From 3268921a92caedf79162938ff4e30a184342d614 Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 28 Apr 2022 23:47:23 +0200
Subject: [PATCH] hosts/VEGAS: replace OpenVPN with WireGuard
---
hosts/VEGAS/services/openvpn/default.nix | 73 ------------------
.../services/wireguard-server/default.nix | 45 +++++++++++
hosts/VEGAS/system.nix | 2 +-
secrets/secrets.nix | 2 +-
secrets/wireguard-key-storm-VEGAS.age | Bin 0 -> 647 bytes
5 files changed, 47 insertions(+), 75 deletions(-)
delete mode 100644 hosts/VEGAS/services/openvpn/default.nix
create mode 100644 hosts/VEGAS/services/wireguard-server/default.nix
create mode 100644 secrets/wireguard-key-storm-VEGAS.age
diff --git a/hosts/VEGAS/services/openvpn/default.nix b/hosts/VEGAS/services/openvpn/default.nix
deleted file mode 100644
index 493878d..0000000
--- a/hosts/VEGAS/services/openvpn/default.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{ config, hosts, lib, pkgs, tools, ... }:
-let
- inherit (hosts.${config.networking.hostName}) interfaces;
- inherit (interfaces) vstub;
- inherit (config.networking) hostName;
-
- sharedConfig = pkgs.writeText "openvpn-shared.conf" ''
- port 51194
- float
- mssfix 1340
-
- topology subnet
- client-to-client
- persist-key
- persist-tun
-
- # vpn supernet
- push "route 10.100.0.0 255.255.0.0"
- # internal services supernet
- push "route 10.10.0.0 255.255.0.0"
- # host machine virtual stub
- push "route ${vstub.addr} 255.255.255.255"
-
- # dns config
- push "dhcp-option DOMAIN vpn.${tools.meta.domain}"
- push "dhcp-option DNS ${vstub.addr}"
-
- ca ${../../../../data/vpn-ca-bundle.crt}
- cert ${../../../../data + "/vpn-host-${hostName}.crt"}
- key ${config.age.secrets.vpn-host-key.path}
- dh ${config.security.dhparams.params.vpn.path}
- '';
-in
-{
- age.secrets.vpn-host-key = {
- file = ../../../../secrets + "/vpn-host-key-${hostName}.age";
- mode = "0400";
- };
- security.dhparams.params.vpn.bits = 4096;
- networking.firewall = {
- allowedTCPPorts = [ 51194 ];
- allowedUDPPorts = [ 51194 ];
- };
- networking.nat.internalInterfaces = [
- "tun-storm"
- "tun-cyclone"
- ];
-
- services.openvpn.servers = {
- storm = {
- autoStart = true;
- config = ''
- proto udp4
- dev tun-storm
- server 10.100.0.0 255.255.255.0
- config ${sharedConfig}
- '';
- };
- cyclone = {
- autoStart = true;
- config = ''
- proto tcp4
- dev tun-cyclone
- server 10.100.1.0 255.255.255.0
- config ${sharedConfig}
- '';
- };
- };
- systemd.services = lib.genAttrs (map (x: "openvpn-${x}") (builtins.attrNames config.services.openvpn.servers)) (_: {
- wants = [ "dhparams-gen-vpn.service" ];
- after = [ "dhparams-gen-vpn.service" ];
- });
-}
diff --git a/hosts/VEGAS/services/wireguard-server/default.nix b/hosts/VEGAS/services/wireguard-server/default.nix
new file mode 100644
index 0000000..accf48d
--- /dev/null
+++ b/hosts/VEGAS/services/wireguard-server/default.nix
@@ -0,0 +1,45 @@
+{ config, hosts, ... }:
+let
+ inherit (config.networking) hostName;
+
+ vpnNet = "10.100.0.0/24";
+in
+{
+ age.secrets.wireguard-key-storm = {
+ file = ../../../../secrets + "/wireguard-key-storm-${hostName}.age";
+ mode = "0400";
+ };
+
+ networking = {
+ firewall = {
+ allowedUDPPorts = [ 51194 ];
+ };
+
+ nat.internalIPs = [
+ vpnNet
+ ];
+
+ wireguard = {
+ enable = true;
+ interfaces.wgstorm = {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51194;
+ privateKeyFile = config.age.secrets.wireguard-key-storm.path;
+ peers = [
+ {
+ publicKey = "1JzRMYmCDT9wqPT81u7VRF0KntThTGOsnSmYd0jovhQ=";
+ allowedIPs = [ "10.100.0.4/32" ];
+ }
+ {
+ publicKey = "7Bx5Agg2fHio2G3+ksI3osWkXBg5nP1bi06LjPafYG8=";
+ allowedIPs = [ "10.100.0.13/32" ];
+ }
+ {
+ publicKey = "GMVlOpvtIAmopM8W2bC6CzaK41/p3qLgq+/IgAjT8HY=";
+ allowedIPs = [ "10.100.0.7/32" ];
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index 9f4456a..7b911a0 100644
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@@ -34,13 +34,13 @@
 ./services/nix/binary-cache.nix
 ./services/nix/nar-serve.nix
 ./services/object-storage
- ./services/openvpn
 ./services/sips
 ./services/sso
 ./services/uptime-kuma
 ./services/vault
 ./services/warehouse
 ./services/websites
+ ./services/wireguard-server
 aspect.modules.hercules-ci-agent
 aspect.modules.hyprspace
 ]
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a79e553..b7b8220 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -39,6 +39,6 @@ in with hosts;
 "synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "wireguard-key-storm-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 }
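Review bot: `nat.internalIPs = [ vpnNet ];` selects traffic to masquerade by source address regardless of the interface it arrived on, whereas the removed OpenVPN module scoped NAT to the tunnel devices through `internalInterfaces`; `nat.internalInterfaces = [ "wgstorm" ];` would keep the masquerade bound to the WireGuard interface so that a packet arriving on another interface with a 10.100.0.0/24 source is not rewritten. The three peers are listed by raw public key with nothing indicating which device each belongs to, which makes revoking or rotating a single key error-prone; a one-line comment such as `# <device-name-placeholder>` above each `publicKey` would make the mapping auditable. The removed `cyclone` TCP listener and the pushed routes and DNS options have no counterpart in this file, so clients presumably carry that configuration themselves now — a short header comment stating that would save the next reader from looking for it. The system.nix and secrets.nix hunks are straightforward renames.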
diff --git a/secrets/wireguard-key-storm-VEGAS.age b/secrets/wireguard-key-storm-VEGAS.age
new file mode 100644
index 0000000000000000000000000000000000000000..8aa209bfaf46ae9bccf33e48616abe6b491e6175
GIT binary patch
literal 647
zcmZ9_JCBoa003}f;vkcw=3->+P72U2AUpj1yDs|BD0X*l)zK8jH@A_g zTX^d#(`JI)ccwVrCwSZloLuPFhk0A08x>xx6m-M`%c$~}ti_5oBe*!oIJq~?bcBRW zYTnWt?o7hnVlW$*qAd;hy`;{Kaf59^Bbl0t0uvzFepe(n(^aKs`(ZkeS~QS#1i>&2 z)ib+rOGlFFjUzNiqoxAdjc5%GgS9AD=H^Vz8R-_`vI25?Qr^Du_R*VPy!^#Fc=^Zn zu08v9^l^Ck#)GTRD;GZfjo%+0o<)+kO0V0*{}3-3lkwgNvVEy_23g$Bpklxb2g( N?9zv=v$Gek{{hVY+#&z~ literal 0 HcmV?d00001