From a386f99554741cc956d35e52702c0da6b4ae3681 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Mon, 23 Jan 2023 17:46:32 +0800
Subject: [PATCH] hosts: simplify networking set and update Wireguard setup
Currently, the networking set is very messy. It is better to contain them into another attribute set and categorizing them by the interfaces that is supposed to contain them. I should've done this some time ago.
---
hosts/ni/default.nix | 45 +++++++------
.../modules/hardware/hetzner-cloud-cx21.nix | 34 +++++-----
hosts/plover/modules/hardware/networks.nix | 63 ++++++++++---------
hosts/plover/modules/services/atuin.nix | 7 ++-
hosts/plover/modules/services/keycloak.nix | 7 ++-
hosts/plover/modules/services/wireguard.nix | 29 ++++++---
6 files changed, 103 insertions(+), 82 deletions(-)
diff --git a/hosts/ni/default.nix b/hosts/ni/default.nix
index 7ff99f40..c67423ae 100644
--- a/hosts/ni/default.nix
+++ b/hosts/ni/default.nix
@@ -4,11 +4,14 @@ let
 network = import ../plover/modules/hardware/networks.nix;
 inherit (builtins) toString;
 inherit (network)
- publicIP
+ interfaces
 wireguardPort
 wireguardPeers;
- wireguardAllowedIPs = [ "0.0.0.0/0" "::/0" ];
+ wireguardAllowedIPs = [
+ "${interfaces.internal.IPv4}/16"
+ "${interfaces.internal.IPv6}/64"
+ ];
 wireguardIFName = "wireguard0";
 in
 {
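Review bot: `wireguardAllowedIPs` now lists only the internal LAN (`interfaces.internal`, 172.24.0.0/16 and its /64), but the route added in this file's last hunk sends `10.210.0.0/16` — the tunnel subnet derived from `wireguardPeers.server.IPv4` — into `wireguard0`; WireGuard's cryptokey routing discards outbound packets whose destination matches no peer's AllowedIPs, so traffic to the tunnel addresses, including the route's gateway 10.210.0.1, is dropped at the interface. Conversely nothing in this file routes 172.24.0.0/16 into the tunnel, unless a `RouteTable=` setting in the `[WireGuard]` section outside these hunks installs AllowedIPs routes. Adding the tunnel network to the list, `"${interfaces.wireguard0.IPv4}/16"` and `"${interfaces.wireguard0.IPv6}/64"`, makes the route and the allowed list agree. The entries also carry host bits (`172.24.0.1/16`), which WireGuard masks but which reads as a host address; writing the network address would be clearer.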
@@ -240,20 +243,7 @@ in
 PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-plover;
 PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path;
 AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
- Endpoint = "${publicIP}:51820";
- };
- }
-
- # "Phone" peer. It is also expected to be anywhere on the global
- # network so we're basically setting up our own peer as a traffic
- # forwarder in case there's ever a reason to do connect from the phone
- # to the server which is always available anyways.
- {
- wireguardPeerConfig = {
- PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-phone;
- PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path;
- AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
- Endpoint = "${publicIP}:51820";
+ Endpoint = "${interfaces.main'.IPv4}:51820";
 };
 }
 ];
@@ -262,13 +252,30 @@ in
 networks."99-${wireguardIFName}" = {
 matchConfig.Name = wireguardIFName;
 address = with wireguardPeers.desktop; [
- "${IPv4}/24"
- "${IPv6}/64"
+ "${IPv4}/32"
+ "${IPv6}/128"
 ];
 # Otherwise, it will autostart every bootup when I need it only at few
 # hours at a time.
- linkConfig.Unmanaged = true;
+ linkConfig = {
+ ActivationPolicy = "manual";
+ RequiredForOnline = false;
+ };
+
+ routes = [
+ {
+ routeConfig = {
+ Gateway = wireguardPeers.server.IPv4;
+ Destination = let
+ ip = lib.strings.splitString "." wireguardPeers.server.IPv4;
+ properRange = lib.lists.take 3 ip ++ [ "0" ];
+ ip' = lib.concatStringsSep "." properRange;
+ in "${ip'}/16";
+ GatewayOnLink = true;
+ };
+ }
+ ];
 };
 };
 }
diff --git a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
index 3ea55ac3..537e053f 100644
--- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
+++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
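Review bot: The new `Endpoint` line hard-codes `:51820` although `wireguardPort` is inherited from networks.nix in this file's first hunk; `Endpoint = "${interfaces.main'.IPv4}:${toString wireguardPort}";` keeps the port defined in one place. The peer entry this line belongs to starts before the hunk.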
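Review bot: The `Destination` derivation keeps three octets of `wireguardPeers.server.IPv4` and appends `0`, which produces a /24-style address (`10.210.0.0`) that only agrees with the `/16` suffix because the third octet happens to be 0; if the server address ever moves to something like 10.210.5.1 the route silently becomes `10.210.5.0/16`. Keeping two octets, `properRange = lib.lists.take 2 ip ++ [ "0" "0" ];`, or spelling the tunnel prefix once in networks.nix avoids that, and the same derivation is repeated in the `routes` hunk of hosts/plover/modules/services/wireguard.nix. The interface now carries a `/128` IPv6 address but the only route is IPv4, so `wireguardPeers.server.IPv6` has no route over the tunnel; a second entry with `routeConfig.Destination = "${interfaces.wireguard0.IPv6}/64";` is needed if IPv6 over the tunnel is intended.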
@@ -6,14 +6,7 @@
 let
 network = import ./networks.nix;
 inherit (builtins) toString;
- inherit (network)
- publicIP' publicIPv6
- publicIPv6PrefixLength
- privateNetworkGatewayIP
- privateIP'
- privateIPv6
- privateIPv6PrefixLength
- privateIPv6';
+ inherit (network) privateIPv6Prefix interfaces;
 # This is just referring to the same interface just with alternative names.
 mainEthernetInterfaceNames = [ "ens3" "enp0s3" ];
@@ -69,12 +62,14 @@ in
 matchConfig.Name = lib.concatStringsSep " " mainEthernetInterfaceNames;
 # Setting the primary static IPs.
- address = [
- publicIP'
+ address = with interfaces; [
+ # The public IPs.
+ "${main'.IPv4}/32"
+ "${main'.IPv6}/128"
- # The public IPv6 is assigned to a server so we'll to have to go with
- # something else.
- "${publicIPv6}2/${toString publicIPv6PrefixLength}"
+ # IPs in the LAN.
+ "${main.IPv4}/16"
+ "${main.IPv6}/64"
 ];
 networkConfig = {
@@ -84,11 +79,11 @@ in
 routes = [
 { routeConfig.Gateway = "fe80::1"; }
- { routeConfig.Destination = publicIP'; }
+ { routeConfig.Destination = "${interfaces.main'.IPv4}/32"; }
 {
 routeConfig = {
- Gateway = publicIP';
+ Gateway = "${interfaces.main'.IPv4}/32";
 GatewayOnLink = true;
 };
 }
@@ -97,10 +92,11 @@ in
 "60-lan" = {
 matchConfig.Name = "ens11";
-
- address = [ privateIP' ];
+ address = with interfaces.internal; [
+ "${IPv4}/16"
+ "${IPv6}/64"
+ ];
 networkConfig.DHCP = "yes";
- dhcpV6Config.PrefixDelegationHint = privateIPv6';
 };
 # This is to make use of the remaining ethernet interfaces as we can
@@ -111,7 +107,7 @@ in
 # Even if there's one, it would have the interface with subnets and a
 # guaranteed network interface for the internal services.
- dhcpV6Config.PrefixDelegationHint = privateIPv6';
+ dhcpV6Config.PrefixDelegationHint = "${privateIPv6Prefix}:43ff::/64";
 };
 };
 };
diff --git a/hosts/plover/modules/hardware/networks.nix b/hosts/plover/modules/hardware/networks.nix
index f3886f31..503b8a36 100644
--- a/hosts/plover/modules/hardware/networks.nix
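Review bot: `Gateway = "${interfaces.main'.IPv4}/32";` hands a prefix length to `Gateway=`, which in systemd-networkd takes a bare address; the route section is then dropped with an invalid-gateway parse error instead of being installed. The replaced `publicIP'` carried the same `/32`, so this is inherited rather than new, but the rewrite is the moment to fix it: `Gateway = interfaces.main'.IPv4;`. The gateway is also the host's own public address rather than an upstream router, which looks deliberate for the on-link pattern used here but deserves a comment saying so. The `Destination = ".../32"` line above it is fine, since `Destination=` accepts a prefix.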
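Review bot: The literal `43ff` subnet id in `"${privateIPv6Prefix}:43ff::/64"` appears nowhere else, with nothing relating it to the `:1::`, `:2::` and `:12ae::` subnets that networks.nix now defines under the same prefix, so a later edit to either file can collide without warning. A one-line comment on the new line, e.g. `# Subnet id 43ff of the ULA prefix; keep it distinct from the interface subnets in networks.nix`, or moving the value into `interfaces` next to them, keeps the allocation in one place. The enclosing network block starts before the hunk.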
+++ b/hosts/plover/modules/hardware/networks.nix 
@@ -5,46 +5,53 @@
 let
 inherit (builtins) toString;
 in rec {
- publicIP = "95.217.212.19";
- publicIPPrefixLength = 32;
- publicIP' = "${publicIP}/${toString publicIPPrefixLength}";
+ privateIPv6Prefix = "fdee:b0de:5685";
+ interfaces = {
+ # This is the public-facing interface. Any interface name with a prime
+ # symbol means it's a public-facing interface.
+ main' = {
+ IPv4 = "95.217.212.19";
+ IPv6 = "2a01:4f9:c011:a448::1";
+ };
- publicIPv6 = "2a01:4f9:c011:a448::";
- publicIPv6PrefixLength = 64;
- publicIPv6' = "${publicIPv6}/${toString publicIPv6PrefixLength}";
+ # /16 block for IPv4, /64 for IPv6.
+ main = {
+ IPv4 = "172.25.0.1";
+ IPv6 = "${privateIPv6Prefix}:1::";
+ };
+
+ # /16 block for IPv4, /64 for IPv6.
+ internal = {
+ IPv4 = "172.24.0.1";
+ IPv6 = "${privateIPv6Prefix}:2::";
+ };
+
+ # /16 BLOCK for IPv4, /64 for IPv6.
+ wireguard0 = {
+ IPv4 = "10.210.0.1";
+ IPv6 = "${privateIPv6Prefix}:12ae::";
+ };
+ };
 # The private network for this host.
- privateNetworkGatewayIP = "172.16.0.1/32";
 preferredInternalTLD = "internal";
- privateIP = "172.23.0.2";
- privateIPPrefixLength = 16;
- privateIP' = "${privateIPv6}/${toString privateIPv6PrefixLength}";
-
- # The IPv6 subnet for this host.
- privateIPv6 = "fdee:b0de:5685:a4b3::";
- privateIPv6PrefixLength = 64;
- privateIPv6' = "${privateIPv6}/${toString privateIPv6PrefixLength}";
-
 # Wireguard-related things.
 wireguardPort = 51820;
- wireguardIPHostPart = "172.23.152";
- wireguardIPHostCreate = interfacePart: "${wireguardIPHostPart}.${toString interfacePart}";
- wireguardIPv6Prefix = "fdee:b0de:54e6:ae74::";
- wireguardIPv6Create = interfacePart: "${wireguardIPv6Prefix}${toString interfacePart}";
+ wireguardIPHostPart = "10.210.0";
+ wireguardIPv6Prefix = interfaces.wireguard0.IPv6;
+ # These are all fixed IP addresses. They should be /32 IPv4 block and /128
+ # IPv6 block.
wireguardPeers = {
- server = {
- IPv4 = wireguardIPHostCreate 1;
- IPv6 = wireguardIPv6Create 1;
- };
+ server = with interfaces.wireguard0; { inherit IPv4 IPv6; };
 desktop = {
- IPv4 = wireguardIPHostCreate 2;
- IPv6 = wireguardIPv6Create 2;
+ IPv4 = "${wireguardIPHostPart}.2";
+ IPv6 = "${wireguardIPv6Prefix}:12ae::2";
 };
 phone = {
- IPv4 = wireguardIPHostCreate 3;
- IPv6 = wireguardIPv6Create 3;
+ IPv4 = "${wireguardIPHostPart}.3";
+ IPv6 = "${wireguardIPv6Prefix}:12ae::3";
 };
 };
 }
diff --git a/hosts/plover/modules/services/atuin.nix b/hosts/plover/modules/services/atuin.nix
index 092d75fb..3a2c3679 100644
--- a/hosts/plover/modules/services/atuin.nix
+++ b/hosts/plover/modules/services/atuin.nix
@@ -4,9 +4,10 @@
 { config, lib, pkgs, ... }:
 let
- inherit (import ../hardware/networks.nix) preferredInternalTLD privateIP';
+ inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;
 atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}";
+ host = interfaces.internal.IPv4;
 in
 {
 # Atuin sync server because why not.
@@ -15,7 +16,7 @@ in
 openFirewall = true;
 openRegistration = false;
- host = privateIP';
+ inherit host;
 port = 8965;
 };
@@ -33,7 +34,7 @@ in
 # Putting it altogether in the reverse proxy of choice.
 services.nginx.virtualHosts."${atuinDomain}" = {
 locations."/" = {
- proxyPass = "http://localhost:${toString config.services.atuin.port}";
+ proxyPass = "http://${host}:${toString config.services.atuin.port}";
 };
 };
 }
diff --git a/hosts/plover/modules/services/keycloak.nix b/hosts/plover/modules/services/keycloak.nix
index 3672a82f..c59789bf 100644
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@@ -2,7 +2,7 @@
 { config, lib, pkgs, ... }:
 let
- inherit (import ../hardware/networks.nix) privateIP';
+ inherit (import ../hardware/networks.nix) interfaces;
 authDomain = "auth.${config.networking.domain}";
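Review bot: `IPv6 = "${wireguardIPv6Prefix}:12ae::2"` (and the phone entry below it) does not expand to a valid address: `wireguardIPv6Prefix` is `interfaces.wireguard0.IPv6`, which already ends in `:12ae::`, so the result is `fdee:b0de:5685:12ae:::12ae::2`. Since `wireguardPeers.desktop.IPv6` feeds the `address` list in hosts/ni/default.nix and `desktopPeerAddresses`/`phonePeerAddresses` (the AllowedIPs) in hosts/plover/modules/services/wireguard.nix, the address parsers on both ends will reject the entry. `IPv6 = "${wireguardIPv6Prefix}2";` reproduces what the removed `wireguardIPv6Create` produced. Relatedly, `wireguardIPHostPart = "10.210.0"` restates the prefix of `interfaces.wireguard0.IPv4` without referring to it, so the peer IPv4s can silently leave the tunnel subnet when one of the two is edited. This hunk starts on the previous line.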
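Review bot: With `host = interfaces.internal.IPv4` next to the existing `openFirewall = true`, the atuin server listens on the LAN-facing 172.24.0.1 with its port opened, so any host on the internal /16 (and anything later routed into it, such as the WireGuard peers) can reach port 8965 directly rather than through the nginx vhost that `proxyPass` now points at the same address. If nginx is meant to be the only entry point, keep the upstream on loopback (`host = "127.0.0.1";` with `proxyPass = "http://localhost:${toString config.services.atuin.port}";`) and drop `openFirewall`; otherwise a comment stating that direct LAN access is intended would help the next reader. hosts/plover/modules/services/keycloak.nix binds the same way (`host = interfaces.internal.IPv4;` in its hunks on the next line) and the same question applies there.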
@@ -11,6 +11,7 @@ let
 keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username;
 certs = config.security.acme.certs;
+ host = interfaces.internal.IPv4;
 in
 {
 # Hey, the hub for your application sign-in.
@@ -27,7 +28,7 @@ in
 };
 settings = {
- host = privateIP';
+ inherit host;
 db-schema = keycloakDbName;
@@ -75,7 +76,7 @@ in
 # This is based from the reverse proxy guide from the official
 # documentation at https://www.keycloak.org/server/reverseproxy.
 locations = let
- keycloakPath = path: "http://${privateIP'}:${toString config.services.keycloak.settings.http-port}";
+ keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}";
 in
 lib.listToAttrs
 (lib.lists.map
diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index a32b624e..d58c1e06 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@@ -5,14 +5,10 @@
 let
 acmeName = "wireguard.${config.networking.domain}";
 inherit (builtins) toString;
- inherit (import ../hardware/networks.nix)
- privateIP' privateIPv6'
- wireguardPort wireguardPeers;
+ inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
 wireguardIFName = "wireguard0";
- wireguardAllowedIPs = [ privateIP' privateIPv6' ];
-
 desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ];
 phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ];
 in
@@ -39,7 +35,7 @@ in
 wireguardPeerConfig = {
 PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni;
 PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/ni".path;
- AllowedIPs = lib.concatStringsSep "," (desktopPeerAddresses ++ wireguardAllowedIPs);
+ AllowedIPs = lib.concatStringsSep "," desktopPeerAddresses;
 };
 }
@@ -48,7 +44,7 @@ in
 wireguardPeerConfig = {
 PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone;
 PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/phone".path;
- AllowedIPs = lib.concatStringsSep "," (phonePeerAddresses ++ wireguardAllowedIPs);
+ AllowedIPs = lib.concatStringsSep "," phonePeerAddresses;
 };
 }
 ];
@@ -56,9 +52,22 @@ in
 networks."99-${wireguardIFName}" = {
 matchConfig.Name = wireguardIFName;
- address = with wireguardPeers.server; [
- "${IPv4}/24"
- "${IPv6}/64"
+ address = with interfaces.wireguard0; [
+ "${IPv4}/32"
+ "${IPv6}/128"
+ ];
+
+ routes = [
+ {
+ routeConfig = {
+ Gateway = wireguardPeers.server.IPv4;
+ Destination = let
+ ip = lib.strings.splitString "." wireguardPeers.server.IPv4;
+ properRange = lib.lists.take 3 ip ++ [ "0" ];
+ ip' = lib.concatStringsSep "." properRange;
+ in "${ip'}/16";
+ };
+ }
 ];
 };
 };
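Review bot: `Gateway = wireguardPeers.server.IPv4` is this interface's own address — networks.nix now defines `server` as `interfaces.wireguard0`, the same set the `address` list above it uses — so the route says `10.210.0.0/16` via the local host; on a WireGuard interface the subnet route is normally a plain device route, and with a `/32` address and no `GatewayOnLink` networkd may well refuse to install a via-self gateway. Dropping the `Gateway = wireguardPeers.server.IPv4;` line and keeping `Destination` gives the intended on-device route. The IPv6 side gets a `/128` address but no route at all, so the peers' IPv6 addresses in `desktopPeerAddresses`/`phonePeerAddresses` are unreachable from the server; a second entry with `routeConfig.Destination = "${interfaces.wireguard0.IPv6}/64";` is needed. The three-octet `Destination` derivation has the same fragility already raised for hosts/ni/default.nix.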