diff --git a/hosts/ni/default.nix b/hosts/ni/default.nix
index 7ff99f40..c67423ae 100644
--- a/hosts/ni/default.nix
+++ b/hosts/ni/default.nix
@@ -4,11 +4,14 @@ let network = import ../plover/modules/hardware/networks.nix; inherit (builtins) toString; inherit (network) - publicIP + interfaces wireguardPort wireguardPeers; - wireguardAllowedIPs = [ "0.0.0.0/0" "::/0" ]; + wireguardAllowedIPs = [ + "${interfaces.internal.IPv4}/16" + "${interfaces.internal.IPv6}/64" + ]; wireguardIFName = "wireguard0"; in {
@@ -240,20 +243,7 @@ in PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-plover; PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; - Endpoint = "${publicIP}:51820"; - }; - } - - # "Phone" peer. It is also expected to be anywhere on the global - # network so we're basically setting up our own peer as a traffic - # forwarder in case there's ever a reason to do connect from the phone - # to the server which is always available anyways. - { - wireguardPeerConfig = { - PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-phone; - PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path; - AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; - Endpoint = "${publicIP}:51820"; + Endpoint = "${interfaces.main'.IPv4}:51820"; }; } ];
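Review bot: `wireguardAllowedIPs` no longer contains the tunnel subnet, so the plover peer's cryptokey routing table holds only `172.24.0.0/16` and `fdee:b0de:5685:2::/64`, and a packet addressed to `wireguardPeers.server.IPv4` (where the route added in the `99-wireguard0` hunk later in this file sends it) matches no peer and is dropped by WireGuard. Adding `"${wireguardPeers.server.IPv4}/32"` and `"${wireguardPeers.server.IPv6}/128"` to the list restores reachability of the server itself. Conversely nothing in this file installs a kernel route for the internal LAN through `wireguard0`, so unless `RouteTable=` is set on the netdev outside this diff, traffic to `172.24.0.0/16` follows the default route instead of the tunnel; a `routes` entry for each internal prefix is needed next to the existing one. `"${interfaces.internal.IPv4}/16"` also expands to `172.24.0.1/16` with host bits set — networkd may tolerate that, but writing the network address avoids relying on it.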
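Review bot: `Endpoint = "${interfaces.main'.IPv4}:51820"` hard-codes the port even though `wireguardPort` is inherited from networks.nix in this file's `let` block (first hunk of this file); `Endpoint = "${interfaces.main'.IPv4}:${toString wireguardPort}";` keeps the two from drifting, and `toString` is already in scope. The deleted phone peer was the only visible user of `config.sops.secrets."ni/wireguard/preshared-keys/phone"`; if that secret is still declared elsewhere on this host it is now dead configuration and can be removed as well.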
@@ -262,13 +252,30 @@ in networks."99-${wireguardIFName}" = { matchConfig.Name = wireguardIFName; address = with wireguardPeers.desktop; [ - "${IPv4}/24" - "${IPv6}/64" + "${IPv4}/32" + "${IPv6}/128" ]; # Otherwise, it will autostart every bootup when I need it only at few # hours at a time. - linkConfig.Unmanaged = true; + linkConfig = { + ActivationPolicy = "manual"; + RequiredForOnline = false; + }; + + routes = [ + { + routeConfig = { + Gateway = wireguardPeers.server.IPv4; + Destination = let + ip = lib.strings.splitString "." wireguardPeers.server.IPv4; + properRange = lib.lists.take 3 ip ++ [ "0" ]; + ip' = lib.concatStringsSep "." properRange; + in "${ip'}/16"; + GatewayOnLink = true; + }; + } + ]; }; }; }
diff --git a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
index 3ea55ac3..537e053f 100644
--- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
+++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
@@ -6,14 +6,7 @@ let network = import ./networks.nix; inherit (builtins) toString; - inherit (network) - publicIP' publicIPv6 - publicIPv6PrefixLength - privateNetworkGatewayIP - privateIP' - privateIPv6 - privateIPv6PrefixLength - privateIPv6'; + inherit (network) privateIPv6Prefix interfaces; # This is just referring to the same interface just with alternative names. mainEthernetInterfaceNames = [ "ens3" "enp0s3" ];
@@ -69,12 +62,14 @@ in matchConfig.Name = lib.concatStringsSep " " mainEthernetInterfaceNames; # Setting the primary static IPs. - address = [ - publicIP' + address = with interfaces; [ + # The public IPs. + "${main'.IPv4}/32" + "${main'.IPv6}/128" - # The public IPv6 is assigned to a server so we'll to have to go with - # something else. - "${publicIPv6}2/${toString publicIPv6PrefixLength}" + # IPs in the LAN. + "${main.IPv4}/16" + "${main.IPv6}/64" ]; networkConfig = {
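Review bot: The route's `Destination` zeroes only the last octet (`lib.lists.take 3 ip ++ [ "0" ]`) but is tagged `/16`, so the expression is only correct while the server's third octet is already 0; `lib.lists.take 2 ip ++ [ "0" "0" ]` matches the prefix, and since the same derivation is duplicated in the wireguard.nix hunk of this diff, defining the subnet once in networks.nix (e.g. `wireguardSubnet = "${wireguardIPHostPart}.0/16"`) and importing it in both places removes the drift risk. Only an IPv4 route is added: with the address now `/32` and `/128`, `wireguardPeers.server.IPv6` has no route either, so an equivalent `/64` route via `wireguardPeers.server.IPv6` is needed for the IPv6 side of the tunnel. The enclosing `systemd.network.networks` attribute set starts before this hunk.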
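Review bot: `"${main.IPv6}/64"` assigns `fdee:b0de:5685:1::/64`, an address whose interface identifier is all zeros — the subnet-router anycast address of that /64 per RFC 4291 §2.6.1. Linux will configure it, but it is not a regular unicast address, and the removed comment shows the public IPv6 was previously offset to `::2` for a comparable reason; the same pattern reaches the `60-lan` hunk through `interfaces.internal.IPv6`. Since the values live in networks.nix the fix belongs there, e.g. `IPv6 = "${privateIPv6Prefix}:1::1";` for `main` and likewise for `internal`.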
@@ -84,11 +79,11 @@ in routes = [ { routeConfig.Gateway = "fe80::1"; } - { routeConfig.Destination = publicIP'; } + { routeConfig.Destination = "${interfaces.main'.IPv4}/32"; } { routeConfig = { - Gateway = publicIP'; + Gateway = "${interfaces.main'.IPv4}/32"; GatewayOnLink = true; }; }
@@ -97,10 +92,11 @@ in "60-lan" = { matchConfig.Name = "ens11"; - - address = [ privateIP' ]; + address = with interfaces.internal; [ + "${IPv4}/16" + "${IPv6}/64" + ]; networkConfig.DHCP = "yes"; - dhcpV6Config.PrefixDelegationHint = privateIPv6'; }; # This is to make use of the remaining ethernet interfaces as we can
@@ -111,7 +107,7 @@ in # Even if there's one, it would have the interface with subnets and a # guaranteed network interface for the internal services. - dhcpV6Config.PrefixDelegationHint = privateIPv6'; + dhcpV6Config.PrefixDelegationHint = "${privateIPv6Prefix}:43ff::/64"; }; }; };
diff --git a/hosts/plover/modules/hardware/networks.nix b/hosts/plover/modules/hardware/networks.nix
index f3886f31..503b8a36 100644
--- a/hosts/plover/modules/hardware/networks.nix
+++ b/hosts/plover/modules/hardware/networks.nix
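Review bot: `Gateway = "${interfaces.main'.IPv4}/32"` attaches a prefix length to a `Gateway=` value, which systemd-networkd parses as a bare address, so the entry is likely rejected with a parse error when the unit is loaded (the replaced `publicIP'` carried the same `/32` suffix, so the defect is inherited, but the rewrite keeps it). `Gateway = interfaces.main'.IPv4;` is the value the `Destination` route two lines above pairs with. Whether the kernel accepts a route whose gateway is the host's own address is worth confirming against the journal after the change, since `GatewayOnLink = true` is otherwise unnecessary for a local nexthop.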
@@ -5,46 +5,53 @@ let inherit (builtins) toString; in rec { - publicIP = "95.217.212.19"; - publicIPPrefixLength = 32; - publicIP' = "${publicIP}/${toString publicIPPrefixLength}"; + privateIPv6Prefix = "fdee:b0de:5685"; + interfaces = { + # This is the public-facing interface. Any interface name with a prime + # symbol means it's a public-facing interface. + main' = { + IPv4 = "95.217.212.19"; + IPv6 = "2a01:4f9:c011:a448::1"; + }; - publicIPv6 = "2a01:4f9:c011:a448::"; - publicIPv6PrefixLength = 64; - publicIPv6' = "${publicIPv6}/${toString publicIPv6PrefixLength}"; + # /16 block for IPv4, /64 for IPv6. + main = { + IPv4 = "172.25.0.1"; + IPv6 = "${privateIPv6Prefix}:1::"; + }; + + # /16 block for IPv4, /64 for IPv6. + internal = { + IPv4 = "172.24.0.1"; + IPv6 = "${privateIPv6Prefix}:2::"; + }; + + # /16 BLOCK for IPv4, /64 for IPv6. + wireguard0 = { + IPv4 = "10.210.0.1"; + IPv6 = "${privateIPv6Prefix}:12ae::"; + }; + }; # The private network for this host. - privateNetworkGatewayIP = "172.16.0.1/32"; preferredInternalTLD = "internal"; - privateIP = "172.23.0.2"; - privateIPPrefixLength = 16; - privateIP' = "${privateIPv6}/${toString privateIPv6PrefixLength}"; - - # The IPv6 subnet for this host. - privateIPv6 = "fdee:b0de:5685:a4b3::"; - privateIPv6PrefixLength = 64; - privateIPv6' = "${privateIPv6}/${toString privateIPv6PrefixLength}"; - # Wireguard-related things. wireguardPort = 51820; - wireguardIPHostPart = "172.23.152"; - wireguardIPHostCreate = interfacePart: "${wireguardIPHostPart}.${toString interfacePart}"; - wireguardIPv6Prefix = "fdee:b0de:54e6:ae74::"; - wireguardIPv6Create = interfacePart: "${wireguardIPv6Prefix}${toString interfacePart}"; + wireguardIPHostPart = "10.210.0"; + wireguardIPv6Prefix = interfaces.wireguard0.IPv6; + # These are all fixed IP addresses. They should be /32 IPv4 block and /128 + # IPv6 block. 
 wireguardPeers = { - server = { - IPv4 = wireguardIPHostCreate 1; - IPv6 = wireguardIPv6Create 1; - }; + server = with interfaces.wireguard0; { inherit IPv4 IPv6; }; desktop = { - IPv4 = wireguardIPHostCreate 2; - IPv6 = wireguardIPv6Create 2; + IPv4 = "${wireguardIPHostPart}.2"; + IPv6 = "${wireguardIPv6Prefix}:12ae::2"; }; phone = { - IPv4 = wireguardIPHostCreate 3; - IPv6 = wireguardIPv6Create 3; + IPv4 = "${wireguardIPHostPart}.3"; + IPv6 = "${wireguardIPv6Prefix}:12ae::3"; }; }; }
diff --git a/hosts/plover/modules/services/atuin.nix b/hosts/plover/modules/services/atuin.nix
index 092d75fb..3a2c3679 100644
--- a/hosts/plover/modules/services/atuin.nix
+++ b/hosts/plover/modules/services/atuin.nix
@@ -4,9 +4,10 @@ { config, lib, pkgs, ... }: let - inherit (import ../hardware/networks.nix) preferredInternalTLD privateIP'; + inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces; atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}"; + host = interfaces.internal.IPv4; in { # Atuin sync server because why not.
@@ -15,7 +16,7 @@ in openFirewall = true; openRegistration = false; - host = privateIP'; + inherit host; port = 8965; };
@@ -33,7 +34,7 @@ in # Putting it altogether in the reverse proxy of choice. services.nginx.virtualHosts."${atuinDomain}" = { locations."/" = { - proxyPass = "http://localhost:${toString config.services.atuin.port}"; + proxyPass = "http://${host}:${toString config.services.atuin.port}"; }; }; }
diff --git a/hosts/plover/modules/services/keycloak.nix b/hosts/plover/modules/services/keycloak.nix
index 3672a82f..c59789bf 100644
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@@ -2,7 +2,7 @@ { config, lib, pkgs, ... }: let - inherit (import ../hardware/networks.nix) privateIP'; + inherit (import ../hardware/networks.nix) interfaces; authDomain = "auth.${config.networking.domain}";
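Review bot: `wireguardIPv6Prefix = interfaces.wireguard0.IPv6` already expands to `fdee:b0de:5685:12ae::`, and the desktop and phone entries then append `:12ae::2` / `:12ae::3`, giving `fdee:b0de:5685:12ae:::12ae::2` — not a valid IPv6 literal (a triple colon and two `::`), so address configuration on both peers will fail once these values are consumed. Either `wireguardIPv6Prefix = privateIPv6Prefix;` with the existing `"${wireguardIPv6Prefix}:12ae::2"` form, or keep the current prefix and write `IPv6 = "${wireguardIPv6Prefix}2";` (and `3` for the phone). `wireguardIPHostPart = "10.210.0"` also restates the first three octets of `interfaces.wireguard0.IPv4` by hand, so the two can drift; deriving one from the other would tie them together. Minor: the `# /16 BLOCK for IPv4` comment differs only in capitalization from its two siblings.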
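Review bot: With `host` now the internal address `172.24.0.1` and `openFirewall = true` retained two lines above, the Atuin API listens in plain HTTP on port 8965 and is reachable from any host on the internal /16 (and from WireGuard peers once that network is routed through this host), bypassing the nginx virtual host; previously the proxy targeted `localhost`. If nginx is meant to be the only entry point, `openFirewall = false;` is enough because nginx runs on the same machine; if direct LAN access is wanted, `networking.firewall.interfaces.ens11.allowedTCPPorts = [ config.services.atuin.port ];` limits the opening to the LAN interface named in the hetzner-cloud-cx21.nix hunk instead of every interface, including the public one.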
@@ -11,6 +11,7 @@ let keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username; certs = config.security.acme.certs; + host = interfaces.internal.IPv4; in { # Hey, the hub for your application sign-in.
@@ -27,7 +28,7 @@ in }; settings = { - host = privateIP'; + inherit host; db-schema = keycloakDbName;
@@ -75,7 +76,7 @@ in # This is based from the reverse proxy guide from the official # documentation at https://www.keycloak.org/server/reverseproxy. locations = let - keycloakPath = path: "http://${privateIP'}:${toString config.services.keycloak.settings.http-port}"; + keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}"; in lib.listToAttrs (lib.lists.map
diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index a32b624e..d58c1e06 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@@ -5,14 +5,10 @@ let acmeName = "wireguard.${config.networking.domain}"; inherit (builtins) toString; - inherit (import ../hardware/networks.nix) - privateIP' privateIPv6' - wireguardPort wireguardPeers; + inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers; wireguardIFName = "wireguard0"; - wireguardAllowedIPs = [ privateIP' privateIPv6' ]; - desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ]; phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ]; in
@@ -39,7 +35,7 @@ in wireguardPeerConfig = { PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni; PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/ni".path; - AllowedIPs = lib.concatStringsSep "," (desktopPeerAddresses ++ wireguardAllowedIPs); + AllowedIPs = lib.concatStringsSep "," desktopPeerAddresses; }; }
@@ -48,7 +44,7 @@ in wireguardPeerConfig = { PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone; PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/phone".path; - AllowedIPs = lib.concatStringsSep "," (phonePeerAddresses ++ wireguardAllowedIPs); + AllowedIPs = lib.concatStringsSep "," phonePeerAddresses; }; } ];
@@ -56,9 +52,22 @@ in networks."99-${wireguardIFName}" = { matchConfig.Name = wireguardIFName; - address = with wireguardPeers.server; [ - "${IPv4}/24" - "${IPv6}/64" + address = with interfaces.wireguard0; [ + "${IPv4}/32" + "${IPv6}/128" + ]; + + routes = [ + { + routeConfig = { + Gateway = wireguardPeers.server.IPv4; + Destination = let + ip = lib.strings.splitString "." wireguardPeers.server.IPv4; + properRange = lib.lists.take 3 ip ++ [ "0" ]; + ip' = lib.concatStringsSep "." properRange; + in "${ip'}/16"; + }; + } ]; }; };
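Review bot: The route's `Gateway = wireguardPeers.server.IPv4` is this host's own address on `wireguard0` (`wireguardPeers.server` is `interfaces.wireguard0` in the networks.nix hunk), so the nexthop is local; on a layer-3 device like WireGuard the gateway carries no meaning and the entry is really an on-link route for the tunnel subnet. Writing it as one — drop `Gateway` and keep only `Destination = "${ip'}/16";` — states the intent and avoids depending on how the kernel treats a local gateway; the twin route in hosts/ni/default.nix sets `GatewayOnLink = true` while this one does not, so the two copies already diverge. Some such route is indeed required now, because with the address moved from `/24` to `/32` there is no longer a connected route covering the peers' `/32` addresses.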