hosts/VEGAS: replace OpenVPN with WireGuard

Max Headroom 2022-04-28 23:47:23 +02:00
parent fd7ae38e66
commit 3268921a92
5 changed files with 47 additions and 75 deletions


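--- a/<path not shown on page>
+++ /dev/null
@@ -1,73 +0,0 @@
-{ config, hosts, lib, pkgs, tools, ... }:
-let
-inherit (hosts.${config.networking.hostName}) interfaces;
-inherit (interfaces) vstub;
-inherit (config.networking) hostName;
-sharedConfig = pkgs.writeText "openvpn-shared.conf" ''
-port 51194
-float
-mssfix 1340
-topology subnet
-client-to-client
-persist-key
-persist-tun
-# vpn supernet
-push "route 10.100.0.0 255.255.0.0"
-# internal services supernet
-push "route 10.10.0.0 255.255.0.0"
-# host machine virtual stub
-push "route ${vstub.addr} 255.255.255.255"
-# dns config
-push "dhcp-option DOMAIN vpn.${tools.meta.domain}"
-push "dhcp-option DNS ${vstub.addr}"
-ca ${../../../../data/vpn-ca-bundle.crt}
-cert ${../../../../data + "/vpn-host-${hostName}.crt"}
-key ${config.age.secrets.vpn-host-key.path}
-dh ${config.security.dhparams.params.vpn.path}
-'';
-in
-{
-age.secrets.vpn-host-key = {
-file = ../../../../secrets + "/vpn-host-key-${hostName}.age";
-mode = "0400";
-};
-security.dhparams.params.vpn.bits = 4096;
-networking.firewall = {
-allowedTCPPorts = [ 51194 ];
-allowedUDPPorts = [ 51194 ];
-};
-networking.nat.internalInterfaces = [
-"tun-storm"
-"tun-cyclone"
-];
-services.openvpn.servers = {
-storm = {
-autoStart = true;
-config = ''
-proto udp4
-dev tun-storm
-server 10.100.0.0 255.255.255.0
-config ${sharedConfig}
-'';
-};
-cyclone = {
-autoStart = true;
-config = ''
-proto tcp4
-dev tun-cyclone
-server 10.100.1.0 255.255.255.0
-config ${sharedConfig}
-'';
-};
-};
-systemd.services = lib.genAttrs (map (x: "openvpn-${x}") (builtins.attrNames config.services.openvpn.servers)) (_: {
-wants = [ "dhparams-gen-vpn.service" ];
-after = [ "dhparams-gen-vpn.service" ];
-});
-}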


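--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,45 @@
+{ config, hosts, ... }:
+let
+inherit (config.networking) hostName;
+vpnNet = "10.100.0.0/24";
+in
+{
+age.secrets.wireguard-key-storm = {
+file = ../../../../secrets + "/wireguard-key-storm-${hostName}.age";
+mode = "0400";
+};
+networking = {
+firewall = {
+allowedUDPPorts = [ 51194 ];
+};
+nat.internalIPs = [
+vpnNet
+];
+wireguard = {
+enable = true;
+interfaces.wgstorm = {
+ips = [ "10.100.0.1/24" ];
+listenPort = 51194;
+privateKeyFile = config.age.secrets.wireguard-key-storm.path;
+peers = [
+{
+publicKey = "1JzRMYmCDT9wqPT81u7VRF0KntThTGOsnSmYd0jovhQ=";
+allowedIPs = [ "10.100.0.4/32" ];
+}
+{
+publicKey = "7Bx5Agg2fHio2G3+ksI3osWkXBg5nP1bi06LjPafYG8=";
+allowedIPs = [ "10.100.0.13/32" ];
+}
+{
+publicKey = "GMVlOpvtIAmopM8W2bC6CzaK41/p3qLgq+/IgAjT8HY=";
+allowedIPs = [ "10.100.0.7/32" ];
+}
+];
+};
+};
+};
+}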
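Review bot: The three entries in the `peers` list are bare public keys with nothing recording which device or person each one belongs to, which makes revoking the right peer later error-prone; a one-line comment per entry such as `# <owner/device> — TODO fill in` (or building the list from a named attrset) would document that. `vpnNet` and the `ips` entry both spell out the 10.100.0.0/24 prefix; deriving one from the other keeps them from drifting when the subnet changes. The removed OpenVPN module pushed routes for the 10.100.0.0/16 and 10.10.0.0/16 supernets plus a DNS server to clients, and WireGuard has no push equivalent, so those settings presumably now live in each peer's own config — a short comment saying where would help the next reader. The `hosts` module argument on the first line is bound but not used anywhere in this file and can be dropped from the pattern.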


@ -34,13 +34,13 @@
./services/nix/binary-cache.nix ./services/nix/binary-cache.nix
./services/nix/nar-serve.nix ./services/nix/nar-serve.nix
./services/object-storage ./services/object-storage
./services/openvpn
./services/sips ./services/sips
./services/sso ./services/sso
./services/uptime-kuma ./services/uptime-kuma
./services/vault ./services/vault
./services/warehouse ./services/warehouse
./services/websites ./services/websites
./services/wireguard-server
aspect.modules.hercules-ci-agent aspect.modules.hercules-ci-agent
aspect.modules.hyprspace aspect.modules.hyprspace
] ]


@ -39,6 +39,6 @@ in with hosts;
"synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "wireguard-key-storm-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
} }

Binary file not shown.