CaZzzer/nix-conf
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: CaZzzer:home/refactor
Branches Tags
CaZzzer:master CaZzzer:updates CaZzzer:router/home-assistant CaZzzer:router/keepalived CaZzzer:router/module-1 CaZzzer:router/module CaZzzer:router/desktop CaZzzer:router/wireguard CaZzzer:home/refactor CaZzzer:feature/glance CaZzzer:feature/router-4 CaZzzer:feature/router-3 CaZzzer:feature/router-1 CaZzzer:feature/router CaZzzer:feature/router-2 CaZzzer:feature/home-manager CaZzzer:feature/ollama
..
compare: CaZzzer:router/wireguard
Branches Tags
CaZzzer:updates CaZzzer:master CaZzzer:router/home-assistant CaZzzer:router/keepalived CaZzzer:router/module-1 CaZzzer:router/module CaZzzer:router/desktop CaZzzer:router/wireguard CaZzzer:home/refactor CaZzzer:feature/glance CaZzzer:feature/router-4 CaZzzer:feature/router-3 CaZzzer:feature/router-1 CaZzzer:feature/router CaZzzer:feature/router-2 CaZzzer:feature/home-manager CaZzzer:feature/ollama

13 Commits
home/refac ... router/wir

Author SHA1 Message Date
Yuri Tatishchev
916bd8cf62 WIP: router: wireguard: finalize wg0 config for now 2025-06-03 19:46:38 -07:00
Yuri Tatishchev
e6a9ab8d29 WIP: router: wireguard: finalize wg0 config for now 2025-06-03 19:27:35 -07:00
Yuri Tatishchev
b39b5abb3e WIP: router: wireguard: finalize wg0 config for now 2025-06-03 19:18:35 -07:00
Yuri Tatishchev
fc4cd6e56f WIP: router: wireguard: move wg0 to vars.ifs, streamline some things 2025-06-02 00:29:17 -07:00
Yuri Tatishchev
fd1e7b4724 WIP: router: wireguard: change wg0 subnets to not conflict with opnsense 2025-06-01 20:44:56 -07:00
Yuri Tatishchev
378d3a53b3 WIP: router: wireguard: slighly more successful conversion of peers to attrset 2025-06-01 20:44:56 -07:00
Yuri Tatishchev
38ece9125b WIP: router: wireguard: someone forgot to add the network config for the wireguard interface 2025-06-01 20:44:55 -07:00
Yuri Tatishchev
1c0871f54e WIP: router: wireguard: attempt to convert wg0Peers from list to attrset (gone not well) 2025-06-01 20:44:54 -07:00
Yuri Tatishchev
4641775e54 router: firewall: add wireguard interface to lan zone (stupidity moment) 2025-06-01 20:44:54 -07:00
Yuri Tatishchev
3fb966c728 router: firewall: allow ssh, wireguard input globally 2025-06-01 20:44:53 -07:00
Yuri Tatishchev
67e1a6ef2f router: firewall: add entries for wireguard 2025-06-01 20:44:53 -07:00
Yuri Tatishchev
5e19bc16f5 router: wireguard: add wg0 interface with some peers for testing 2025-06-01 20:44:46 -07:00
Yuri Tatishchev
68d49ad45d refactor: support different pc/laptop configs 2025-06-01 19:09:26 -07:00
12 changed files with 121 additions and 11 deletions
Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -0,0 +1,5 @@
### Nix template
# Ignore build outputs from performing a nix-build or `nix build` command
result
result-*

1
hosts/common-desktop.nix
View File

@@ -114,6 +114,7 @@
ripgrep-all ripgrep-all
rustscan rustscan
whois whois
wireguard-tools
yt-dlp yt-dlp
] ++ [ ] ++ [
bitwarden-desktop bitwarden-desktop

2
hosts/router/default.nix
View File

@@ -8,6 +8,7 @@ in
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./ifconfig.nix ./ifconfig.nix
./wireguard.nix
./firewall.nix ./firewall.nix
./dns.nix ./dns.nix
./kea.nix ./kea.nix
@@ -77,6 +78,7 @@ in
transcrypt transcrypt
waypipe waypipe
whois whois
wireguard-tools
]; ];
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default

