tunnel munin node traffic on lan through wireguard

This commit is contained in:
Tim Schubert 2024-03-23 18:37:56 +01:00
parent 017725d2cf
commit 7d1047e5fe
Signed by: dadada
SSH key fingerprint: SHA256:bFAjFH3hR8zRBaJjzQDjc3o4jqoq5EZ87l+KXEjxIz0
7 changed files with 87 additions and 26 deletions


@ -86,7 +86,7 @@
enable = true; enable = true;
extraConfig = '' extraConfig = ''
host_name ${config.networking.hostName} host_name ${config.networking.hostName}
cidr_allow 192.168.101.184/32 cidr_allow 10.3.3.3/32
''; '';
}; };
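Review bot: `cidr_allow 10.3.3.3/32` is a source-address check only, and a source of 10.3.3.3 can be forged on any interface munin-node listens on; what actually pins the poller to the peer is WireGuard's cryptokey routing (the wg0 peer's AllowedIPs) together with an nftables rule that admits 4949 only on wg0, neither of which is visible from this hunk. If munin-node still uses the default `host *` binding, consider adding a bind line above `cidr_allow` (for example `host 10.3.3.2` if this is agares's wg0 address) so the node is not also reachable on the LAN, and a comment such as `# master (pruflas) polls over wg0; source is pinned by the peer's AllowedIPs` to record why the /32 is trusted. The enclosing services.munin-node block starts outside the hunk.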


@ -63,6 +63,26 @@ in
}; };
}]; }];
}; };
"20-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."wg-privkey-wg0".path;
ListenPort = 51235;
};
wireguardPeers = lib.singleton {
wireguardPeerConfig = {
PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
AllowedIPs = [
"10.3.3.3/32"
"fd42:9c3b:f96d:121::3/128"
"fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
];
};
};
};
}; };
networks = networks =
let let
@ -126,6 +146,17 @@ in
} }
]; ];
}; };
"30-wg0" = {
matchConfig.Name = "wg0";
address = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ];
DHCP = "no";
networkConfig.IPv6AcceptRA = false;
linkConfig.RequiredForOnline = false;
routes = [
{ routeConfig = { Destination = "10.3.3.1/24"; }; }
{ routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
];
};
"30-lan" = subnet "lan.10" "101" // { "30-lan" = subnet "lan.10" "101" // {
dhcpServerStaticLeases = [ dhcpServerStaticLeases = [
{ {
@ -237,6 +268,11 @@ in
owner = "systemd-network"; owner = "systemd-network";
}; };
age.secrets."wg-privkey-wg0" = {
file = "${config.dadada.secrets.path}/agares-wg0-key.age";
owner = "systemd-network";
};
boot.kernel.sysctl = { boot.kernel.sysctl = {
# Enable forwarding for interface # Enable forwarding for interface
"net.ipv4.conf.all.forwarding" = "1"; "net.ipv4.conf.all.forwarding" = "1";
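Review bot: The new wg0 netdev listens on UDP 51235 and the pruflas side dials it at `192.168.101.1:51235`, i.e. on this host's LAN address, yet the nftables hunk in this commit adds nothing like `udp dport 51235 accept` to input_lan — unless input_lan already admits that port, the handshake is dropped and the tunnel never comes up. The peer's AllowedIPs also includes the LAN IPv6 address `fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128`, which lets the peer send from its LAN address through the tunnel; the purpose is not apparent from the hunk, so either drop it or add a one-line comment explaining why it is needed. Minor: the routes use host-bit forms (`10.3.3.1/24`, `fd42:9c3b:f96d:121::1/64`); the canonical `10.3.3.0/24` and `fd42:9c3b:f96d:121::/64` read less like typos. The netdevs/networks attribute sets both start and end outside the hunks.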


@ -64,13 +64,17 @@ table inet filter {
udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk" udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
} }
chain input_wg0 {
tcp dport 4949 accept comment "Munin node"
}
chain input { chain input {
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
ct state {established, related} counter accept comment "Accept packets from established and related connections" ct state {established, related} counter accept comment "Accept packets from established and related connections"
ct state invalid counter drop comment "Early drop of invalid packets" ct state invalid counter drop comment "Early drop of invalid packets"
iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt } iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, wg0 : jump input_wg0 }
} }
# Only works if hardware flow offloading is available # Only works if hardware flow offloading is available
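Review bot: `chain input_wg0` accepts 4949 from any source arriving on wg0; today that is safe only because the single wg0 peer's AllowedIPs is 10.3.3.3/32, but the rule does not say so and silently widens the moment a second peer is added to the netdev. Pinning the source keeps the intent in the firewall itself: `ip saddr 10.3.3.3 tcp dport 4949 counter accept comment "Munin node (pruflas over wg0)"`. Also, `wg0` is a literal in the iifname vmap while every other entry uses a `$IF_*` define; a `define IF_WG0 = "wg0"` next to the others would keep the map uniform. Note that the chain admits no ICMP/ICMPv6 at all on wg0, so pinging the tunnel address for diagnostics will fail unless that is intended.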


@ -6,9 +6,9 @@ let
"backup1.dadada.li" "backup1.dadada.li"
]; ];
secretsPath = config.dadada.secrets.path; secretsPath = config.dadada.secrets.path;
wg0PrivKey = "pruflas-wg0-key"; uwuPrivKey = "pruflas-wg0-key";
wgHydraPrivKey = "pruflas-wg-hydra-key"; wgHydraPrivKey = "pruflas-wg-hydra-key";
wg0PresharedKey = "pruflas-wg0-preshared-key"; uwuPresharedKey = "pruflas-wg0-preshared-key";
hydraGitHubAuth = "hydra-github-authorization"; hydraGitHubAuth = "hydra-github-authorization";
initrdSshKey = "/etc/ssh/ssh_initrd_ed25519_key"; initrdSshKey = "/etc/ssh/ssh_initrd_ed25519_key";
softServePort = 23231; softServePort = 23231;
@ -198,12 +198,13 @@ in
"v /mnt/storage/backups 0755 root root - -" "v /mnt/storage/backups 0755 root root - -"
]; ];
age.secrets.${wg0PrivKey} = { age.secrets.${uwuPrivKey} = {
file = "${secretsPath}/${wg0PrivKey}.age"; file = "${secretsPath}/${uwuPrivKey}.age";
owner = "systemd-network"; owner = "systemd-network";
}; };
age.secrets.${wg0PresharedKey} = {
file = "${secretsPath}/${wg0PresharedKey}.age"; age.secrets.${uwuPresharedKey} = {
file = "${secretsPath}/${uwuPresharedKey}.age";
owner = "systemd-network"; owner = "systemd-network";
}; };
age.secrets.${wgHydraPrivKey} = { age.secrets.${wgHydraPrivKey} = {
@ -285,8 +286,8 @@ in
UseDNS = true; UseDNS = true;
}; };
}; };
"10-surgat" = { "30-wg0" = {
matchConfig.Name = "surgat"; matchConfig.Name = "wg0";
address = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" ]; address = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" ];
DHCP = "no"; DHCP = "no";
networkConfig.IPv6AcceptRA = false; networkConfig.IPv6AcceptRA = false;
@ -296,7 +297,7 @@ in
{ routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; } { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
]; ];
}; };
"10-uwu" = { "30-uwu" = {
matchConfig.Name = "uwu"; matchConfig.Name = "uwu";
address = [ "10.11.0.39/24" "fc00:1337:dead:beef::10.11.0.39/128" ]; address = [ "10.11.0.39/24" "fc00:1337:dead:beef::10.11.0.39/128" ];
dns = [ "10.11.0.1%uwu#uwu" ]; dns = [ "10.11.0.1%uwu#uwu" ];
@ -311,38 +312,47 @@ in
}; };
}; };
netdevs = { netdevs = {
"10-surgat" = { "20-wg0" = {
netdevConfig = { netdevConfig = {
Kind = "wireguard"; Kind = "wireguard";
Name = "surgat"; Name = "wg0";
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path; PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
ListenPort = 51235; ListenPort = 51235;
}; };
wireguardPeers = [{ wireguardPeers = [
{
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
AllowedIPs = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ]; AllowedIPs = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ];
PersistentKeepalive = 25; PersistentKeepalive = 25;
Endpoint = "surgat.dadada.li:51235"; Endpoint = "surgat.dadada.li:51235";
}; };
}]; }
{
wireguardPeerConfig = {
PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU=";
AllowedIPs = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ];
Endpoint = "192.168.101.1:51235";
}; };
"10-uwu" = { }
];
};
"20-uwu" = {
netdevConfig = { netdevConfig = {
Kind = "wireguard"; Kind = "wireguard";
Name = "uwu"; Name = "uwu";
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.age.secrets.${wg0PrivKey}.path; PrivateKeyFile = config.age.secrets.${uwuPrivKey}.path;
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8="; PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
AllowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ]; AllowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
PersistentKeepalive = 25; PersistentKeepalive = 25;
PresharedKeyFile = config.age.secrets.${wg0PresharedKey}.path; PresharedKeyFile = config.age.secrets.${uwuPresharedKey}.path;
Endpoint = "53c70r.de:51820"; Endpoint = "53c70r.de:51820";
}; };
}]; }];
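Review bot: The secret names now contradict the interface names: the age file `pruflas-wg0-key` (bound to `uwuPrivKey`) keys the `uwu` netdev, while the `wg0` netdev is keyed by `wgHydraPrivKey` (`pruflas-wg-hydra-key`); renaming the Nix bindings helps here, but anyone reading secrets.nix or the secrets directory will pair the wrong key with wg0. Until the .age files are renamed, a comment on the `let` bindings would prevent that, e.g. `# NOTE: age file names are historical — pruflas-wg0-key is the uwu tunnel key; wg0 uses pruflas-wg-hydra-key`. The new agares peer has no PresharedKeyFile, consistent with the surgat peer on the same netdev but unlike uwu; fine if that asymmetry is deliberate, worth one line saying so. The `let` block and the netdevs set both extend beyond the hunks shown.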


@ -15,13 +15,13 @@
enable = true; enable = true;
hosts = '' hosts = ''
[${config.networking.hostName}] [${config.networking.hostName}]
address localhost address 10.3.3.3
[surgat] [surgat]
address 10.3.3.1 address 10.3.3.1
[agares] [agares]
address 192.168.101.1 address 10.3.3.2
''; '';
}; };
services.munin-node.enable = true; services.munin-node.enable = true;
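Review bot: Changing the master's own entry from `address localhost` to `address 10.3.3.3` makes the master poll its local node over the wg0 address, which only works if the local munin-node binds that address and allows 10.3.3.3 in `cidr_allow`, and if the host firewall admits the loopback-delivered 10.3.3.3 traffic — none of which this commit shows. `localhost` was the tighter setting and did not depend on the tunnel being up; unless munin-node on this host is now bound to the wg0 address only, keeping `address localhost` for the master's own entry seems preferable. The `hosts` string is otherwise consistent with the wg0 addresses used in the other files.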


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 L7f05w ENcdsQ43v/xIe1Ej4BYjb/nTjIk76N2DR/zj754Puz0
vIDFk+A/m8rOnBNXcvfBX4SJNxT6LP64s674v5pJtcQ
-> ssh-ed25519 Otklkw lLwVf/2E67Bue+VBu+EMupLjuv6wfR656CD1st71GRM
AsXHvpANM0mOiSW3LTqzbEneVQSKNb0TvsMY2WCPfbk
-> DJZq-grease 9))O09 z2-
ZFxd5v9Bma6VVIvpw8VK0DSR55lHUNOTh6cNxFJAezXn1apmjvuZPdMSXZ7OrE23
qlqnskWvo+SX3JF7NH0yQf53dZJU
--- pSa5IqZmIDAHJkcPgqrS0WUwnD1ipE2pGr87qhTmrjk
Ű(E<>/—P(<28>©Ő|JĄ€řŞëŘéŇ<C587>zń`JOÁ2“ŚÔ–‚Űńd3qÁ±¤‡O­Ú!”8ňůHN3\°ĹŹę‘


@ -27,6 +27,7 @@ in
"etc-ppp-chap-secrets.age".publicKeys = [ systems.agares dadada ]; "etc-ppp-chap-secrets.age".publicKeys = [ systems.agares dadada ];
"etc-ppp-telekom-secret.age".publicKeys = [ systems.agares dadada ]; "etc-ppp-telekom-secret.age".publicKeys = [ systems.agares dadada ];
"wg-privkey-vpn-dadada-li.age".publicKeys = [ systems.agares dadada ]; "wg-privkey-vpn-dadada-li.age".publicKeys = [ systems.agares dadada ];
"agares-wg0-key.age".publicKeys = [ systems.agares dadada ];
} // } //
backupSecrets "ninurta" // backupSecrets "ninurta" //
backupSecrets "gorgon" // backupSecrets "gorgon" //