From d300b876f9b856d33cdd713191d4a3886bd3ffbe Mon Sep 17 00:00:00 2001
From: catvayor
Date: Wed, 2 Oct 2024 16:11:49 +0200
Subject: [PATCH] non-netbird wireguard for watcher-manah link
---
 domain-proxies.nix | 2 +-
 kat/default.nix | 9 +++-
 machines/kat-manah/default.nix | 51 ++++++++++++++++++++-
 machines/kat-watcher/default.nix | 78 ++++++++++++++++++++++++--------
 4 files changed, 119 insertions(+), 21 deletions(-)
diff --git a/domain-proxies.nix b/domain-proxies.nix
index 0849657..a2db690 100644
--- a/domain-proxies.nix
+++ b/domain-proxies.nix
@@ -4,7 +4,7 @@
 host = "kat-watcher";
 hypervisors."manah.katvayor.net" = {
 host = "kat-manah";
- ip = "100.102.49.84";
+ ip = "10.42.0.1";
 port-forward = [ 9000 9500 ];
 vms = {
 "degette.katvayor.net" = {
diff --git a/kat/default.nix b/kat/default.nix
index 348752a..6b3292c 100644
--- a/kat/default.nix
+++ b/kat/default.nix
@@ -11,6 +11,9 @@ with lib;
 ./root.nix
 ];
 options.kat = {
+ wireguardPubKey = mkOption {
+ type = types.str;
+ };
 path = mkOption {
 readOnly = true;
 type = types.path;
@@ -33,7 +36,11 @@ with lib;
 };
 };
 boot.tmp.useTmpfs = true;
- networking.nftables.enable = true;
+ networking = {
+ useNetworkd = true;
+ nftables.enable = true;
+ };
+ systemd.network.enable = true;
 nix = {
 nixPath = [
 "nixpkgs=${builtins.storePath pkgs.path}"
diff --git a/machines/kat-manah/default.nix b/machines/kat-manah/default.nix
index f7db8d6..2ac6d0e 100644
--- a/machines/kat-manah/default.nix
+++ b/machines/kat-manah/default.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 pkgs,
+ nodes,
 ...
 }:
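Review bot: The new `ip = "10.42.0.1";` duplicates the literal that machines/kat-manah/default.nix assigns to wg0 (`Address = "10.42.0.1/16"`), so the proxy target and the tunnel address can drift apart silently, and after this change every forward for manah.katvayor.net depends on the wg0 tunnel being up. If `nodes` is reachable from domain-proxies.nix (it is passed to both machine modules in this patch) the address could be derived from kat-manah's configuration the way the peer public keys are; otherwise at least tie the two with a comment, e.g. `ip = "10.42.0.1"; # kat-manah wg0 address, keep in sync with machines/kat-manah/default.nix`. The surrounding attribute set starts and ends outside the hunk.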
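Review bot: `kat.wireguardPubKey` is declared with only a type: it has no `description`, and because it has no `default` every node that imports kat/default.nix must now set it or evaluation fails, which the commit title does not suggest. If the option is meant to be mandatory for all nodes, say so; otherwise consider `type = types.nullOr types.str; default = null;`. Either way add `description = "Base64 WireGuard public key of this node's wg0 interface; peers reference it as nodes.<name>.config.kat.wireguardPubKey.";`. The `options.kat` set continues outside the hunk.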
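Review bot: The second kat/default.nix hunk switches every node that imports this module to systemd-networkd (`useNetworkd = true;`), a fleet-wide change that is wider than the watcher–manah link the subject describes and should be called out in the commit message or a comment. The added `systemd.network.enable = true;` line appears redundant: as far as I know the NixOS `networking.useNetworkd` implementation already enables systemd.network, and machines/kat-manah/default.nix sets `enable = true;` a third time in its own `systemd.network` block. One `useNetworkd = true;` plus a short comment on why networkd is required (the wg0 netdevs) would be clearer than three enables.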
@@ -16,6 +17,50 @@
 boot.supportedFilesystems = [ "bcachefs" ];
 boot.kernelPackages = pkgs.linuxPackages_latest;
+ kat.wireguardPubKey = "2rMQV5fyBhl7t/0j70iPOfEr/lAWQfLXQKMwtzaXxnM=";
+ systemd.network = {
+ enable = true;
+ networks = {
+ "50-wg0" = {
+ name = "wg0";
+ addresses = [
+ {
+ Address = "10.42.0.1/16";
+ AddPrefixRoute = false;
+ }
+ ];
+ routes = [
+ {
+ Destination = "10.42.0.0/16";
+ Source = "10.42.0.1";
+ }
+ ];
+ };
+ };
+ netdevs = {
+ "50-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/etc/wg/private.key";
+ };
+
+ wireguardPeers = [
+ {
+ Endpoint = "watcher.katvayor.net:1194";
+ AllowedIPs = [
+ "10.42.0.2/32"
+ ];
+ PersistentKeepalive = 20;
+ PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey;
+ }
+ ];
+ };
+ };
+ };
+
 time.timeZone = "Europe/Paris";
 i18n.defaultLocale = "en_US.UTF-8";
@@ -73,7 +118,11 @@
 };
 networking.firewall = {
- allowedTCPPorts = [ 9000 9500 53 ];
+ allowedTCPPorts = [
+ 9000
+ 9500
+ 53
+ ];
 allowedUDPPorts = [ 67 ];
 };
 system.stateVersion = "23.11";
diff --git a/machines/kat-watcher/default.nix b/machines/kat-watcher/default.nix
index 0112b52..8247948 100644
--- a/machines/kat-watcher/default.nix
+++ b/machines/kat-watcher/default.nix
@@ -2,9 +2,9 @@
 config,
 lib,
 pkgs,
+ nodes,
 ...
 }:
-
 {
 imports = [
 ./hardware-configuration.nix
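Review bot: `PrivateKeyFile = "/etc/wg/private.key";` points at a file that nothing in this patch provisions, and systemd-networkd reads it as the `systemd-network` user, so the file must exist before wg0 is configured and be readable by that user (the systemd.netdev(5) guidance is owner `root:systemd-network`, mode 0640) while staying unreadable to everyone else; the same applies to the identical setting in machines/kat-watcher/default.nix. A comment on this line naming how the key is deployed and with which ownership would save the next person a failed netdev at boot, e.g. `# provisioned out of band; must be root:systemd-network 0640 for networkd to read it`. Separately, the route for `10.42.0.0/16` sends the whole /16 into wg0 while `AllowedIPs` admits only the peer's /32, so packets to any other 10.42.x.x address are dropped by wg0's cryptokey routing — fine for a point-to-point link, but worth a comment if more peers are planned. The enclosing module body continues outside the hunk.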
@@ -27,24 +27,63 @@
 useNetworkd = true;
 useDHCP = false;
 };
+ kat.wireguardPubKey = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg=";
 systemd.network = {
 enable = true;
- networks."10-ens3" = {
- name = "ens3";
- address = [
- "51.83.69.54/32"
- "2001:41d0:305:2100::5c52/56"
- ];
- routes = [
- { Destination = "51.83.68.1/32"; }
- {
- Destination = "213.186.33.99/32";
- Gateway = "51.83.68.1";
- }
- { Gateway = "51.83.68.1"; }
- { Gateway = "2001:41d0:305:2100::1"; }
- ];
- dns = [ "213.186.33.99" ];
+ networks = {
+ "10-ens3" = {
+ name = "ens3";
+ address = [
+ "51.83.69.54/32"
+ "2001:41d0:305:2100::5c52/56"
+ ];
+ routes = [
+ { Destination = "51.83.68.1/32"; }
+ {
+ Destination = "213.186.33.99/32";
+ Gateway = "51.83.68.1";
+ }
+ { Gateway = "51.83.68.1"; }
+ { Gateway = "2001:41d0:305:2100::1"; }
+ ];
+ dns = [ "213.186.33.99" ];
+ };
+ "50-wg0" = {
+ name = "wg0";
+ addresses = [
+ {
+ Address = "10.42.0.2/16";
+ AddPrefixRoute = false;
+ }
+ ];
+ routes = [
+ {
+ Destination = "10.42.0.0/16";
+ Source = "10.42.0.2";
+ }
+ ];
+ };
+ };
+ netdevs = {
+ "50-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 1194;
+ PrivateKeyFile = "/etc/wg/private.key";
+ };
+
+ wireguardPeers = [
+ {
+ AllowedIPs = [
+ "10.42.0.1/32"
+ ];
+ PublicKey = nodes.kat-manah.config.kat.wireguardPubKey;
+ }
+ ];
+ };
 };
 };
@@ -89,7 +128,10 @@
 services.netbird.enable = true;
 networking = {
 nftables.enable = true;
- firewall.allowedTCPPorts = [ 22 ];
+ firewall = {
+ allowedTCPPorts = [ 22 ];
+ allowedUDPPorts = [ 1194 ];
+ };
 };
 system.stateVersion = "23.11";
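Review bot: Most of this hunk is the unchanged `"10-ens3"` network re-indented one level under a new `networks = { ... }` wrapper, which hides the only real change on the watcher side (the `"50-wg0"` network and netdev) inside a 16-line delete/re-add of the uplink config and makes it hard to confirm the public-interface routes and DNS were carried over byte-for-byte. Keeping `networks."10-ens3" = { ... };` as it was and adding `networks."50-wg0" = { ... };` next to it would leave the hunk as pure additions. The wg0 network block also duplicates the manah side almost line for line (only the address and `Source` differ); since `nodes` is now in scope, a small shared helper in kat/default.nix taking the local address could serve both machines.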
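Review bot: `allowedUDPPorts = [ 1194 ];` repeats the literal from `ListenPort = 1194;` in the `"50-wg0"` netdev earlier in this file, so changing one without the other silently breaks the tunnel; `config` is already a module argument here, so the firewall entry can be derived from the netdev: `allowedUDPPorts = [ config.systemd.network.netdevs."50-wg0".wireguardConfig.ListenPort ];`. A one-line comment noting that this is the wg0 listener would also help, since nothing in this hunk links the port to WireGuard.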