${net.networkName}"; + }; + wireguardConfig.PrivateKeyFile = net.hosts.${currenthost}.privateKeyFile; + wireguardConfig.ListenPort = net.hosts.${currenthost}.endpoint.port; + wireguardPeers = + let + peers = lib.attrsets.filterAttrs (k: _v: k != currenthost) net.hosts; + wg-peers-attrs = lib.attrsets.mapAttrs (_k: v: + { + PersistentKeepalive = 29; + PublicKey = v.publicKey; + # only route to /32 or /128, i.e. single client + AllowedIPs = maskip net v; + } // (if !isNull v.endpoint.endpoint then { Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; } else {})) peers; + wg-peers = lib.attrsets.attrValues wg-peers-attrs; + in + wg-peers; + }; + }) net-endpoint; + netdev-endpoint = builtins.listToAttrs netdev-endpoint-list; + + in + { + # make sure that the networkd and wg are enabled + networking.wireguard.enable = true; + systemd.network.enable = true; + + systemd.network.networks = systemd-networks; + systemd.network.netdevs = netdev-client // netdev-endpoint; + }; + } diff --git a/modules/wg/options.nix b/modules/wg/options.nix new file mode 100644 index 0000000..4f090d0 --- /dev/null +++ b/modules/wg/options.nix @@ -0,0 +1,79 @@ +{ lib +, ...}: +{ + options.oxalab.wg = with lib; + lib.mkOption { + default = []; + type = types.listOf (types.submodule { + options = { + # general network stuff + networkName = mkOption { + type = types.nullOr types.str; + default = null; + }; + CIDRs = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + }; + + hosts = mkOption { + default = {}; + type = types.attrsOf (types.submodule { + options = { + + enable = mkOption { + type = types.bool; + default = true; + }; + address = mkOption { + type = types.listOf types.str; + default = null; + }; + publicKey = mkOption { + type = types.str; + default = null; + }; + privateKeyFile = mkOption { + type = types.path; + default = null; + }; + + endpoint.enable = mkOption { + type = types.bool; + default = false; + }; + endpoint.endpoint = mkOption { + type = types.nullOr types.str; + default = null; + }; + endpoint.port = mkOption { + type = types.nullOr types.int; + default = null; + }; + endpoint.publicIface = mkOption { + type = types.nullOr types.str; + default = null; + }; + + endpoint.extraPeers = mkOption { + default = []; + type = types.listOf (types.submodule { + options = { + address = mkOption { + type = types.listOf types.str; + default = []; + }; + publicKey = mkOption { + type = types.nullOr types.str; + default = null; + }; + }; + }); + }; + }; + }); + }; + }; + }); + }; +}