hosts/VEGAS: replace OpenVPN with WireGuard
This commit is contained in:
parent
fd7ae38e66
commit
3268921a92
5 changed files with 47 additions and 75 deletions
|
@ -1,73 +0,0 @@
|
||||||
{ config, hosts, lib, pkgs, tools, ... }:
|
|
||||||
let
|
|
||||||
inherit (hosts.${config.networking.hostName}) interfaces;
|
|
||||||
inherit (interfaces) vstub;
|
|
||||||
inherit (config.networking) hostName;
|
|
||||||
|
|
||||||
sharedConfig = pkgs.writeText "openvpn-shared.conf" ''
|
|
||||||
port 51194
|
|
||||||
float
|
|
||||||
mssfix 1340
|
|
||||||
|
|
||||||
topology subnet
|
|
||||||
client-to-client
|
|
||||||
persist-key
|
|
||||||
persist-tun
|
|
||||||
|
|
||||||
# vpn supernet
|
|
||||||
push "route 10.100.0.0 255.255.0.0"
|
|
||||||
# internal services supernet
|
|
||||||
push "route 10.10.0.0 255.255.0.0"
|
|
||||||
# host machine virtual stub
|
|
||||||
push "route ${vstub.addr} 255.255.255.255"
|
|
||||||
|
|
||||||
# dns config
|
|
||||||
push "dhcp-option DOMAIN vpn.${tools.meta.domain}"
|
|
||||||
push "dhcp-option DNS ${vstub.addr}"
|
|
||||||
|
|
||||||
ca ${../../../../data/vpn-ca-bundle.crt}
|
|
||||||
cert ${../../../../data + "/vpn-host-${hostName}.crt"}
|
|
||||||
key ${config.age.secrets.vpn-host-key.path}
|
|
||||||
dh ${config.security.dhparams.params.vpn.path}
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
{
|
|
||||||
age.secrets.vpn-host-key = {
|
|
||||||
file = ../../../../secrets + "/vpn-host-key-${hostName}.age";
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
security.dhparams.params.vpn.bits = 4096;
|
|
||||||
networking.firewall = {
|
|
||||||
allowedTCPPorts = [ 51194 ];
|
|
||||||
allowedUDPPorts = [ 51194 ];
|
|
||||||
};
|
|
||||||
networking.nat.internalInterfaces = [
|
|
||||||
"tun-storm"
|
|
||||||
"tun-cyclone"
|
|
||||||
];
|
|
||||||
|
|
||||||
services.openvpn.servers = {
|
|
||||||
storm = {
|
|
||||||
autoStart = true;
|
|
||||||
config = ''
|
|
||||||
proto udp4
|
|
||||||
dev tun-storm
|
|
||||||
server 10.100.0.0 255.255.255.0
|
|
||||||
config ${sharedConfig}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
cyclone = {
|
|
||||||
autoStart = true;
|
|
||||||
config = ''
|
|
||||||
proto tcp4
|
|
||||||
dev tun-cyclone
|
|
||||||
server 10.100.1.0 255.255.255.0
|
|
||||||
config ${sharedConfig}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
systemd.services = lib.genAttrs (map (x: "openvpn-${x}") (builtins.attrNames config.services.openvpn.servers)) (_: {
|
|
||||||
wants = [ "dhparams-gen-vpn.service" ];
|
|
||||||
after = [ "dhparams-gen-vpn.service" ];
|
|
||||||
});
|
|
||||||
}
|
|
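--- /dev/null
+++ b/hosts/VEGAS/services/wireguard-server/default.nix
@@ -0,0 +1,45 @@
+{ config, hosts, ... }:
+let
+inherit (config.networking) hostName;
+
+vpnNet = "10.100.0.0/24";
+in
+{
+age.secrets.wireguard-key-storm = {
+file = ../../../../secrets + "/wireguard-key-storm-${hostName}.age";
+mode = "0400";
+};
+
+networking = {
+firewall = {
+allowedUDPPorts = [ 51194 ];
+};
+
+nat.internalIPs = [
+vpnNet
+];
+
+wireguard = {
+enable = true;
+interfaces.wgstorm = {
+ips = [ "10.100.0.1/24" ];
+listenPort = 51194;
+privateKeyFile = config.age.secrets.wireguard-key-storm.path;
+peers = [
+{
+publicKey = "1JzRMYmCDT9wqPT81u7VRF0KntThTGOsnSmYd0jovhQ=";
+allowedIPs = [ "10.100.0.4/32" ];
+}
+{
+publicKey = "7Bx5Agg2fHio2G3+ksI3osWkXBg5nP1bi06LjPafYG8=";
+allowedIPs = [ "10.100.0.13/32" ];
+}
+{
+publicKey = "GMVlOpvtIAmopM8W2bC6CzaK41/p3qLgq+/IgAjT8HY=";
+allowedIPs = [ "10.100.0.7/32" ];
+}
+];
+};
+};
+};
+}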
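Review bot: The three entries in `peers` carry only a bare public key and a /32 address, with nothing recording which device or person each key belongs to, so a later revocation or an audit of who can reach 10.100.0.0/24 becomes guesswork; add a one-line comment above each entry such as `# <device/owner placeholder> — remove when the device is decommissioned`. The `hosts` binding in the module header `{ config, hosts, ... }:` is not referenced anywhere in the new file (the removed OpenVPN module used it for `interfaces.vstub`), so the header can shrink to `{ config, ... }:`. The removed OpenVPN config also pushed the `10.10.0.0/16` route and a DNS server to clients, and WireGuard has no push mechanism, so if peers still need that reachability it presumably has to live in each peer's own config now; a comment next to `vpnNet` stating that the server only routes/NATs the VPN subnet would stop the next reader from assuming otherwise. Since the secrets workflow already handles age files, a per-peer `presharedKeyFile` is a cheap extra layer worth considering, though not required for the change to be correct.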
@ -34,13 +34,13 @@
|
||||||
./services/nix/binary-cache.nix
|
./services/nix/binary-cache.nix
|
||||||
./services/nix/nar-serve.nix
|
./services/nix/nar-serve.nix
|
||||||
./services/object-storage
|
./services/object-storage
|
||||||
./services/openvpn
|
|
||||||
./services/sips
|
./services/sips
|
||||||
./services/sso
|
./services/sso
|
||||||
./services/uptime-kuma
|
./services/uptime-kuma
|
||||||
./services/vault
|
./services/vault
|
||||||
./services/warehouse
|
./services/warehouse
|
||||||
./services/websites
|
./services/websites
|
||||||
|
./services/wireguard-server
|
||||||
aspect.modules.hercules-ci-agent
|
aspect.modules.hercules-ci-agent
|
||||||
aspect.modules.hyprspace
|
aspect.modules.hyprspace
|
||||||
]
|
]
|
||||||
|
|
|
@ -39,6 +39,6 @@ in with hosts;
|
||||||
"synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"wireguard-key-storm-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
}
|
}
|
||||||
|
|
BIN
secrets/wireguard-key-storm-VEGAS.age
Normal file
BIN
secrets/wireguard-key-storm-VEGAS.age
Normal file
Binary file not shown.