hosts: simplify networking set and update Wireguard setup

Currently, the networking set is very messy. It is better to contain
them in another attribute set and categorize them by the interface
that is supposed to contain them. I should've done this some time ago.
Gabriel Arazas 2023-01-23 17:46:32 +08:00
parent fb5f2e277d
commit a386f99554
6 changed files with 103 additions and 82 deletions


@ -4,11 +4,14 @@ let
network = import ../plover/modules/hardware/networks.nix; network = import ../plover/modules/hardware/networks.nix;
inherit (builtins) toString; inherit (builtins) toString;
inherit (network) inherit (network)
publicIP interfaces
wireguardPort wireguardPort
wireguardPeers; wireguardPeers;
wireguardAllowedIPs = [ "0.0.0.0/0" "::/0" ]; wireguardAllowedIPs = [
"${interfaces.internal.IPv4}/16"
"${interfaces.internal.IPv6}/64"
];
wireguardIFName = "wireguard0"; wireguardIFName = "wireguard0";
in in
{ {
@ -240,20 +243,7 @@ in
PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-plover; PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-plover;
PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path; PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
Endpoint = "${publicIP}:51820"; Endpoint = "${interfaces.main'.IPv4}:51820";
};
}
# "Phone" peer. It is also expected to be anywhere on the global
# network so we're basically setting up our own peer as a traffic
# forwarder in case there's ever a reason to do connect from the phone
# to the server which is always available anyways.
{
wireguardPeerConfig = {
PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
Endpoint = "${publicIP}:51820";
}; };
} }
]; ];
@ -262,13 +252,30 @@ in
networks."99-${wireguardIFName}" = { networks."99-${wireguardIFName}" = {
matchConfig.Name = wireguardIFName; matchConfig.Name = wireguardIFName;
address = with wireguardPeers.desktop; [ address = with wireguardPeers.desktop; [
"${IPv4}/24" "${IPv4}/32"
"${IPv6}/64" "${IPv6}/128"
]; ];
# Otherwise, it will autostart every bootup when I need it only at few # Otherwise, it will autostart every bootup when I need it only at few
# hours at a time. # hours at a time.
linkConfig.Unmanaged = true; linkConfig = {
ActivationPolicy = "manual";
RequiredForOnline = false;
};
routes = [
{
routeConfig = {
Gateway = wireguardPeers.server.IPv4;
Destination = let
ip = lib.strings.splitString "." wireguardPeers.server.IPv4;
properRange = lib.lists.take 3 ip ++ [ "0" ];
ip' = lib.concatStringsSep "." properRange;
in "${ip'}/16";
GatewayOnLink = true;
};
}
];
}; };
}; };
} }
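Review bot: The desktop's `wireguardAllowedIPs` (first hunk, used for the plover peer's `AllowedIPs` in the second) now covers only the internal LAN prefixes, while the route added in the third hunk sends 10.210.0.0/16 into the tunnel via 10.210.0.1; WireGuard drops outbound packets whose destination matches no peer's AllowedIPs, so traffic to the tunnel subnet itself (the server's tunnel address included) will not pass unless something outside this diff adds it. Adding `"${interfaces.wireguard0.IPv4}/16"` and `"${interfaces.wireguard0.IPv6}/64"` to the list keeps the route and the cryptokey table consistent. Separately, `Endpoint = "${interfaces.main'.IPv4}:51820"` hard-codes the port although `wireguardPort` is still inherited in the first hunk; `Endpoint = "${interfaces.main'.IPv4}:${toString wireguardPort}";` keeps the two in sync. The route's `Destination` zeroes only the last octet of the server address yet labels the result `/16`, which is right for 10.210.0.1 only because its third octet already is 0; `properRange = lib.lists.take 2 ip ++ [ "0" "0" ];` matches the mask, and the server-side wireguard module in this commit repeats the same computation. The enclosing `systemd.network` attribute set starts before these hunks.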


@ -6,14 +6,7 @@
let let
network = import ./networks.nix; network = import ./networks.nix;
inherit (builtins) toString; inherit (builtins) toString;
inherit (network) inherit (network) privateIPv6Prefix interfaces;
publicIP' publicIPv6
publicIPv6PrefixLength
privateNetworkGatewayIP
privateIP'
privateIPv6
privateIPv6PrefixLength
privateIPv6';
# This is just referring to the same interface just with alternative names. # This is just referring to the same interface just with alternative names.
mainEthernetInterfaceNames = [ "ens3" "enp0s3" ]; mainEthernetInterfaceNames = [ "ens3" "enp0s3" ];
@ -69,12 +62,14 @@ in
matchConfig.Name = lib.concatStringsSep " " mainEthernetInterfaceNames; matchConfig.Name = lib.concatStringsSep " " mainEthernetInterfaceNames;
# Setting the primary static IPs. # Setting the primary static IPs.
address = [ address = with interfaces; [
publicIP' # The public IPs.
"${main'.IPv4}/32"
"${main'.IPv6}/128"
# The public IPv6 is assigned to a server so we'll to have to go with # IPs in the LAN.
# something else. "${main.IPv4}/16"
"${publicIPv6}2/${toString publicIPv6PrefixLength}" "${main.IPv6}/64"
]; ];
networkConfig = { networkConfig = {
@ -84,11 +79,11 @@ in
routes = [ routes = [
{ routeConfig.Gateway = "fe80::1"; } { routeConfig.Gateway = "fe80::1"; }
{ routeConfig.Destination = publicIP'; } { routeConfig.Destination = "${interfaces.main'.IPv4}/32"; }
{ {
routeConfig = { routeConfig = {
Gateway = publicIP'; Gateway = "${interfaces.main'.IPv4}/32";
GatewayOnLink = true; GatewayOnLink = true;
}; };
} }
@ -97,10 +92,11 @@ in
"60-lan" = { "60-lan" = {
matchConfig.Name = "ens11"; matchConfig.Name = "ens11";
address = with interfaces.internal; [
address = [ privateIP' ]; "${IPv4}/16"
"${IPv6}/64"
];
networkConfig.DHCP = "yes"; networkConfig.DHCP = "yes";
dhcpV6Config.PrefixDelegationHint = privateIPv6';
}; };
# This is to make use of the remaining ethernet interfaces as we can # This is to make use of the remaining ethernet interfaces as we can
@ -111,7 +107,7 @@ in
# Even if there's one, it would have the interface with subnets and a # Even if there's one, it would have the interface with subnets and a
# guaranteed network interface for the internal services. # guaranteed network interface for the internal services.
dhcpV6Config.PrefixDelegationHint = privateIPv6'; dhcpV6Config.PrefixDelegationHint = "${privateIPv6Prefix}:43ff::/64";
}; };
}; };
}; };
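Review bot: `Gateway = "${interfaces.main'.IPv4}/32"` in the third hunk puts a prefix length on a `Gateway=` value; as far as I can tell systemd-networkd's Gateway= takes a bare address, so that route section would be rejected at parse time. The removed `publicIP'` already carried the `/32`, so this is inherited rather than introduced, but the rewrite is the moment to fix it with `Gateway = interfaces.main'.IPv4;`. The `Destination = "${interfaces.main'.IPv4}/32"` on the line above is fine, since Destination= does take a prefix. The `networks` attribute set these hunks edit starts and ends outside the diff.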


@ -5,46 +5,53 @@ let
inherit (builtins) toString; inherit (builtins) toString;
in in
rec { rec {
publicIP = "95.217.212.19"; privateIPv6Prefix = "fdee:b0de:5685";
publicIPPrefixLength = 32; interfaces = {
publicIP' = "${publicIP}/${toString publicIPPrefixLength}"; # This is the public-facing interface. Any interface name with a prime
# symbol means it's a public-facing interface.
main' = {
IPv4 = "95.217.212.19";
IPv6 = "2a01:4f9:c011:a448::1";
};
publicIPv6 = "2a01:4f9:c011:a448::"; # /16 block for IPv4, /64 for IPv6.
publicIPv6PrefixLength = 64; main = {
publicIPv6' = "${publicIPv6}/${toString publicIPv6PrefixLength}"; IPv4 = "172.25.0.1";
IPv6 = "${privateIPv6Prefix}:1::";
};
# /16 block for IPv4, /64 for IPv6.
internal = {
IPv4 = "172.24.0.1";
IPv6 = "${privateIPv6Prefix}:2::";
};
# /16 BLOCK for IPv4, /64 for IPv6.
wireguard0 = {
IPv4 = "10.210.0.1";
IPv6 = "${privateIPv6Prefix}:12ae::";
};
};
# The private network for this host. # The private network for this host.
privateNetworkGatewayIP = "172.16.0.1/32";
preferredInternalTLD = "internal"; preferredInternalTLD = "internal";
privateIP = "172.23.0.2";
privateIPPrefixLength = 16;
privateIP' = "${privateIPv6}/${toString privateIPv6PrefixLength}";
# The IPv6 subnet for this host.
privateIPv6 = "fdee:b0de:5685:a4b3::";
privateIPv6PrefixLength = 64;
privateIPv6' = "${privateIPv6}/${toString privateIPv6PrefixLength}";
# Wireguard-related things. # Wireguard-related things.
wireguardPort = 51820; wireguardPort = 51820;
wireguardIPHostPart = "172.23.152"; wireguardIPHostPart = "10.210.0";
wireguardIPHostCreate = interfacePart: "${wireguardIPHostPart}.${toString interfacePart}"; wireguardIPv6Prefix = interfaces.wireguard0.IPv6;
wireguardIPv6Prefix = "fdee:b0de:54e6:ae74::";
wireguardIPv6Create = interfacePart: "${wireguardIPv6Prefix}${toString interfacePart}";
# These are all fixed IP addresses. They should be /32 IPv4 block and /128
# IPv6 block.
wireguardPeers = { wireguardPeers = {
server = { server = with interfaces.wireguard0; { inherit IPv4 IPv6; };
IPv4 = wireguardIPHostCreate 1;
IPv6 = wireguardIPv6Create 1;
};
desktop = { desktop = {
IPv4 = wireguardIPHostCreate 2; IPv4 = "${wireguardIPHostPart}.2";
IPv6 = wireguardIPv6Create 2; IPv6 = "${wireguardIPv6Prefix}:12ae::2";
}; };
phone = { phone = {
IPv4 = wireguardIPHostCreate 3; IPv4 = "${wireguardIPHostPart}.3";
IPv6 = wireguardIPv6Create 3; IPv6 = "${wireguardIPv6Prefix}:12ae::3";
}; };
}; };
} }
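Review bot: The desktop and phone IPv6 peer addresses are built as `"${wireguardIPv6Prefix}:12ae::2"`, but `wireguardIPv6Prefix` is now `interfaces.wireguard0.IPv6`, which already ends in `:12ae::`, so the result is `fdee:b0de:5685:12ae:::12ae::2` — not a valid address; the removed `wireguardIPv6Create` appended only the host part. `IPv6 = "${wireguardIPv6Prefix}2";` and `IPv6 = "${wireguardIPv6Prefix}3";` give the intended `fdee:b0de:5685:12ae::2` and `::3`, matching how `server` reuses `interfaces.wireguard0` verbatim. Likewise `wireguardIPHostPart = "10.210.0"` repeats the first three octets of `interfaces.wireguard0.IPv4` by hand; deriving one from the other, or a comment stating that the two must agree, avoids the same kind of drift. The comment `# /16 BLOCK for IPv4, /64 for IPv6.` above `wireguard0` is capitalised differently from its two siblings.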


@ -4,9 +4,10 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (import ../hardware/networks.nix) preferredInternalTLD privateIP'; inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;
atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}"; atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}";
host = interfaces.internal.IPv4;
in in
{ {
# Atuin sync server because why not. # Atuin sync server because why not.
@ -15,7 +16,7 @@ in
openFirewall = true; openFirewall = true;
openRegistration = false; openRegistration = false;
host = privateIP'; inherit host;
port = 8965; port = 8965;
}; };
@ -33,7 +34,7 @@ in
# Putting it altogether in the reverse proxy of choice. # Putting it altogether in the reverse proxy of choice.
services.nginx.virtualHosts."${atuinDomain}" = { services.nginx.virtualHosts."${atuinDomain}" = {
locations."/" = { locations."/" = {
proxyPass = "http://localhost:${toString config.services.atuin.port}"; proxyPass = "http://${host}:${toString config.services.atuin.port}";
}; };
}; };
} }
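Review bot: With `host = interfaces.internal.IPv4` the atuin server now binds 172.24.0.1 instead of the `localhost` the nginx location used to target, and `openFirewall = true` in the second hunk is kept, so any host on the internal /16 — including wireguard peers that route that prefix through the tunnel elsewhere in this commit — can reach port 8965 directly, bypassing the nginx virtual host and whatever TLS or access control it provides. If nginx is meant to be the only entry point, bind to a loopback address and drop `openFirewall`; if direct LAN access is intended, a comment such as `# Bound to the LAN address so peers can sync without going through nginx; openFirewall exposes it to the whole internal /16.` would record that decision. The enclosing module attribute set continues outside these hunks.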


@ -2,7 +2,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (import ../hardware/networks.nix) privateIP'; inherit (import ../hardware/networks.nix) interfaces;
authDomain = "auth.${config.networking.domain}"; authDomain = "auth.${config.networking.domain}";
@ -11,6 +11,7 @@ let
keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username; keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username;
certs = config.security.acme.certs; certs = config.security.acme.certs;
host = interfaces.internal.IPv4;
in in
{ {
# Hey, the hub for your application sign-in. # Hey, the hub for your application sign-in.
@ -27,7 +28,7 @@ in
}; };
settings = { settings = {
host = privateIP'; inherit host;
db-schema = keycloakDbName; db-schema = keycloakDbName;
@ -75,7 +76,7 @@ in
# This is based from the reverse proxy guide from the official # This is based from the reverse proxy guide from the official
# documentation at https://www.keycloak.org/server/reverseproxy. # documentation at https://www.keycloak.org/server/reverseproxy.
locations = let locations = let
keycloakPath = path: "http://${privateIP'}:${toString config.services.keycloak.settings.http-port}"; keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}";
in in
lib.listToAttrs lib.listToAttrs
(lib.lists.map (lib.lists.map
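Review bot: `keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}"` in the last hunk binds a `path` argument that the body never uses (the removed line had the same shape), so every location maps to the same URL; either drop the parameter and make it a plain string, or append `path` if a per-location suffix was the intent — the call sites are outside this hunk, so the choice depends on them. The listen-address change to `interfaces.internal.IPv4` has the same exposure consideration raised on the atuin module in this commit. The `locations` let-binding and the surrounding virtual host definition continue past the hunk.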


@ -5,14 +5,10 @@
let let
acmeName = "wireguard.${config.networking.domain}"; acmeName = "wireguard.${config.networking.domain}";
inherit (builtins) toString; inherit (builtins) toString;
inherit (import ../hardware/networks.nix) inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
privateIP' privateIPv6'
wireguardPort wireguardPeers;
wireguardIFName = "wireguard0"; wireguardIFName = "wireguard0";
wireguardAllowedIPs = [ privateIP' privateIPv6' ];
desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ]; desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ];
phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ]; phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ];
in in
@ -39,7 +35,7 @@ in
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni; PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/ni".path; PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/ni".path;
AllowedIPs = lib.concatStringsSep "," (desktopPeerAddresses ++ wireguardAllowedIPs); AllowedIPs = lib.concatStringsSep "," desktopPeerAddresses;
}; };
} }
@ -48,7 +44,7 @@ in
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone; PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/phone".path; PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," (phonePeerAddresses ++ wireguardAllowedIPs); AllowedIPs = lib.concatStringsSep "," phonePeerAddresses;
}; };
} }
]; ];
@ -56,9 +52,22 @@ in
networks."99-${wireguardIFName}" = { networks."99-${wireguardIFName}" = {
matchConfig.Name = wireguardIFName; matchConfig.Name = wireguardIFName;
address = with wireguardPeers.server; [ address = with interfaces.wireguard0; [
"${IPv4}/24" "${IPv4}/32"
"${IPv6}/64" "${IPv6}/128"
];
routes = [
{
routeConfig = {
Gateway = wireguardPeers.server.IPv4;
Destination = let
ip = lib.strings.splitString "." wireguardPeers.server.IPv4;
properRange = lib.lists.take 3 ip ++ [ "0" ];
ip' = lib.concatStringsSep "." properRange;
in "${ip'}/16";
};
}
]; ];
}; };
}; };