
Disable legacy wireguard tunnel

Malte 2023-04-24 18:38:42 +02:00
parent 7721e1333a
commit 8c23908235
7 changed files with 93 additions and 105 deletions


@ -84,26 +84,12 @@ with lib; {
default = let
p = config.m-0.prefix;
hera-p = "${p}::3";
wg-p = "${p}::100";
v4-p = "10.0.0";
in {
hera = "${p}::1";
vpn = rec {
prefix = "fdc0:7";
hera = "${prefix}::1";
fluffy = "${prefix}::2";
apollo = "${prefix}::5";
zeus = "${prefix}::4";
pegasus = "${prefix}::6";
};
hera-wg-host = "${p}::100:0:1";
hera-v4 = "213.136.94.190";
hera-wg = "${wg-p}:1";
apollo-wg = "${wg-p}:2";
zeus-wg = "${wg-p}:3";
hera-intern = "${hera-p}:1";
chor-cloud = "${hera-p}:b";


@ -40,25 +40,25 @@ in {
hostName = "apollo";
domain = "m-0.eu";
networkmanager.enable = true;
wireguard.interfaces = {
m0wire = {
allowedIPsAsRoutes = false;
ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"];
privateKeyFile = config.age.secrets."wireguard/apollo-private".path;
peers = [
{
publicKey = wireguard.pub.hera;
allowedIPs = ["::/0"];
# endpoint =
# "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
presharedKeyFile = config.age.secrets."wireguard/psk".path;
persistentKeepalive = 25;
}
];
postSetup = ["${pkgs.iproute}/bin/ip route add ${prefix}::/96 dev m0wire"];
};
};
#wireguard.interfaces = {
# m0wire = {
# allowedIPsAsRoutes = false;
# ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"];
# privateKeyFile = config.age.secrets."wireguard/apollo-private".path;
# peers = [
# {
# publicKey = wireguard.pub.hera;
# allowedIPs = ["::/0"];
# # endpoint =
# # "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
# endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
# persistentKeepalive = 25;
# }
# ];
# postSetup = ["${pkgs.iproute}/bin/ip route add ${prefix}::/96 dev m0wire"];
# };
#};
};
services = {
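Review bot: The interface is only commented out (`#wireguard.interfaces = {` … `#};`), so the `age.secrets."wireguard/apollo-private"` and `"wireguard/psk"` declarations it referenced are presumably still declared elsewhere, and the decrypted key material keeps being provisioned to this host with nothing consuming it; when the tunnel is retired, drop those secret declarations and remove the keys from the secrets store in the same change. The same applies to `wireguard/hera-private` in the hera hunk and `wireguard/zeus-private` in the zeus hunk. Deleting the block outright would be preferable to a 19-line commented copy, since the configuration is recoverable from this commit; if a pointer is wanted, a one-line comment such as `# legacy wireguard tunnel removed; see git history for the old m0wire config` carries it. The enclosing attribute set starts before the hunk.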


@ -83,9 +83,16 @@ in {
hostName = "fluffy";
domain = "lo.m-0.eu";
firewall = {
allowedUDPPorts = [631];
allowedTCPPorts = [21 80 631];
allowedUDPPorts = [
631 # cups
];
allowedTCPPorts = [
21 # ftp for scanner
80 # http
631 # cups
];
allowedTCPPortRanges = [
# also ftp
{
from = 51000;
to = 51999;
@ -101,21 +108,21 @@ in {
];
useDHCP = true;
};
wireguard.interfaces = {
m0wire = {
ips = ["${hosts.vpn.fluffy}/64"];
privateKeyFile = "/disk/persist/wireguard-private-key";
peers = [
{
publicKey = wireguard.pub.hera;
allowedIPs = ["${hosts.vpn.prefix}::/64"];
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
presharedKeyFile = config.age.secrets."wireguard/psk".path;
persistentKeepalive = 25;
}
];
};
};
#wireguard.interfaces = {
# m0wire = {
# ips = ["${hosts.vpn.fluffy}/64"];
# privateKeyFile = "/disk/persist/wireguard-private-key";
# peers = [
# {
# publicKey = wireguard.pub.hera;
# allowedIPs = ["${hosts.vpn.prefix}::/64"];
# endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
# persistentKeepalive = 25;
# }
# ];
# };
#};
};
programs = {
ssh = {
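Review bot: In the second hunk the commented-out interface still names `privateKeyFile = "/disk/persist/wireguard-private-key"`, a key stored at a path this module does not manage, so disabling the config leaves that key file in place on the persistent volume. Remove the file (or record that it is intentionally kept) when the tunnel is retired, ideally with a note on the commented block such as `# key at /disk/persist/wireguard-private-key still needs manual cleanup`. As with the other hosts, a deleted block is easier to read than a commented copy; git history preserves it. The enclosing `networking` set starts before the hunk.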


@ -73,7 +73,7 @@ in {
};
};
postfix = {
networks = ["[::1]/128" "127.0.0.1/32" "[${config.m-0.prefix}::]/64" "[${hosts.vpn.prefix}::]/64" "10.0.0.0/24"];
networks = ["[::1]/128" "127.0.0.1/32" "[${config.m-0.prefix}::]/64" "10.0.0.0/24"];
transport = "email2matrix.maralorn.de smtp:[::1]:2525";
config = {
# Allow TLSv1 because we need to be able to receive mail from legacy servers.
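Review bot: `networks` keeps `10.0.0.0/24` while dropping the VPN ULA prefix; the hosts file in this commit defines `v4-p = "10.0.0"` next to the wireguard prefixes, so this range may also belong to the legacy tunnel. Postfix `networks` grants relay rights, so an entry for an address range that no longer exists is better removed than left to be inherited by whatever interface next carries 10.0.0.x addresses; if it is still in use by another network, a short comment naming that network, e.g. `"10.0.0.0/24" # <network that still uses this range>`, would document why it stays.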


@ -1,10 +1,9 @@
{
pkgs,
config,
lib,
...
}: let
wireguard = import ../../../common/wireguard.nix;
#wireguard = import ../../../common/wireguard.nix;
inherit (config.m-0) hosts;
in {
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
@ -24,10 +23,6 @@ in {
address = hosts.hera;
prefixLength = 128;
}
{
address = hosts.hera-wg-host;
prefixLength = 128;
}
];
};
defaultGateway = "213.136.94.1";
@ -59,36 +54,36 @@ in {
};
nameservers = ["213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53"];
firewall.allowedTCPPorts = [8666];
firewall.allowedUDPPorts = [wireguard.port];
wireguard.interfaces = {
m0wire = {
ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"];
privateKeyFile = config.age.secrets."wireguard/hera-private".path;
listenPort = wireguard.port;
peers = [
{
publicKey = wireguard.pub.zeus;
allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"];
presharedKeyFile = config.age.secrets."wireguard/psk".path;
}
{
publicKey = wireguard.pub.apollo;
allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"];
presharedKeyFile = config.age.secrets."wireguard/psk".path;
}
{
publicKey = wireguard.pub.fluffy;
allowedIPs = ["${hosts.vpn.fluffy}/128"];
presharedKeyFile = config.age.secrets."wireguard/psk".path;
}
{
publicKey = wireguard.pub.pegasus;
allowedIPs = ["${hosts.vpn.pegasus}/128"];
presharedKeyFile = config.age.secrets."wireguard/psk".path;
}
];
};
};
#firewall.allowedUDPPorts = [wireguard.port];
#wireguard.interfaces = {
# m0wire = {
# ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"];
# privateKeyFile = config.age.secrets."wireguard/hera-private".path;
# listenPort = wireguard.port;
# peers = [
# {
# publicKey = wireguard.pub.zeus;
# allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"];
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
# }
# {
# publicKey = wireguard.pub.apollo;
# allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"];
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
# }
# {
# publicKey = wireguard.pub.fluffy;
# allowedIPs = ["${hosts.vpn.fluffy}/128"];
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
# }
# {
# publicKey = wireguard.pub.pegasus;
# allowedIPs = ["${hosts.vpn.pegasus}/128"];
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
# }
# ];
# };
#};
};
services.ndppd = {
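Review bot: `firewall.allowedUDPPorts = [wireguard.port]` is closed together with the interface, but the `hera-wg-host` address dropped in the second hunk may still be proxied by the `services.ndppd` block that begins at the end of this hunk and is not shown; if ndppd still answers neighbor solicitations for the `${p}::100` range, hera keeps attracting traffic for a prefix it no longer routes. Verify the ndppd rules and remove any entry for that range as well. The third hunk's 30-line commented copy of the interface, together with the `#wireguard = import ...` line in the first hunk, duplicates what git history already preserves; deleting them keeps the file readable.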


@ -133,23 +133,23 @@ in {
firewall.allowedUDPPorts = [
34197 # factorio
];
wireguard.interfaces = {
m0wire = {
allowedIPsAsRoutes = false;
ips = ["${hosts.zeus-wg}/112" "${hosts.vpn.zeus}/64"];
privateKeyFile = config.age.secrets."wireguard/zeus-private".path;
peers = [
{
publicKey = wireguard.pub.hera;
allowedIPs = ["::/0"];
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
presharedKeyFile = config.age.secrets."wireguard/psk".path;
persistentKeepalive = 25;
}
];
postSetup = ["${pkgs.iproute}/bin/ip route add ${prefix}::/96 dev m0wire"];
};
};
#wireguard.interfaces = {
# m0wire = {
# allowedIPsAsRoutes = false;
# ips = ["${hosts.zeus-wg}/112" "${hosts.vpn.zeus}/64"];
# privateKeyFile = config.age.secrets."wireguard/zeus-private".path;
# peers = [
# {
# publicKey = wireguard.pub.hera;
# allowedIPs = ["::/0"];
# endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
# persistentKeepalive = 25;
# }
# ];
# postSetup = ["${pkgs.iproute}/bin/ip route add ${prefix}::/96 dev m0wire"];
# };
#};
};
services = {
snapper = {


@ -8,9 +8,9 @@
networking = {
firewall = {
extraInputRules = ''
meta iifname m0wire accept comment "wireguard vpn"
meta iifname tailscale0 accept comment "headscale vpn"
'';
# meta iifname m0wire accept comment "wireguard vpn"
checkReversePath = "loose";
allowedUDPPorts = [config.services.tailscale.port];
};
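Review bot: With the `m0wire` accept rule gone from `extraInputRules`, `checkReversePath = "loose"` is the remaining relaxation that presumably existed for the asymmetric wireguard routing (`allowedIPsAsRoutes = false` with `allowedIPs = ["::/0"]` in the peer hunks); if tailscale still requires it, say so, e.g. `checkReversePath = "loose"; # required for tailscale`, otherwise restore the default so that packets failing the reverse-path check are dropped again. The leftover `# meta iifname m0wire accept ...` line outside the `''` string is a dead comment that git history already keeps, so it can go.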