From 4368fa3920a477ef5d421b3174de933637a4bd12 Mon Sep 17 00:00:00 2001
From: Grigory Shipunov
Date: Mon, 11 Jul 2022 19:27:51 +0200
Subject: [PATCH] mircowave: use iwd, resolvd and networkmanager
---
 flake.nix | 6 +-
 hosts/microwave/configuration.nix | 9 --
 hosts/microwave/default.nix | 9 ++
 hosts/microwave/network.nix | 157 ++++++++++++++++++++++++++++++
 hosts/microwave/secrets.nix | 16 ++-
 modules/wireguard.nix | 54 ----------
 6 files changed, 179 insertions(+), 72 deletions(-)
 create mode 100644 hosts/microwave/default.nix
 create mode 100644 hosts/microwave/network.nix
 delete mode 100644 modules/wireguard.nix
diff --git a/flake.nix b/flake.nix
index 15bd5c9..92e6f6f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,16 +38,13 @@
 modules = [
 sops-nix.nixosModules.sops
 home-manager.nixosModules.home-manager
- ./hosts/microwave/configuration.nix
- ./hosts/microwave/secrets.nix
- ./hosts/microwave/hardware-configuration.nix
+ ./hosts/microwave
 ./modules/graphical.nix
 ./modules/basic-tools.nix
 ./modules/gnupg.nix
 ./modules/hw-accel-intel.nix
 ./modules/radio.nix
 ./modules/tlp.nix
- ./modules/wireguard.nix
 ./modules/binary-caches.nix
 ./modules/science.nix
 ./modules/mail.nix
@@ -55,7 +52,6 @@
 ./modules/virtualization.nix
 ({ pkgs, ... }: {
 services.throttled.enable = true;
- services.influxdb.enable = true;
 })
 ({ pkgs, ... }: {
 nixpkgs.overlays = [ fenix.overlay ];
diff --git a/hosts/microwave/configuration.nix b/hosts/microwave/configuration.nix
index 779e600..35c88f2 100644
--- a/hosts/microwave/configuration.nix
+++ b/hosts/microwave/configuration.nix
@@ -21,14 +21,6 @@
 element-desktop-wayland
 ];
- networking.firewall.enable = true;
- networking = {
- hostName = "microwave"; # Define your hostname.
- networkmanager.enable = true;
- wireguard.enable = true;
-
- };
-
 nixpkgs.config.allowUnfree = true;
@@ -65,7 +57,6 @@
 createHome = true;
 extraGroups = [
 "wheel"
- "networkmanager"
 "wireshark"
 "video"
 "libvirtd"
diff --git a/hosts/microwave/default.nix b/hosts/microwave/default.nix
new file mode 100644
index 0000000..53ff03b
--- /dev/null
+++ b/hosts/microwave/default.nix
@@ -0,0 +1,9 @@
+{
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+
+ ./network.nix
+ ./secrets.nix
+ ];
+}
diff --git a/hosts/microwave/network.nix b/hosts/microwave/network.nix
new file mode 100644
index 0000000..4efbae0
--- /dev/null
+++ b/hosts/microwave/network.nix
@@ -0,0 +1,157 @@
+{ pkgs, config, ... }: {
+ environment.systemPackages = with pkgs; [
+ iwgtk
+ ];
+ networking = {
+ hostName = "microwave"; # Define your hostname.
+ firewall.enable = true;
+ useNetworkd = true;
+ wireguard.enable = true;
+ wireless.iwd = {
+ enable = true;
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ };
+
+ # workaround for networkd waiting for shit
+ systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
+ "" # clear old command
+ "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
+ ];
+
+systemd.network = {
+ enable = true;
+
+ # wait-online.ignoredInterfaces = [ "wlan0" "enp53s0" ];
+
+ # Interfaces on the machine
+ networks."10-ether" = {
+ matchConfig = { Name = "enp53s0"; };
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = true;
+ };
+ };
+ networks."10-wlan" = {
+ matchConfig = { Name = "wlan0"; };
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = true;
+ IgnoreCarrierLoss = true;
+ };
+ };
+
+ # Wireguard
+ # Dump-dvb
+ netdevs."10-wg-dumpdvb" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg-dumpdvb";
+ Description = "dvb.solutions enterprise network";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/wg-dvb-seckey".path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
+ Endpoint = "academicstrokes.com:51820";
+ AllowedIPs = [ "10.13.37.0/24" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+ networks."10-wg-dumpdvb" = {
+ matchConfig = { Name = "wg-dumpdvb"; };
+ networkConfig = {
+ Address = "10.13.37.3";
+ IPv6AcceptRA = true;
+ };
+ routes = [
+ { routeConfig = { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }; }
+ ];
+ };
+
+ # Dump-dvb
+ netdevs."10-wg-oxalab" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg-oxalab";
+ Description = "lab of oxa";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
+ };
+ 
wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
+ Endpoint = "95.216.166.21:51820";
+ AllowedIPs = [ "10.66.66.0/24" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+ networks."10-wg-oxalab" = {
+ matchConfig = { Name = "wg-oxalab"; };
+ networkConfig = {
+ Address = "10.66.66.10/24";
+ IPv6AcceptRA = true;
+ };
+ routes = [
+ { routeConfig = { Gateway = "10.66.66.1"; Destination = "10.66.66.1/24"; }; }
+ ];
+ };
+
+
+ # zentralwerk
+ netdevs."10-wg-zentralwerk" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg-zentralwerk";
+ Description = "Tunnel to the best basement in Dresden";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/wg-zw-seckey".path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
+ Endpoint = "81.201.149.152:1337";
+ AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+ networks."10-wg-zentralwerk" = {
+ matchConfig = { Name = "wg-zentralwerk"; };
+ networkConfig = {
+ Address = "172.20.76.226";
+ IPv6AcceptRA = true;
+ DNS = "172.20.73.8";
+ };
+ routes = [
+ {
+ routeConfig = {
+ Gateway = "172.20.72.4";
+ Destination = "172.20.72.0/21";
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "172.20.72.4";
+ Destination = "172.20.90.0/24";
+ };
+ }
+ ];
+ };
+ };
+ }
diff --git a/hosts/microwave/secrets.nix b/hosts/microwave/secrets.nix
index d7f439c..d5abb96 100644
--- a/hosts/microwave/secrets.nix
+++ b/hosts/microwave/secrets.nix
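Review bot: The second wg-zentralwerk route sends `172.20.90.0/24` into the tunnel, but that prefix is covered by neither AllowedIPs entry of the peer (`172.20.72.0/21`, `172.22.90.0/24`), so WireGuard's cryptokey routing silently drops those packets on egress; the deleted modules/wireguard.nix used `172.22.99.0/24` for this same peer, so at least one of the three values is a typo and the route Destination should be made identical to the AllowedIPs prefix it is meant to reach. The wg-oxalab route has a related slip: `Destination = "10.66.66.1/24"` carries host bits and should read `Destination = "10.66.66.0/24"` to match that peer's AllowedIPs. Separately, `DNS = "172.20.73.8"` on wg-zentralwerk is set without a `Domains=` routing domain, so with services.resolved enabled that resolver becomes a candidate for ordinary lookups and can receive queries unrelated to the VPN; adding `Domains = "~<vpn-dns-suffix>";` (placeholder for the tunnel's domain) scopes it to names behind the tunnel. The comment above `netdevs."10-wg-oxalab"` still reads `# Dump-dvb` and should say `# oxalab`.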
@@ -4,9 +4,17 @@
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 sops.secrets = {
- "wg/wg-zw-seckey" = { };
- "wg/wg-dvb-seckey" = { };
- "wg/mlwd-nl-seckey" = { };
- "wg/oxalab-seckey" = { };
+ "wg/wg-zw-seckey" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ "wg/wg-dvb-seckey" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ "wg/mlwd-nl-seckey" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ "wg/oxalab-seckey" = {
+ owner = config.users.users.systemd-network.name;
+ };
 };
 }
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
deleted file mode 100644
index 871dc6e..0000000
--- a/modules/wireguard.nix
+++ /dev/null
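Review bot: `wg/mlwd-nl-seckey` is still declared and now made readable by systemd-network, yet nothing in this diff references it any more — its only consumer, the mlwd-nl interface in modules/wireguard.nix, is deleted and no matching netdev appears in the new hosts/microwave/network.nix — so the private key keeps being decrypted onto the host without a user. Unless another module outside this diff reads it, drop the entry; if it is intentionally parked, a short comment such as `# kept for the mlwd-nl interface, not yet ported to networkd` would say so. The new `owner` lines are the right companion to `PrivateKeyFile=`, since upstream systemd-networkd.service runs as the systemd-network user rather than root and would otherwise be unable to read sops-nix's root-owned secret files.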
@@ -1,54 +0,0 @@
-{ config, ... }:
-
-{
- networking.wg-quick.interfaces = {
- wg-zw = {
- privateKeyFile = config.sops.secrets."wg/wg-zw-seckey".path;
- address = [ "172.20.76.226" ];
- dns = [ "172.20.73.8" ];
- peers = [
- {
- publicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
- endpoint = "81.201.149.152:1337";
- allowedIPs = [ "172.20.72.0/21" "172.22.99.0/24" ];
- }
- ];
- };
-
- wg-dvb = {
- privateKeyFile = config.sops.secrets."wg/wg-dvb-seckey".path;
- address = [ "10.13.37.3/32" ];
-
- peers = [{
- publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
- allowedIPs = [ "10.13.37.0/24" ];
- endpoint = "academicstrokes.com:51820";
- persistentKeepalive = 25;
- }];
- };
-
- mlwd-nl = {
- privateKeyFile = config.sops.secrets."wg/mlwd-nl-seckey".path;
- address = [ "10.65.79.164/32" "fc00:bbbb:bbbb:bb01::2:4fa3/128" ];
- dns = [ "193.138.218.74" ];
-
- peers = [{
- publicKey = "StMPmol1+QQQQCJyAkm7t+l/QYTKe5CzXUhw0I6VX14=";
- allowedIPs = [ "0.0.0.0/0" "::0/0" ];
- endpoint = "92.60.40.194:51820";
- }];
- };
-
- oxalab = {
- privateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
- address = [ "10.66.66.10/32" ];
-
- peers = [{
- publicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
- allowedIPs = [ "10.66.66.0/24" ];
- endpoint = "95.216.166.21:51820";
- persistentKeepalive = 25;
- }];
- };
- };
-}