From 465b4441f6f6e69ba6aec14b1ffb0974eedbc61a Mon Sep 17 00:00:00 2001
From: albert <albert@sysctl.io>
Date: Mon, 24 Feb 2025 12:46:26 -0800
Subject: [PATCH] Update wireguard

---
 nixos/hosts/backups-rpi4/wireguard.nix        | 20 +----
 nixos/hosts/framework-server/default.nix      |  2 +-
 nixos/hosts/framework-server/wireguard.nix    | 20 ++---
 nixos/hosts/framework13/hibernate.nix         |  4 +-
 nixos/hosts/frankfurt-linode-01/wireguard.nix |  2 +-
 nixos/hosts/milan-linode-01/default.nix       |  2 +-
 nixos/hosts/osaka-linode-01/default.nix       |  2 -
 nixos/hosts/osaka-linode-01/firewall.nix      | 13 ++++
 nixos/hosts/osaka-linode-01/wireguard.nix     | 77 -------------------
 nixos/hosts/warsaw-ovh-01/wireguard.nix       |  8 --
 10 files changed, 28 insertions(+), 122 deletions(-)
 create mode 100644 nixos/hosts/osaka-linode-01/firewall.nix
 delete mode 100644 nixos/hosts/osaka-linode-01/wireguard.nix

diff --git a/nixos/hosts/backups-rpi4/wireguard.nix b/nixos/hosts/backups-rpi4/wireguard.nix
index ecf1ad9d..ffde5137 100644
--- a/nixos/hosts/backups-rpi4/wireguard.nix
+++ b/nixos/hosts/backups-rpi4/wireguard.nix
@@ -1,11 +1,9 @@
-{ pkgs, config, lib, ... }: {
+{ ... }: {
 
   # Allow these hosts to directly communicate with their hostnames 
   networking.extraHosts = ''
-    10.100.0.1 osaka-linode-01
-    10.100.0.2 framework-server-wg
-    10.100.0.3 backups-rpi4
-    10.100.0.4 frankfurt-linode-01
+    10.100.0.3 backups-rpi4-wg
+    10.100.0.4 frankfurt-linode-01-wg
   '';
 
   networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
@@ -21,7 +19,6 @@
   };
 
   # Wireguard Forwarder
-  networking.firewall.allowPing = true;
   networking.wireguard = {
     enable = true;
     interfaces = {
@@ -29,23 +26,14 @@
         ips = [ "10.100.0.3/24" ];
         listenPort = 51820;
         privateKeyFile = "/run/secrets/wireguard_key";
-        # Testing
         peers = [
-          { # osaka-linode-01
-            publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
-            presharedKeyFile = "/run/secrets/preshared_key";
-            persistentKeepalive = 5;
-            allowedIPs = [ "10.100.0.1/32" ];
-            endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
-          }
           { # frankfurt-linode-01
-            publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
+            publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
             presharedKeyFile = "/run/secrets/preshared_key";
             persistentKeepalive = 5;
             allowedIPs = [ "10.100.0.4/32" ];
             endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
           }
-
         ];
       };
     };
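Review bot: The frankfurt-linode-01 peer kept here still reads its PSK from `/run/secrets/preshared_key`, the same path every peer in framework-server and warsaw-ovh-01 uses, and the deleted osaka-linode-01 file sourced that secret from the fleet-wide `secrets/wireguard.yaml` rather than the per-host `secrets/hosts/${hostname}.yaml` used for the private key. If the surviving hosts do the same (their sops blocks are outside this hunk), a single preshared key covers every tunnel in the mesh, so exposure of any one host's secrets removes the PSK's defence-in-depth value for all pairs at once. WireGuard preshared keys are defined per peer pair; one secret per pair, e.g. `presharedKeyFile = "/run/secrets/preshared_key_<peer>";` with a matching sops entry, would contain that. The corrected `publicKey` is the right fix for the old duplicate-key entry; a short comment on where it was read from (e.g. `# wg0 public key of frankfurt-linode-01`) would make future key rotations easier to audit.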
diff --git a/nixos/hosts/framework-server/default.nix b/nixos/hosts/framework-server/default.nix
index 5d24b3ae..ff3b4377 100644
--- a/nixos/hosts/framework-server/default.nix
+++ b/nixos/hosts/framework-server/default.nix
@@ -10,7 +10,7 @@
     ../../common/services/docker.nix
     ../../common/services/tailscale-autoconnect.nix
     ../../common/services/forgejo-runner.nix
-    ../../common/services/syncthing.nix
+    ../../common/services/syncthing/default.nix
     # Disabling -- I don't know why but this all of a sudden breaks Headscale.  
     # Sep 12 2024
     # ../../common/modules/fail2ban/traefik.nix
diff --git a/nixos/hosts/framework-server/wireguard.nix b/nixos/hosts/framework-server/wireguard.nix
index 25890d30..bb9d5405 100644
--- a/nixos/hosts/framework-server/wireguard.nix
+++ b/nixos/hosts/framework-server/wireguard.nix
@@ -2,7 +2,6 @@
 
   # Allow these hosts to directly communicate with their hostnames 
   networking.extraHosts = ''
-    10.100.0.1 osaka-linode-01-wg
     10.100.0.2 framework-server-wg
     10.100.0.4 frankfurt-linode-01-wg
   '';
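Review bot: `10.100.0.2 framework-server-wg` stays in this hosts list while the same commit maps 10.100.0.2 to `warsaw-ovh-01-wg` in frankfurt-linode-01/wireguard.nix (warsaw-ovh-01's own extraHosts already does), and the next hunk of this file keeps `ips = [ "10.100.0.2/24" ];` for the interface. The collision is latent only because that hunk flips `enable = false;`; re-enabling this tunnel later would put two peers on one address and silently split traffic. Either re-address this interface now or record the constraint inline, e.g. `enable = false; # 10.100.0.2 is now warsaw-ovh-01-wg; re-address before re-enabling`, and drop or correct the stale hosts entry here.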
@@ -21,27 +20,20 @@
 
   # Wireguard Forwarder
   networking.wireguard = {
-    enable = true;
+    enable = false;
     interfaces = {
       "wireguard0" = {
         ips = [ "10.100.0.2/24" ];
         listenPort = 51820;
         privateKeyFile = "/run/secrets/wireguard_key";
-        peers =  [
-          { # osaka-linode-01
-            publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
+        peers = [
+          { # frankfurt-linode-01
+            publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
             presharedKeyFile = "/run/secrets/preshared_key";
             persistentKeepalive = 5;
-            allowedIPs = [ "10.100.0.1/32" ];
-            endpoint = "172.234.84.222:51820"; # osaka-linode-01
+            allowedIPs = [ "10.100.0.4/32" ];
+            endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
           }
-#          { # frankfurt-linode-01
-#            publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
-#            presharedKeyFile = "/run/secrets/preshared_key";
-#            persistentKeepalive = 5;
-#            allowedIPs = [ "10.100.0.4/32" ];
-#            endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
-#          }
         ];
       };
     };
diff --git a/nixos/hosts/framework13/hibernate.nix b/nixos/hosts/framework13/hibernate.nix
index 2875a022..ec5afb31 100644
--- a/nixos/hosts/framework13/hibernate.nix
+++ b/nixos/hosts/framework13/hibernate.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 
 let
   hibernateEnvironment = {
@@ -43,4 +43,4 @@ in {
     serviceConfig.Type = "simple";
   };
 
-}
\ No newline at end of file
+}
diff --git a/nixos/hosts/frankfurt-linode-01/wireguard.nix b/nixos/hosts/frankfurt-linode-01/wireguard.nix
index 0b7b8a24..e2927f47 100644
--- a/nixos/hosts/frankfurt-linode-01/wireguard.nix
+++ b/nixos/hosts/frankfurt-linode-01/wireguard.nix
@@ -2,8 +2,8 @@
 
   # Allow these hosts to directly communicate with their hostnames 
   networking.extraHosts = ''
-    10.100.0.1 osaka-linode-01-wg
     10.100.0.3 backups-rpi4-wg
+    10.100.0.2 warsaw-ovh-01-wg
     10.100.0.4 frankfurt-linode-01-wg
   '';
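Review bot: The new `10.100.0.2 warsaw-ovh-01-wg` line is inserted between the .3 and .4 entries; the other hosts files in this commit keep these lists in address order, so placing it above `10.100.0.3 backups-rpi4-wg` keeps the files uniform. A hosts entry alone does not make the address reachable; whether frankfurt-linode-01's peer list (outside this hunk) carries a peer with `allowedIPs = [ "10.100.0.2/32" ];` for warsaw-ovh-01 cannot be seen here and is worth confirming, since the deleted osaka hub previously routed 10.100.0.0/24.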
 
diff --git a/nixos/hosts/milan-linode-01/default.nix b/nixos/hosts/milan-linode-01/default.nix
index fd4f1dea..a020c60f 100644
--- a/nixos/hosts/milan-linode-01/default.nix
+++ b/nixos/hosts/milan-linode-01/default.nix
@@ -2,8 +2,8 @@
   imports = [ 
     (modulesPath + "/profiles/qemu-guest.nix")
     ../../common/services/tailscale-autoconnect.nix
-    ./firewall.nix
     ../../common/services/docker.nix
+    ./firewall.nix
     (import ../../common/containers/derp.nix { domainName = "milan.sysctl.io"; })
   ];
 
diff --git a/nixos/hosts/osaka-linode-01/default.nix b/nixos/hosts/osaka-linode-01/default.nix
index 17dec1ad..ec52770b 100644
--- a/nixos/hosts/osaka-linode-01/default.nix
+++ b/nixos/hosts/osaka-linode-01/default.nix
@@ -4,8 +4,6 @@
     (import ../../common/containers/derp.nix { domainName = "osaka.sysctl.io"; })
     ../../common/services/tailscale-autoconnect.nix
     ../../common/services/docker.nix
-    ./firewall.nix
-    ./wireguard.nix
   ];
 
   boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
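Review bot: `./firewall.nix` is removed from osaka-linode-01's imports here, yet the same commit creates nixos/hosts/osaka-linode-01/firewall.nix (next file section) listing the DERP ports 1443/tcp and 3478/udp; with the import gone that file is never evaluated and those ports stay closed unless the derp.nix container module opens them itself, which is not visible here. Dropping `./wireguard.nix` matches that file's deletion, but the firewall line appears to belong in the new list: `./firewall.nix`. If the new file is meant to replace the wireguard-era rules (51820/udp and the wireguard0 ssh allowance from the deleted file), the import is the only thing that makes it take effect.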
diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix
new file mode 100644
index 00000000..6152094c
--- /dev/null
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        1443  # Headscale DERP (tcp)
+      ];
+      allowedUDPPorts = [
+        3478  # Headscale DERP (udp)
+      ];
+    };
+  };
+}
diff --git a/nixos/hosts/osaka-linode-01/wireguard.nix b/nixos/hosts/osaka-linode-01/wireguard.nix
deleted file mode 100644
index e88357b5..00000000
--- a/nixos/hosts/osaka-linode-01/wireguard.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ hostname, pkgs, ... }: {
-
-  # Allow these hosts to directly communicate with their hostnames 
-  networking.extraHosts = ''
-    10.100.0.1 osaka-linode-01-wg
-    10.100.0.3 backups-rpi4-wg
-    10.100.0.4 frankfurt-linode-01-wg
-  '';
-
-  networking.firewall.allowedUDPPorts = [ 51820 ];
-  networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
-
-  # Set up the secrets file:
-  sops.secrets."wireguard_key" = {
-    owner = "root";
-    sopsFile = ../../../secrets/hosts/${hostname}.yaml;
-  };
-
-  sops.secrets."preshared_key" = {
-    owner = "root";
-    sopsFile = ../../../secrets/wireguard.yaml;
-  };
-
-  # Wireguard Forwarder
-  boot.kernel.sysctl = { 
-    "net.ipv4.conf.all.forwarding" = 1;
-    "net.ipv4.conf.default.forwarding" = 1;
-  };
-  
-  networking.wireguard = {
-    enable = true;
-    interfaces = {
-      "wireguard0" = {
-        ips = [ 
-          "10.100.0.1/24" 
-          "10.100.1.1/24"
-        ];
-        listenPort = 51820;
-        privateKeyFile = "/run/secrets/wireguard_key";
-        postSetup    = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE'';
-        postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE'';
-        peers = [
-          { # framework-server / ovh-server
-            publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
-            presharedKeyFile = "/run/secrets/preshared_key";
-            allowedIPs = [ "10.100.0.2/32" ];
-            persistentKeepalive = 5;
-          }
-          { # backups-rpi4
-            publicKey = "cqocpMyY8Z0Jl0hoAdghn3dR3VhkkOYyeSwW6UKk9Fs=";
-            presharedKeyFile = "/run/secrets/preshared_key";
-            allowedIPs = [ "10.100.0.3/32" ];
-            persistentKeepalive = 5;
-          }
-          { # framewrk-server docker:wg-enshrouded
-            publicKey = "ucV6LgUwSbEyyxPlS83OayFPK6ysQKu6cVBV97S07mI=";
-            presharedKeyFile = "/run/secrets/preshared_key";
-            allowedIPs = [ "10.100.1.2/32" ];
-            persistentKeepalive = 5;
-          }
-          { # framewrk-server docker:wg-mailserver
-            publicKey = "5C1ft3LIGmyFwi00pyLeYjvJpqHLTQFNMRlXlva6uEI=";
-            presharedKeyFile = "/run/secrets/preshared_key";
-            allowedIPs = [ "10.100.1.3/32" ];
-            persistentKeepalive = 5;
-          }
-          { # framework-server docker:wg-vintage-story
-            publicKey = "ooDzRceUrh/Ie8pjkOEPZ3ge/GJrj/+lVzzdnybC0jY=";
-            presharedKeyFile = "/run/secrets/preshared_key";
-            allowedIPs = [ "10.100.1.5/32" ];
-            persistentKeepalive = 5;
-          }
-        ];
-      };
-    };
-  };
-}
diff --git a/nixos/hosts/warsaw-ovh-01/wireguard.nix b/nixos/hosts/warsaw-ovh-01/wireguard.nix
index 001c0c69..c42ac70f 100644
--- a/nixos/hosts/warsaw-ovh-01/wireguard.nix
+++ b/nixos/hosts/warsaw-ovh-01/wireguard.nix
@@ -2,7 +2,6 @@
 
   # Allow these hosts to directly communicate with their hostnames 
   networking.extraHosts = ''
-    10.100.0.1 osaka-linode-01-wg
     10.100.0.2 warsaw-ovh-01-wg
     10.100.0.4 frankfurt-linode-01-wg
   '';
@@ -28,13 +27,6 @@
         listenPort = 51820;
         privateKeyFile = "/run/secrets/wireguard_key";
         peers = [
-#          { # osaka-linode-01
-#            publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
-#            presharedKeyFile = "/run/secrets/preshared_key";
-#            persistentKeepalive = 5;
-#            allowedIPs = [ "10.100.0.1/32" ];
-#            endpoint = "172.234.84.222:51820"; # osaka-linode-01
-#          }
           { # frankfurt-linode-01
             publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
             presharedKeyFile = "/run/secrets/preshared_key";