authorMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
committerMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
commit5828af9fc19e18dc85e49fcc1a251a7eb25d909c (patch)
treec70c3e52237c08d3fdcb2f1269c524c25e3feeb8 /modules/wireguard
init
Diffstat (limited to 'modules/wireguard')
-rw-r--r--modules/wireguard/default.nix67
-rw-r--r--modules/wireguard/options.nix71
-rw-r--r--modules/wireguard/roaming.nix64
3 files changed, 202 insertions, 0 deletions
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
new file mode 100644
index 0000000..c9fc063
--- /dev/null
+++ b/modules/wireguard/default.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, nodes, builtins, ... }:
+
+with lib; {
+ imports = [ ./options.nix ./roaming.nix ];
+
+ config = mkIf config.wireguard.enable (let
+ cfg = config.wireguard;
+
+ peers = let
+ attrPeers = mapAttrs (n: node:
+ let peer = node.config.wireguard;
+ in {
+ endpoint =
+ "${node.config.deployment.targetHost}:${toString peer.port}";
+ publicKey = peer.publicKey;
+ persistentKeepalive = 25;
+ allowedIPs = [
+ "${peer.v4.address}/32"
+ "${peer.v6.ula}::${peer.v6.address}/128"
+ "${peer.v6.gua}::${peer.v6.address}/128"
+ ] ++ peer.allowedIPs;
+ }) (filterAttrs (n: node: node.config.wireguard.enable) nodes);
+ peers = attrValues attrPeers;
+ in peers;
+ in {
+ secrets = mkIf config.wireguard.enable {
+ wireguard = {
+ source = ../../secrets
+ + ("/" + "${config.networking.hostName}.privkey");
+ dest = "/root/wireguard/privkey";
+ };
+ };
+
+ networking.wireguard.interfaces = mkIf config.wireguard.enable {
+ wg0 = with { ifname = "wg0"; }; {
+ ips = [
+ "${cfg.v4.address}/${toString cfg.v4.prefixLength}"
+ "${cfg.v6.ula}::${cfg.v6.address}/128"
+ "${cfg.v6.gua}::${cfg.v6.address}/128"
+ ];
+ listenPort = cfg.port;
+ postSetup = ''
+ ${pkgs.nftables}/bin/nft add table ${ifname}
+ ${pkgs.nftables}/bin/nft 'add chain ${ifname} prerouting { type nat hook prerouting priority 0 ; }'
+ ${pkgs.nftables}/bin/nft 'add chain ${ifname} postrouting { type nat hook postrouting priority 100 ; }'
+ ${pkgs.nftables}/bin/nft add rule ${ifname} postrouting ip saddr ${cfg.v4.network}/${
+ toString cfg.v4.prefixLength
+ } oif ${cfg.natInterface} masquerade
+
+ ${pkgs.iproute2}/bin/ip link set ${ifname} multicast on
+ '';
+ postShutdown = ''
+ ${pkgs.nftables}/bin/nft flush table ${ifname}
+ ${pkgs.nftables}/bin/nft delete table ${ifname}
+ '';
+ privateKeyFile = "/root/wireguard/privkey";
+ peers = peers;
+ };
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = lib.mkDefault true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.netfilter.nf_conntrack_tcp_be_liberal" = true;
+ };
+ });
+}
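Review bot: The forwarding sysctls (`net.ipv4.ip_forward`, `net.ipv6.conf.all.forwarding`) and the masquerade rule in `postSetup` are applied on every host that sets `wireguard.enable`, so each mesh node becomes an IPv4 NAT gateway and IPv6 forwarder for the whole `cfg.v4.network` out of `cfg.natInterface`, not only the intended exit node. Gating the NAT rules and the sysctl block behind a dedicated boolean option (a `gateway`-style flag would have to be added in options.nix) keeps non-gateway hosts from forwarding, and `lib.mkDefault` could then be applied to both forwarding sysctls consistently instead of only to `ip_forward`. Separately, `filterAttrs (n: node: node.config.wireguard.enable) nodes` does not exclude the node being evaluated, so every host's peer list carries an entry with its own public key; rather than relying on WireGuard ignoring such a peer, filter it out explicitly, e.g. `filterAttrs (n: node: node.config.wireguard.enable && node.config.networking.hostName != config.networking.hostName) nodes`.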
diff --git a/modules/wireguard/options.nix b/modules/wireguard/options.nix
new file mode 100644
index 0000000..903716e
--- /dev/null
+++ b/modules/wireguard/options.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, nodes, builtins, ... }:
+
+with lib; {
+ options = {
+ wireguard = {
+ enable = mkOption {
+ type = types.bool;
+ description = "Enable wireguard";
+ };
+ roaming = mkOption {
+ type = types.bool;
+ description = "Deploy roaming peers to this host";
+ default = false;
+ };
+ port = mkOption {
+ type = types.int;
+ description = "Port of the wireguard interface (51820)";
+ default = 51820;
+ };
+ publicKey = mkOption {
+ type = types.str;
+ description = "Public key of the wireguard interface";
+ };
+ natInterface = mkOption {
+ type = types.str;
+ description = "Interface to use for outgoing NAT connections";
+ default = "eth0";
+ };
+ v4 = {
+ address = mkOption {
+ type = types.str;
+ description = "IP of the wireguard interface (10.10.0.1)";
+ };
+ network = mkOption {
+ type = types.str;
+ description = "The Network CIDR of the wireguard network (10.10.0.0)";
+ };
+ prefixLength = mkOption {
+ type = types.int;
+ description = "Prefix Length of the wireguard interface IP (24)";
+ default = 24;
+ };
+ };
+ v6 = {
+ address = mkOption {
+ type = types.str;
+ description = "IP of the wireguard interface ()";
+ };
+ prefixLength = mkOption {
+ type = types.int;
+ description = "Prefix Length of the wireguard interface IP (24)";
+ default = 64;
+ };
+ ula = mkOption {
+ type = types.str;
+ description = "Unique Local Alloctation for IPv6 net";
+ };
+ gua = mkOption {
+ type = types.str;
+ description =
+ "Global Unique Allocation for IPv6 net, used as base for hosts";
+ };
+ };
+ allowedIPs = mkOption {
+ type = types.listOf types.str;
+ description = "Extra allowedIPs";
+ default = [ ];
+ };
+ };
+ };
+}
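Review bot: `wireguard.enable` has no default, so every node importing this module must set it explicitly or the reads of `config.wireguard.enable` in default.nix and roaming.nix fail at evaluation; `enable = mkEnableOption "wireguard";` gives the conventional `false` default. The `v6.prefixLength` description says `(24)` while its default is 64, and `port` could use `types.port` instead of `types.int` so out-of-range values are rejected at evaluation time. The `builtins` name in the argument pattern is a required module argument that the module system does not supply on its own; unless it is provided through specialArgs it should be dropped here and in default.nix.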
diff --git a/modules/wireguard/roaming.nix b/modules/wireguard/roaming.nix
new file mode 100644
index 0000000..a89ce5d
--- /dev/null
+++ b/modules/wireguard/roaming.nix
@@ -0,0 +1,64 @@
+{ config, pkgs, lib, ... }:
+
+{
+ config = lib.mkIf config.wireguard.enable {
+ networking.wireguard.interfaces.wg0.peers = lib.mkIf config.wireguard.roaming [
+ { # audron computer
+ publicKey = "okZQ5cMSu4+M3IKp1yIBuknmAKEzJLKe8tpVeY46phU=";
+ allowedIPs = [
+ "10.10.0.10/32"
+ "2a0f:9400:8020:beef::10/128"
+ "fd15:3d8c:d429:beef::10/128"
+ ];
+ }
+ { # audron homeassistant
+ publicKey = "afIZuhegBlyTmmzjikqtJ6lqYF2clfxtE4ZzQ9oijCg=";
+ allowedIPs = [
+ "10.10.0.14/32"
+ "2a0f:9400:8020:beef::14/128"
+ "fd15:3d8c:d429:beef::14/128"
+ ];
+ }
+ { # audron phone
+ publicKey = "LDzzGWlBmy9FQ/+bNAaLM2TmS8OR291uVTntwmb/gmM=";
+ allowedIPs = [
+ "10.10.0.15/32"
+ "2a0f:9400:8020:beef::15/128"
+ "fd15:3d8c:d429:beef::15/128"
+ ];
+ }
+ { # d3fus computer
+ publicKey = "CoMGgzL31yb0ozA17OuF0IDpkV2dnJ7j74itaQb0k1U=";
+ allowedIPs = [
+ "10.10.0.20/32"
+ "2a0f:9400:8020:beef::20/128"
+ "fd15:3d8c:d429:beef::20/128"
+ ];
+ }
+ { # d3fus streamer
+ publicKey = "byHXbaIVKARj3RBqyRuEUAsU5qeh/bmp/OLn6Y9qJV8=";
+ allowedIPs = [
+ "10.10.0.21/32"
+ "2a0f:9400:8020:beef::21/128"
+ "fd15:3d8c:d429:beef::21/128"
+ ];
+ }
+ { # d3fus phone
+ publicKey = "OEi+MTdy8oMWhkyC5NKHl6ztk92o4gYkgCTt5EMN5i4=";
+ allowedIPs = [
+ "10.10.0.22/32"
+ "2a0f:9400:8020:beef::22/128"
+ "fd15:3d8c:d429:beef::22/128"
+ ];
+ }
+ { # d3fus mac
+ publicKey = "dWWragU6AwsJeX6EhtybtT1VmjPdaSDKqmU/yxZQuxo=";
+ allowedIPs = [
+ "10.10.0.23/32"
+ "2a0f:9400:8020:beef::23/128"
+ "fd15:3d8c:d429:beef::23/128"
+ ];
+ }
+ ];
+ };
+}
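Review bot: The roaming peers' `allowedIPs` hard-code the `10.10.0.`, `2a0f:9400:8020:beef::` and `fd15:3d8c:d429:beef::` prefixes, whereas default.nix derives every address from `config.wireguard.v4`/`v6`, so changing those options leaves these entries pointing at the old network and silently breaks cryptokey routing for the roaming clients. Deriving them the same way, e.g. `"${cfg.v6.ula}::10/128"` with `cfg = config.wireguard` bound in a `let`, keeps one source of truth. Because `allowedIPs` is an authorization decision as well as a route, a short comment above the list stating that each public key is pinned to exactly one host address and that `roaming` is meant to be set on a single host would document the intent for the next maintainer.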