Fix wireguard

2021-03-27 12:32:40 +03:00 · 2021-03-27 12:32:40 +03:00 · bd0e5a3f5c
commit bd0e5a3f5c
parent 481418fa2d
4 changed files with 111 additions and 20 deletions
--- a/machines/AMD-Workstation/default.nix
+++ b/machines/AMD-Workstation/default.nix
@ -22,25 +22,36 @@
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-  secrets.wireguard-serokell = { };
+  secrets.wireguard-wg0 = { };
-  networking.wireguard.interfaces.serokell = {
+  # networking.wireguard.interfaces.serokell = {
-    listenPort = 51820;
+  #   listenPort = 51820;
-    ips = [
+  #   ips = [
-      "172.20.0.52/32"
+  #     "172.20.0.52/32"
-      # "fd73:7272:ed50::52/128"
+  #     # "fd73:7272:ed50::52/128"
-    ];
+  #   ];
-    privateKeyFile = config.secrets.wireguard-serokell.decrypted;
+  #   privateKeyFile = config.secrets.wireguard-serokell.decrypted;
-    peers = [{
+  #   peers = [{
-      allowedIPs = [
+  #     allowedIPs = [
-        "0.0.0.0/0"
+  #       "0.0.0.0/0"
-        # "::/0"
+  #       # "::/0"
-      ];
+  #     ];
-      # endpoint = "serokell.net:35944";
+  #     # endpoint = "serokell.net:35944";
-      endpoint = "147.75.100.17:35944";
+  #     endpoint = "147.75.100.17:35944";
-      publicKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw=";
+  #     publicKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw=";
-      persistentKeepalive = 24;
+  #     persistentKeepalive = 24;
-    }];
+  #   }];
  # };
  services.ezwg = {
    enable = true;
    proxy = true;
    lanSize = 32;
    serverIP = "147.75.100.17";
    serverPort = 35944;
    serverKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw=";
    privateKeyFile = config.secrets.wireguard-wg0.decrypted;
    vlanIP = "172.20.0.52";
  };
  # restart when the service fails to resolve DNS
--- a/modules/default.nix
+++ b/modules/default.nix
@ -16,6 +16,7 @@ builtins.listToAttrs (builtins.map (path: {
  ./applications/yt-utilities.nix
  ./boot.nix
  ./devices.nix
  ./ezwg.nix
  ./hardware.nix
  ./network.nix
  ./nix.nix
@ -25,15 +26,15 @@ builtins.listToAttrs (builtins.map (path: {
  ./secrets.nix
  ./security.nix
  ./servers/gitea.nix
  ./servers/home-assistant.nix
  ./servers/jitsi.nix
  ./servers/mailserver.nix
  ./servers/mastodon.nix
  ./servers/matrix-synapse.nix
  ./servers/minidlna.nix
  ./servers/nextcloud.nix
  ./servers/nginx.nix
  ./servers/vsftpd.nix
  ./servers/home-assistant.nix
  ./servers/mastodon.nix
  ./services.nix
  ./themes.nix
  ./virtualisation.nix
--- a/modules/ezwg.nix
+++ b/modules/ezwg.nix
@ -0,0 +1,78 @@
 # Kudos to https://github.com/notgne2
 { config, lib, pkgs, ... }:
 with lib;
 let cfg = config.services.ezwg;
 in {
  options.services.ezwg = {
    enable = mkEnableOption "Enable simple Wireguard connection";
    proxy = mkOption {
      type = types.bool;
      default = true;
      description = "Route all your traffic through this connection";
    };
    lanSize = mkOption {
      type = types.int;
      default = 24;
      description = "Size of your VLAN (only relevant if proxy is false)";
    };
    serverIP = mkOption {
      type = types.str;
      description = "The IP of the wg server";
    };
    serverPort = mkOption {
      type = types.int;
      default = 51820;
      description = "The port of the wg server";
    };
    serverKey = mkOption {
      type = types.str;
      description = "The public key of the wg server";
    };
    privateKeyFile = mkOption {
      type = types.str;
      description = "Private wg key";
    };
    vlanIP = mkOption {
      type = types.str;
      description = "The IP to use on the wg VLAN";
    };
  };
  config = mkIf cfg.enable {
    networking.firewall.checkReversePath = false;
    networking.wireguard.interfaces.wg0 = let
      generateRangesScript =
        builtins.toFile "exclusionary-wildcard-ranges-generator.py" ''
          import ipaddress
          n1 = ipaddress.ip_network('0.0.0.0/0')
          n2 = ipaddress.ip_network('${cfg.serverIP}/32')
          print(':'.join(list(map(lambda x: str(x), list(n1.address_exclude(n2))))), end="")
        '';
      rangesOutput = pkgs.runCommandNoCC "exclusionary-wildcard-ranges" { } ''
        ${pkgs.python3}/bin/python3 ${generateRangesScript} > $out
      '';
      generateSubnetScript =
        builtins.toFile "subnet-without-host-bits-generator.py" ''
          import ipaddress
          n1 = ipaddress.ip_network('${cfg.vlanIP}/${
            toString cfg.lanSize
          }', False)
          print(n1, end="")
        '';
      subnetOutput = pkgs.runCommandNoCC "subnet-without-host-bits" { } ''
        ${pkgs.python3}/bin/python3 ${generateSubnetScript} > $out
      '';
      ranges = lib.splitString ":" (builtins.readFile "${rangesOutput}");
      subnet = builtins.readFile "${subnetOutput}";
    in {
      ips = [ "${cfg.vlanIP}/${toString cfg.lanSize}" ];
      privateKeyFile = cfg.privateKeyFile;
      peers = [{
        publicKey = cfg.serverKey;
        allowedIPs = if cfg.proxy then ranges else [ subnet ];
        endpoint = "${cfg.serverIP}:${toString cfg.serverPort}";
        persistentKeepalive = 25;
      }];
    };
  };
 }
--- a/profiles/desktop.nix
+++ b/profiles/desktop.nix
@ -3,6 +3,7 @@
    ./base.nix
    applications
    ezwg
    hardware
    power
    services