18
hosts/router/firewall.nix
View File

@@ -13,6 +13,7 @@ let
${ifs.lan30.name}, ${ifs.lan30.name},
${ifs.lan40.name}, ${ifs.lan40.name},
${ifs.lan50.name}, ${ifs.lan50.name},
${ifs.wg0.name},
} }
define OPNSENSE_NET6 = ${vars.extra.opnsense.net6} define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
define ZONE_LAN_EXTRA_NET6 = { define ZONE_LAN_EXTRA_NET6 = {
@@ -85,8 +86,10 @@ in
family = "inet"; family = "inet";
content = '' content = ''
${nftIdentifiers} ${nftIdentifiers}
define ALLOWED_TCP_PORTS = { ssh, https } define ALLOWED_TCP_PORTS = { ssh }
define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https } define ALLOWED_UDP_PORTS = { ${toString vars.ifs.wg0.listenPort} }
define ALLOWED_TCP_LAN_PORTS = { ssh, https }
define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https }
set port_forward_v6 { set port_forward_v6 {
type inet_proto . ipv6_addr . inet_service type inet_proto . ipv6_addr . inet_service
elements = { elements = {
@@ -133,6 +136,10 @@ in
# but apparently not. # but apparently not.
ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept
# Global input rules
tcp dport $ALLOWED_TCP_PORTS accept
udp dport $ALLOWED_UDP_PORTS accept
# WAN zone input rules # WAN zone input rules
iifname $ZONE_WAN_IFS jump zone_wan_input iifname $ZONE_WAN_IFS jump zone_wan_input
# LAN zone input rules # LAN zone input rules
@@ -157,8 +164,7 @@ in
} }
chain zone_wan_input { chain zone_wan_input {
# Allow SSH from WAN (if needed) # Allow specific stuff from WAN
tcp dport ssh accept
} }
chain zone_wan_forward { chain zone_wan_forward {
@@ -180,8 +186,8 @@ in
ip protocol icmp accept ip protocol icmp accept
# Allow specific services from LAN # Allow specific services from LAN
tcp dport $ALLOWED_TCP_PORTS accept tcp dport $ALLOWED_TCP_LAN_PORTS accept
udp dport $ALLOWED_UDP_PORTS accept udp dport $ALLOWED_UDP_LAN_PORTS accept
} }
chain zone_lan_forward { chain zone_lan_forward {

2
hosts/router/ifconfig.nix
View File

@@ -83,7 +83,7 @@ in
ia_pd 30/${ifs.lan30.net6} - ia_pd 30/${ifs.lan30.net6} -
ia_pd 40/${ifs.lan40.net6} - ia_pd 40/${ifs.lan40.net6} -
ia_pd 50/${ifs.lan50.net6} - ia_pd 50/${ifs.lan50.net6} -
# ia_pd 7 - ia_pd 100/${pdFromWan}9::/64 - # for vpn stuff
# ia_pd 8 - # ia_pd 8 -
# the leases can be assigned to the interfaces, # the leases can be assigned to the interfaces,

0
secrets/cf_api_key.age → hosts/router/secrets/cf-api-key.age
View File

BIN
hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age Normal file
View File

Binary file not shown.

5
hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age Normal file
View File

@@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 D2MY/A cRVo1AetNYKsb28kGpe6mVpoCyfNcRibeBYhJuXbbEY
k8XL4XEv4FM6sfU/TOFTg4vlKm61409No/TpCEjTnSk
--- mT9w1vnx2FrzWw+Zt1wV6UJ+mjHTizrUPVeaTisYQ74
=<3D>q-So<><6F>pn<70><6E><EFBFBD><EFBFBD><EFBFBD>I<EFBFBD><49><EFBFBD>Z֠i<D6A0>'<27><><EFBFBD>"%M<><06><>C&

5
hosts/router/secrets/wireguard/wg0-private-key.age Normal file
View File

@@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 D2MY/A Xg7XTl/qJqVqvXsHNKcoICq74DeOlquN1CEn1PwxlVY
FqmPdDgmuUrwZPLW56RhW8o1VXr5l2Xms6IVebpi7bA
--- nLT/bC55EvoXK6f7DYbMhD3I8Z122bxeGVw1PCds2IM
!<><7F><05>Dl<44><6C><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;<3B><>KXq8<71>4<EFBFBD><34><EFBFBD><EFBFBD>+b<><62>p_q4B<34><42>'8<>%<25>cI<63><49>D<EFBFBD>t<> <0C> <05>V~;v*<2A><>W<EFBFBD>-<2D>,[<5B><74>

2
hosts/router/services.nix
View File

@@ -52,7 +52,7 @@ in
}; };
}; };
secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age; secrix.system.secrets.cf-api-key.encrypted.file = ./secrets/cf-api-key.age;
systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path; systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
services.caddy = { services.caddy = {
enable = true; enable = true;

