hosts/plover: update VPN setup with Tailscale

Setting up our own VPN infra with manual Wireguard thingy is a bit of tedious task.
2025-01-31 04:58:01 +00:00 · 2024-09-20 12:44:54 +08:00 · 2024-09-20 12:44:54 +08:00 · a8d0eb47a0
commit a8d0eb47a0
parent ab88395002
3 changed files with 3 additions and 121 deletions
--- a/configs/nixos/plover/default.nix
+++ b/configs/nixos/plover/default.nix
@ -33,9 +33,11 @@

    # The self-hosted services.
    grafana.enable = true;
-    tailscale.enable = true;
  };

+  # We're using our own VPN configuration for this one.
+  suites.vpn.enable = true;
+
  state.network = {
    ipv4 = lib.mkDefault "65.109.224.213";
    ipv6 = lib.mkDefault "2a01:4f9:c012:607a::1";
--- a/configs/nixos/plover/modules/default.nix
+++ b/configs/nixos/plover/modules/default.nix
@ -22,9 +22,6 @@
    # The firewall of choice.
    ./services/firewall.nix

-    # The VPN setup of choice.
-    ./services/wireguard.nix
-
    # The rest of the self-hosted applications.
    ./services/atuin.nix
    ./services/fail2ban.nix
--- a/configs/nixos/plover/modules/services/wireguard.nix
+++ b/configs/nixos/plover/modules/services/wireguard.nix
@ -1,117 +0,0 @@
-{ config, lib, pkgs, foodogsquaredLib, ... }:
-
-# Take note this service is heavily based on the hardware networking setup of
-# this host so better stay focused on the hardware configuration on this host.
-let
-  hostCfg = config.hosts.plover;
-  cfg = hostCfg.services.wireguard;
-
-  inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
-
-  wireguardIFName = interfaces.wireguard0.ifname;
-
-  desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ];
-  phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ];
-in
-{
-  options.hosts.plover.services.wireguard.enable =
-    lib.mkEnableOption "Wireguard VPN setup";
-
-  config = lib.mkIf cfg.enable (lib.mkMerge [
-    {
-      environment.systemPackages = [ pkgs.wireguard-tools ];
-
-      sops.secrets =
-        let
-          systemdNetworkdPermission = {
-            group = config.users.users.systemd-network.group;
-            reloadUnits = [ "systemd-networkd.service" ];
-            mode = "0640";
-          };
-        in
-        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
-          "wireguard/private-key" = systemdNetworkdPermission;
-          "wireguard/preshared-keys/ni" = systemdNetworkdPermission;
-          "wireguard/preshared-keys/phone" = systemdNetworkdPermission;
-        };
-
-      # Since we're using systemd-networkd to configure interfaces, we can control
-      # how each interface can handle things such as IP masquerading so no need for
-      # modifying sysctl settings like 'ipv4.ip_forward' or similar.
-      systemd.network = {
-        wait-online.ignoredInterfaces = [ wireguardIFName ];
-
-        netdevs."99-${wireguardIFName}" = {
-          netdevConfig = {
-            Name = wireguardIFName;
-            Kind = "wireguard";
-          };
-
-          wireguardConfig = {
-            PrivateKeyFile = config.sops.secrets."wireguard/private-key".path;
-            ListenPort = wireguardPort;
-          };
-
-          wireguardPeers = [
-            # Desktop workstation.
-            {
-              wireguardPeerConfig = {
-                PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni;
-                PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/ni".path;
-                AllowedIPs = lib.concatStringsSep "," desktopPeerAddresses;
-              };
-            }
-
-            # Phone.
-            {
-              wireguardPeerConfig = {
-                PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone;
-                PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
-                AllowedIPs = lib.concatStringsSep "," phonePeerAddresses;
-              };
-            }
-          ];
-        };
-
-        networks."99-${wireguardIFName}" = with interfaces.wireguard0; {
-          matchConfig.Name = ifname;
-
-          address = [
-            "${IPv4.address}/14"
-            "${IPv6.address}/64"
-          ];
-
-          routes = [
-            { routeConfig.Gateway = IPv4.gateway; }
-          ];
-        };
-      };
-    }
-
-    (lib.mkIf hostCfg.services.firewall.enable {
-      networking.firewall = {
-        # Allow the UDP traffic for the Wireguard service.
-        allowedUDPPorts = [ wireguardPort ];
-
-        # IP forwarding for specific interfaces.
-        filterForward = true;
-        extraForwardRules = ''
-          iifname ${wireguardIFName} accept comment "IP forward from Wireguard interface to LAN"
-        '';
-      };
-
-      networking.nftables.ruleset = ''
-        table ip wireguard-${wireguardIFName} {
-          chain prerouting {
-            type nat hook prerouting priority filter; policy accept;
-          }
-
-          chain postrouting {
-            type nat hook postrouting priority srcnat; policy accept;
-            iifname ${wireguardIFName} snat to ${interfaces.lan.IPv4.address} comment "Make packets from Wireguard interface appear as coming from the LAN interface"
-          }
-        }
-      '';
-    })
-  ]);
-}