From 7d1047e5fe06d101a2b06c1b704d4ed994d20553 Mon Sep 17 00:00:00 2001
From: dadada
Date: Sat, 23 Mar 2024 18:37:56 +0100
Subject: [PATCH] tunnel munin node traffic on lan through wireguard

---
 nixos/agares/configuration.nix | 2 +-
 nixos/agares/network.nix | 36 ++++++++++++++++++++++
 nixos/agares/rules.nft | 6 +++-
 nixos/ninurta/configuration.nix | 54 +++++++++++++++++++--------------
 nixos/ninurta/monitoring.nix | 4 +--
 secrets/agares-wg0-key.age | 10 ++++++
 secrets/secrets.nix | 1 +
 7 files changed, 87 insertions(+), 26 deletions(-)
 create mode 100644 secrets/agares-wg0-key.age

diff --git a/nixos/agares/configuration.nix b/nixos/agares/configuration.nix
index 4e553e4..c8ab058 100644
--- a/nixos/agares/configuration.nix
+++ b/nixos/agares/configuration.nix
@@ -86,7 +86,7 @@
 enable = true;
 extraConfig = ''
 host_name ${config.networking.hostName}
- cidr_allow 192.168.101.184/32
+ cidr_allow 10.3.3.3/32
 '';
 };
 
diff --git a/nixos/agares/network.nix b/nixos/agares/network.nix
index 0eeaa44..6ed3f1c 100644
--- a/nixos/agares/network.nix
+++ b/nixos/agares/network.nix
@@ -63,6 +63,26 @@ in
 };
 }];
 };
+ "20-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets."wg-privkey-wg0".path;
+ ListenPort = 51235;
+ };
+ wireguardPeers = lib.singleton {
+ wireguardPeerConfig = {
+ PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
+ AllowedIPs = [
+ "10.3.3.3/32"
+ "fd42:9c3b:f96d:121::3/128"
+ "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
+ ];
+ };
+ };
+ };
 };
 
 networks = let
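Review bot: The `20-wg0` peer has no `PresharedKeyFile`, unlike the existing `uwu` tunnel elsewhere in this repository, and since both endpoints of this link are managed here a PSK costs one extra age secret; consider `PresharedKeyFile = config.age.secrets."wg-psk-wg0".path;` on this peer and on its counterpart on ninurta. The third `AllowedIPs` entry, `fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128`, sits in what appears to be the LAN prefix (`101`, per the `subnet "lan.10" "101"` line later in this diff) rather than the tunnel's `121` prefix, and it is not an address ninurta assigns to its `wg0` in this patch (that is `10.3.3.3/32` and `fd42:9c3b:f96d:121::3/128`); if it is ninurta's LAN address it lets packets with a LAN source be accepted from the tunnel, so either drop it or add a comment saying why it is needed. The enclosing `netdevs` set opens before the start of this hunk.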
@@ -126,6 +146,17 @@ in
 }
 ];
 };
+ "30-wg0" = {
+ matchConfig.Name = "wg0";
+ address = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ];
+ DHCP = "no";
+ networkConfig.IPv6AcceptRA = false;
+ linkConfig.RequiredForOnline = false;
+ routes = [
+ { routeConfig = { Destination = "10.3.3.1/24"; }; }
+ { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
+ ];
+ };
 "30-lan" = subnet "lan.10" "101" // {
 dhcpServerStaticLeases = [
 {
@@ -237,6 +268,11 @@ in
 owner = "systemd-network";
 };
 
+ age.secrets."wg-privkey-wg0" = {
+ file = "${config.dadada.secrets.path}/agares-wg0-key.age";
+ owner = "systemd-network";
+ };
+
 boot.kernel.sysctl = {
 # Enable forwarding for interface
 "net.ipv4.conf.all.forwarding" = "1";
diff --git a/nixos/agares/rules.nft b/nixos/agares/rules.nft
index a270aab..4b41bea 100644
--- a/nixos/agares/rules.nft
+++ b/nixos/agares/rules.nft
@@ -64,13 +64,17 @@ table inet filter {
 udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
 }
 
+ chain input_wg0 {
+ tcp dport 4949 accept comment "Munin node"
+ }
+
 chain input {
 type filter hook input priority filter; policy drop;
 ct state {established, related} counter accept comment "Accept packets from established and related connections"
 ct state invalid counter drop comment "Early drop of invalid packets"
- iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt }
+ iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, wg0 : jump input_wg0 }
 }
 
 # Only works if hardware flow offloading is available
diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix
index 085b5e1..aea6d25 100644
--- a/nixos/ninurta/configuration.nix
+++ b/nixos/ninurta/configuration.nix
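Review bot: The route destinations in `30-wg0` carry host bits, `10.3.3.1/24` and `fd42:9c3b:f96d:121::1/64`; writing them as the network, `{ routeConfig = { Destination = "10.3.3.0/24"; }; }` and `{ routeConfig = { Destination = "fd42:9c3b:f96d:121::/64"; }; }`, states the intent and does not rely on networkd masking them (the ninurta side shows the same form as pre-existing context, so this is a style point rather than a regression). Note also that the whole `/24` and `/64` are routed into `wg0` while the only peer on this interface carries ninurta's `/32` and `/128`, so traffic to any other tunnel address such as `10.3.3.1` is handed to WireGuard and dropped there for lack of a matching peer; fine if intended, but a one-line comment on `routes` saying the route is deliberately wider than the peer set would help. The `networks` set that holds this entry opens before the hunk.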
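Review bot: Nothing in this patch accepts the WireGuard handshake itself: agares listens on UDP 51235 (`ListenPort` in its `20-wg0` netdev) and ninurta dials `192.168.101.1:51235`, so those packets arrive on `$IF_LAN` and are dispatched to `input_lan`, which is outside this hunk; unless that chain already has a `udp dport 51235 accept` rule, the `policy drop` in `input` discards them and the tunnel never comes up. If it is missing, add `udp dport 51235 accept comment "WireGuard wg0 from ninurta"` to `input_lan`. As a style point, every other interface in the vmap goes through a `$IF_*` define while `wg0` is a bare name; a `define IF_WG0 = wg0` next to the existing defines keeps the file uniform. WireGuard's `AllowedIPs` already ensures packets on `wg0` come from 10.3.3.3, so `input_wg0` is correctly minimal; if you want belt and braces, `ip saddr 10.3.3.3 tcp dport 4949 accept comment "Munin node"` also documents that only the Munin master is expected.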
@@ -6,9 +6,9 @@ let
 "backup1.dadada.li"
 ];
 secretsPath = config.dadada.secrets.path;
- wg0PrivKey = "pruflas-wg0-key";
+ uwuPrivKey = "pruflas-wg0-key";
 wgHydraPrivKey = "pruflas-wg-hydra-key";
- wg0PresharedKey = "pruflas-wg0-preshared-key";
+ uwuPresharedKey = "pruflas-wg0-preshared-key";
 hydraGitHubAuth = "hydra-github-authorization";
 initrdSshKey = "/etc/ssh/ssh_initrd_ed25519_key";
 softServePort = 23231;
@@ -198,12 +198,13 @@ in
 "v /mnt/storage/backups 0755 root root - -"
 ];
 
- age.secrets.${wg0PrivKey} = {
- file = "${secretsPath}/${wg0PrivKey}.age";
+ age.secrets.${uwuPrivKey} = {
+ file = "${secretsPath}/${uwuPrivKey}.age";
 owner = "systemd-network";
 };
- age.secrets.${wg0PresharedKey} = {
- file = "${secretsPath}/${wg0PresharedKey}.age";
+
+ age.secrets.${uwuPresharedKey} = {
+ file = "${secretsPath}/${uwuPresharedKey}.age";
 owner = "systemd-network";
 };
 age.secrets.${wgHydraPrivKey} = {
@@ -285,8 +286,8 @@ in
 UseDNS = true;
 };
 };
- "10-surgat" = {
- matchConfig.Name = "surgat";
+ "30-wg0" = {
+ matchConfig.Name = "wg0";
 address = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" ];
 DHCP = "no";
 networkConfig.IPv6AcceptRA = false;
@@ -296,7 +297,7 @@ in
 { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
 ];
 };
- "10-uwu" = {
+ "30-uwu" = {
 matchConfig.Name = "uwu";
 address = [ "10.11.0.39/24" "fc00:1337:dead:beef::10.11.0.39/128" ];
 dns = [ "10.11.0.1%uwu#uwu" ];
@@ -311,38 +312,47 @@ in
 };
 };
 netdevs = {
- "10-surgat" = {
+ "20-wg0" = {
 netdevConfig = {
 Kind = "wireguard";
- Name = "surgat";
+ Name = "wg0";
 };
 wireguardConfig = {
 PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
 ListenPort = 51235;
 };
- wireguardPeers = [{
- wireguardPeerConfig = {
- PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
- AllowedIPs = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ];
- PersistentKeepalive = 25;
- Endpoint = "surgat.dadada.li:51235";
- };
- }];
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
+ AllowedIPs = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ];
+ PersistentKeepalive = 25;
+ Endpoint = "surgat.dadada.li:51235";
+ };
+ }
+ {
+ wireguardPeerConfig = {
+ PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU=";
+ AllowedIPs = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ];
+ Endpoint = "192.168.101.1:51235";
+ };
+ }
+ ];
 };
- "10-uwu" = {
+ "20-uwu" = {
 netdevConfig = {
 Kind = "wireguard";
 Name = "uwu";
 };
 wireguardConfig = {
- PrivateKeyFile = config.age.secrets.${wg0PrivKey}.path;
+ PrivateKeyFile = config.age.secrets.${uwuPrivKey}.path;
 };
 wireguardPeers = [{
 wireguardPeerConfig = {
 PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
 AllowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
 PersistentKeepalive = 25;
- PresharedKeyFile = config.age.secrets.${wg0PresharedKey}.path;
+ PresharedKeyFile = config.age.secrets.${uwuPresharedKey}.path;
 Endpoint = "53c70r.de:51820";
 };
 }];
diff --git a/nixos/ninurta/monitoring.nix b/nixos/ninurta/monitoring.nix
index 552dc4d..e3dfa8a 100644
--- a/nixos/ninurta/monitoring.nix
+++ b/nixos/ninurta/monitoring.nix
@@ -15,13 +15,13 @@
 enable = true;
 hosts = ''
 [${config.networking.hostName}]
- address localhost
+ address 10.3.3.3
 [surgat]
 address 10.3.3.1
 [agares]
- address 192.168.101.1
+ address 10.3.3.2
 '';
 };
 services.munin-node.enable = true;
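Review bot: The new agares peer in `20-wg0` has no `PresharedKeyFile`, while the `20-uwu` peer a few lines below in the same hunk does; both ends of this tunnel live in this repository, so a shared PSK is one more age secret and worth adding to this peer and to agares' `20-wg0`. With two peers now sharing one interface and one private key (`wgHydraPrivKey`), the disjoint `AllowedIPs` (`10.3.3.1/32` and `fd42:9c3b:f96d:121::1/128` for surgat, `10.3.3.2/32` and `fd42:9c3b:f96d:121::2/128` for agares) are what keep the hosts apart, which is correct as written; a comment above `wireguardPeers` such as `# wg0 is shared by surgat (WAN) and agares (LAN); peers are told apart by AllowedIPs` would save the next reader the check. The agares peer also omits `PersistentKeepalive`; over a NAT-free LAN that is presumably fine, but agares has no `Endpoint` for ninurta and only learns it from ninurta's first packet, so if agares is ever expected to reach 10.3.3.3 on its own (e.g. after an agares reboot, before the next Munin poll) a `PersistentKeepalive = 25;` here would cover it. The `netdevs` set closes after the end of this hunk.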
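Review bot: Changing the master's own entry from `address localhost` to `address 10.3.3.3` changes the source address ninurta's munin-node sees for the self-poll from loopback to 10.3.3.3 (a connection to a locally-assigned address is normally sourced from that same address), and the only ninurta munin-node configuration visible here is the bare `services.munin-node.enable = true;` context line; if it relies on the NixOS module's default loopback-only allow list, the self-poll will now be refused. Either keep `address localhost` for `[${config.networking.hostName}]`, or give ninurta's munin-node an `extraConfig` containing `cidr_allow 10.3.3.3/32`, mirroring what this patch does for agares. The `[agares]` change to `10.3.3.2` is the intended effect of the patch and matches agares' new `cidr_allow`.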
diff --git a/secrets/agares-wg0-key.age b/secrets/agares-wg0-key.age new file mode 100644 index 0000000..9938b85 --- /dev/null +++ b/secrets/agares-wg0-key.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 L7f05w ENcdsQ43v/xIe1Ej4BYjb/nTjIk76N2DR/zj754Puz0 +vIDFk+A/m8rOnBNXcvfBX4SJNxT6LP64s674v5pJtcQ +-> ssh-ed25519 Otklkw lLwVf/2E67Bue+VBu+EMupLjuv6wfR656CD1st71GRM +AsXHvpANM0mOiSW3LTqzbEneVQSKNb0TvsMY2WCPfbk +-> DJZq-grease 9))O09 z2- +ZFxd5v9Bma6VVIvpw8VK0DSR55lHUNOTh6cNxFJAezXn1apmjvuZPdMSXZ7OrE23 +qlqnskWvo+SX3JF7NH0yQf53dZJU +--- pSa5IqZmIDAHJkcPgqrS0WUwnD1ipE2pGr87qhTmrjk +(E/P(|Jؑҋz`JO2Ԗd3qO!8HN3\i \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0328299..7da57e3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -27,6 +27,7 @@ in "etc-ppp-chap-secrets.age".publicKeys = [ systems.agares dadada ]; "etc-ppp-telekom-secret.age".publicKeys = [ systems.agares dadada ]; "wg-privkey-vpn-dadada-li.age".publicKeys = [ systems.agares dadada ]; + "agares-wg0-key.age".publicKeys = [ systems.agares dadada ]; } // backupSecrets "ninurta" // backupSecrets "gorgon" //