router: firewall: allow ssh, wireguard input globally

hosts/router/default.nix

@@ -8,6 +8,7 @@ in
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ./ifconfig.nix
+      ./wireguard.nix
       ./firewall.nix
       ./dns.nix
       ./kea.nix

hosts/router/firewall.nix

@@ -85,8 +85,10 @@ in
     family = "inet";
     content = ''
       ${nftIdentifiers}
-      define ALLOWED_TCP_PORTS = { ssh, https }
-      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https }
+      define ALLOWED_TCP_PORTS = { ssh }
+      define ALLOWED_UDP_PORTS = { 18596 }
+      define ALLOWED_TCP_LAN_PORTS = { ssh, https }
+      define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https }
       set port_forward_v6 {
           type inet_proto . ipv6_addr . inet_service
           elements = {
@@ -133,6 +135,10 @@ in
           # but apparently not.
           ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept
 
+          # Global input rules
+          tcp dport $ALLOWED_TCP_PORTS accept
+          udp dport $ALLOWED_UDP_PORTS accept
+
           # WAN zone input rules
           iifname $ZONE_WAN_IFS jump zone_wan_input
           # LAN zone input rules
@@ -157,8 +163,7 @@ in
       }
 
       chain zone_wan_input {
-          # Allow SSH from WAN (if needed)
-          tcp dport ssh accept
+          # Allow specific stuff from WAN
       }
 
       chain zone_wan_forward {
@@ -180,8 +185,8 @@ in
           ip protocol icmp accept
 
           # Allow specific services from LAN
-          tcp dport $ALLOWED_TCP_PORTS accept
-          udp dport $ALLOWED_UDP_PORTS accept
+          tcp dport $ALLOWED_TCP_LAN_PORTS accept
+          udp dport $ALLOWED_UDP_LAN_PORTS accept
       }
 
       chain zone_lan_forward {

hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A YAk0egMScFdPo0uAZzITtgQyPAifDcVUfb957Zhz9Ec
+pAEM+7sbPE8rHBhRV7mTmH1w4mbfKFopMWbwu/3KHCw
+--- ykshsqEqKvCCE2kWIPAJPA/DFW7mu6+0x4MQhHgi1yU
+'ÈzÆ€{gÈid\{çEâ•Ätp¢U×g2QC3gßÈJGªV1Ð6·WG_E&»vŽó)°&òüñÞ‘N"§ƒ¯n©_TÍ’¸

hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A P88M0uj4ZphVo3WrRYDu+c7B0Dl7ncctbYkByYmU2wg
+DV3Gn6TQ6iByAlNt0gg8kSZ2r0Gie/wcznZx9M+CC2g
+--- KhwGM50BVql02Jq0do2uhXMfgWPPDfbodzDRmZ9n0O4
+r<EFBFBD>¸›Ô¶aõyY/C¡£JæB®Xº!ñ"F
+¿h‹­Ò(ñL>Œ()Üó»û<C2BB>òS;·}}2ОO.¯óhoqYðK"cˆEÛÕJM?-ËO

hosts/router/secrets/wireguard/wg0-private-key.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A tvRtTGWnaB0zxqZRba4/XpzwPa61RrnHCk4tT8OfnGQ
+IX85Q5VKxQTl+MnhzwiuTnNMVkR9QrYo/1njrbZeBnQ
+--- dmlPIL2T+RFhbO2iLDRa4BxxYSSUQdedV3TK83ooFdA
+萭E	7搸0`d鑆(o赪饱籗@
傐瓩渿p瓥樼豘羳袃T砬枉禪堺+*齖Q嵗[龘巷xё29瞚5錵

hosts/router/services.nix

@@ -52,7 +52,7 @@ in
     };
   };
 
-  secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age;
+  secrix.system.secrets.cf-api-key.encrypted.file = ./secrets/cf-api-key.age;
   systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
   services.caddy = {
     enable = true;

hosts/router/wireguard.nix

@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+let
+  vars = import ./vars.nix;
+
+  wg0Peers = [
+    {
+      name = "Yura-TPX13";
+      allowedIPs = [ "10.6.0.3/32" "${vars.extra.opnsense.p6}::6:3:0/112" ];
+      publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
+      pskEnabled = true;
+    }
+    {
+      name = "Yura-Pixel7Pro";
+      allowedIPs = [ "10.6.0.4/32" "${vars.extra.opnsense.p6}::6:4:0/112" ];
+      publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
+      pskEnabled = true;
+    }
+    {
+      name = "AsusS513";
+      allowedIPs = [ "10.6.0.100/32" ];
+      publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
+      pskEnabled = true;
+    }
+  ];
+in
+{
+  secrix.services.systemd-networkd.secrets = let
+    pskEnabledPeers = builtins.filter (peer: peer.pskEnabled) wg0Peers;
+    peerToSecretAttrs = peer: {
+      name = "wg0-peer-${peer.name}-psk";
+      value.encrypted.file = ./secrets/wireguard/wg0-peer-${peer.name}-psk.age;
+    };
+    peerSecretsList = map peerToSecretAttrs pskEnabledPeers;
+    peerSecrets = builtins.listToAttrs peerSecretsList;
+  in
+  {
+    wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
+  } // peerSecrets;
+
+  systemd.network.netdevs = {
+    "10-wg0" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg0";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = config.secrix.services.systemd-networkd.secrets.wg0-private-key.decrypted.path;
+        ListenPort = 18596;
+      };
+      wireguardPeers = map (peer: {
+        AllowedIPs = lib.strings.concatStringsSep "," peer.allowedIPs;
+        PublicKey = peer.publicKey;
+        PresharedKeyFile = if peer.pskEnabled then config.secrix.services.systemd-networkd.secrets."wg0-peer-${peer.name}-psk".decrypted.path else null;
+      }) wg0Peers;
+    };
+  };
+}