Fix wireguard

2021-03-27 12:32:40 +03:00 · 2021-03-27 12:32:40 +03:00 · bd0e5a3f5c
commit bd0e5a3f5c
parent 481418fa2d
4 changed files with 111 additions and 20 deletions
--- a/machines/AMD-Workstation/default.nix
+++ b/machines/AMD-Workstation/default.nix
@ -22,25 +22,36 @@
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];


-  secrets.wireguard-serokell = { };
+  secrets.wireguard-wg0 = { };

-  networking.wireguard.interfaces.serokell = {
-    listenPort = 51820;
-    ips = [
-      "172.20.0.52/32"
-      # "fd73:7272:ed50::52/128"
-    ];
-    privateKeyFile = config.secrets.wireguard-serokell.decrypted;
-    peers = [{
-      allowedIPs = [
-        "0.0.0.0/0"
-        # "::/0"
-      ];
-      # endpoint = "serokell.net:35944";
-      endpoint = "147.75.100.17:35944";
-      publicKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw=";
-      persistentKeepalive = 24;
-    }];
+  # networking.wireguard.interfaces.serokell = {
+  #   listenPort = 51820;
+  #   ips = [
+  #     "172.20.0.52/32"
+  #     # "fd73:7272:ed50::52/128"
+  #   ];
+  #   privateKeyFile = config.secrets.wireguard-serokell.decrypted;
+  #   peers = [{
+  #     allowedIPs = [
+  #       "0.0.0.0/0"
+  #       # "::/0"
+  #     ];
+  #     # endpoint = "serokell.net:35944";
+  #     endpoint = "147.75.100.17:35944";
+  #     publicKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw=";
+  #     persistentKeepalive = 24;
+  #   }];
+  # };
+
+  services.ezwg = {
+    enable = true;
+    proxy = true;
+    lanSize = 32;
+    serverIP = "147.75.100.17";
+    serverPort = 35944;
+    serverKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw=";
+    privateKeyFile = config.secrets.wireguard-wg0.decrypted;
+    vlanIP = "172.20.0.52";
  };

  # restart when the service fails to resolve DNS
--- a/modules/default.nix
+++ b/modules/default.nix
@ -16,6 +16,7 @@ builtins.listToAttrs (builtins.map (path: {
  ./applications/yt-utilities.nix
  ./boot.nix
  ./devices.nix
+  ./ezwg.nix
  ./hardware.nix
  ./network.nix
  ./nix.nix
@ -25,15 +26,15 @@ builtins.listToAttrs (builtins.map (path: {
  ./secrets.nix
  ./security.nix
  ./servers/gitea.nix
+  ./servers/home-assistant.nix
  ./servers/jitsi.nix
  ./servers/mailserver.nix
+  ./servers/mastodon.nix
  ./servers/matrix-synapse.nix
  ./servers/minidlna.nix
  ./servers/nextcloud.nix
  ./servers/nginx.nix
  ./servers/vsftpd.nix
-  ./servers/home-assistant.nix
-  ./servers/mastodon.nix
  ./services.nix
  ./themes.nix
  ./virtualisation.nix
--- a/modules/ezwg.nix
+++ b/modules/ezwg.nix
@ -0,0 +1,78 @@
+# Kudos to https://github.com/notgne2
+
+{ config, lib, pkgs, ... }:
+with lib;
+let cfg = config.services.ezwg;
+in {
+  options.services.ezwg = {
+    enable = mkEnableOption "Enable simple Wireguard connection";
+    proxy = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Route all your traffic through this connection";
+    };
+    lanSize = mkOption {
+      type = types.int;
+      default = 24;
+      description = "Size of your VLAN (only relevant if proxy is false)";
+    };
+    serverIP = mkOption {
+      type = types.str;
+      description = "The IP of the wg server";
+    };
+    serverPort = mkOption {
+      type = types.int;
+      default = 51820;
+      description = "The port of the wg server";
+    };
+    serverKey = mkOption {
+      type = types.str;
+      description = "The public key of the wg server";
+    };
+    privateKeyFile = mkOption {
+      type = types.str;
+      description = "Private wg key";
+    };
+    vlanIP = mkOption {
+      type = types.str;
+      description = "The IP to use on the wg VLAN";
+    };
+  };
+  config = mkIf cfg.enable {
+    networking.firewall.checkReversePath = false;
+    networking.wireguard.interfaces.wg0 = let
+      generateRangesScript =
+        builtins.toFile "exclusionary-wildcard-ranges-generator.py" ''
+          import ipaddress
+          n1 = ipaddress.ip_network('0.0.0.0/0')
+          n2 = ipaddress.ip_network('${cfg.serverIP}/32')
+          print(':'.join(list(map(lambda x: str(x), list(n1.address_exclude(n2))))), end="")
+        '';
+      rangesOutput = pkgs.runCommandNoCC "exclusionary-wildcard-ranges" { } ''
+        ${pkgs.python3}/bin/python3 ${generateRangesScript} > $out
+      '';
+      generateSubnetScript =
+        builtins.toFile "subnet-without-host-bits-generator.py" ''
+          import ipaddress
+          n1 = ipaddress.ip_network('${cfg.vlanIP}/${
+            toString cfg.lanSize
+          }', False)
+          print(n1, end="")
+        '';
+      subnetOutput = pkgs.runCommandNoCC "subnet-without-host-bits" { } ''
+        ${pkgs.python3}/bin/python3 ${generateSubnetScript} > $out
+      '';
+      ranges = lib.splitString ":" (builtins.readFile "${rangesOutput}");
+      subnet = builtins.readFile "${subnetOutput}";
+    in {
+      ips = [ "${cfg.vlanIP}/${toString cfg.lanSize}" ];
+      privateKeyFile = cfg.privateKeyFile;
+      peers = [{
+        publicKey = cfg.serverKey;
+        allowedIPs = if cfg.proxy then ranges else [ subnet ];
+        endpoint = "${cfg.serverIP}:${toString cfg.serverPort}";
+        persistentKeepalive = 25;
+      }];
+    };
+  };
+}
--- a/profiles/desktop.nix
+++ b/profiles/desktop.nix
@ -3,6 +3,7 @@
    ./base.nix

    applications
+    ezwg
    hardware
    power
    services