20
hosts/router/vars.nix
View File

@@ -5,8 +5,11 @@ let
name_, name_,
domain_, domain_,
p4_, # /24 p4_, # /24
p4Size_ ? 24,
p6_, # /64 p6_, # /64
p6Size_ ? 64,
ulaPrefix_, # /64 ulaPrefix_, # /64
ulaSize_ ? 64,
token? 1, token? 1,
ip6Token_? "::${toString token}", ip6Token_? "::${toString token}",
ulaToken_? "::${toString token}", ulaToken_? "::${toString token}",
@@ -14,18 +17,18 @@ let
name = name_; name = name_;
domain = domain_; domain = domain_;
p4 = p4_; p4 = p4_;
p4Size = 24; p4Size = p4Size_;
net4 = "${p4}.0/${toString p4Size}"; net4 = "${p4}.0/${toString p4Size}";
addr4 = "${p4}.${toString token}"; addr4 = "${p4}.${toString token}";
addr4Sized = "${addr4}/${toString p4Size}"; addr4Sized = "${addr4}/${toString p4Size}";
p6 = p6_; p6 = p6_;
p6Size = 64; p6Size = p6Size_;
net6 = "${p6}::/${toString p6Size}"; net6 = "${p6}::/${toString p6Size}";
ip6Token = ip6Token_; ip6Token = ip6Token_;
addr6 = "${p6}${ip6Token}"; addr6 = "${p6}${ip6Token}";
addr6Sized = "${addr6}/${toString p6Size}"; addr6Sized = "${addr6}/${toString p6Size}";
ulaPrefix = ulaPrefix_; ulaPrefix = ulaPrefix_;
ulaSize = 64; ulaSize = ulaSize_;
ulaNet = "${ulaPrefix}::/${toString ulaSize}"; ulaNet = "${ulaPrefix}::/${toString ulaSize}";
ulaToken = ulaToken_; ulaToken = ulaToken_;
ulaAddr = "${ulaPrefix}${ulaToken}"; ulaAddr = "${ulaPrefix}${ulaToken}";
@@ -97,6 +100,17 @@ rec {
p6_ = "${pdFromWan}a"; # ::/64 p6_ = "${pdFromWan}a"; # ::/64
ulaPrefix_ = "${ulaPrefix}:0050"; # ::/64 ulaPrefix_ = "${ulaPrefix}:0050"; # ::/64
}; };
wg0 = mkIfConfig {
name_ = "wg0";
domain_ = "wg0.${ldomain}";
p4_ = "10.18.16"; # .0/24
p6_ = "${pdFromWan}9:0:6"; # ::/96
p6Size_ = 96;
ulaPrefix_ = "${ulaPrefix}:0100:0:6"; # ::/96
ulaSize_ = 96;
} // {
listenPort = 51944;
};
}; };
extra = { extra = {

72
hosts/router/wireguard.nix Normal file
View File

@@ -0,0 +1,72 @@
{ config, lib, pkgs, ... }:
let
vars = import ./vars.nix;
wg0 = vars.ifs.wg0;
peerIps = ifObj: token: [
"${ifObj.p4}.${toString token}/32"
"${ifObj.p6}:${toString token}:0/112"
"${ifObj.ulaPrefix}:${toString token}:0/112"
];
mkWg0Peer = token: publicKey: {
allowedIPs = peerIps wg0 token;
inherit publicKey;
pskEnabled = true;
};
wg0Peers = {
"Yura-TPX13" = mkWg0Peer 100 "iFdsPYrpw7vsFYYJB4SOTa+wxxGVcmYp9CPxe0P9ewA=";
"Yura-Pixel7Pro" = mkWg0Peer 101 "GPdXxjvnhsyufd2QX/qsR02dinUtPnnxrE66oGt/KyA=";
};
peerSecretName = name: "wg0-peer-${name}-psk";
secrets = config.secrix.services.systemd-networkd.secrets;
in
{
secrix.services.systemd-networkd.secrets = let
pskPeers = lib.attrsets.filterAttrs (name: peer: peer.pskEnabled) wg0Peers;
mapPeer = name: peer: {
name = peerSecretName name;
value.encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;
};
peerSecrets = lib.attrsets.mapAttrs' mapPeer pskPeers;
allSecrets = {
wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
} // peerSecrets;
setSecretOwnership = name: value: value // {
decrypted.user = "systemd-network";
decrypted.group = "systemd-network";
};
in lib.attrsets.mapAttrs setSecretOwnership allSecrets;
systemd.network.netdevs = {
"10-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = wg0.name;
};
wireguardConfig = {
PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
ListenPort = wg0.listenPort;
};
wireguardPeers = map (peer: {
AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs;
PublicKey = peer.value.publicKey;
PresharedKeyFile = if peer.value.pskEnabled then secrets."${peerSecretName peer.name}".decrypted.path else null;
}) (lib.attrsToList wg0Peers);
};
};
systemd.network.networks = {
"10-wg0" = {
matchConfig.Name = "wg0";
networkConfig = {
IPv4Forwarding = true;
IPv6SendRA = false;
Address = [ wg0.addr4Sized wg0.addr6Sized wg0.ulaAddrSized ];
};
};
};
}