diff --git a/config/fudo/dns.nix b/config/fudo/dns.nix index 4d04546..c3fb911 100644 --- a/config/fudo/dns.nix +++ b/config/fudo/dns.nix @@ -162,7 +162,7 @@ let nsRecords = ns-hosts: join-lines ((mapAttrsToList (host: _: "@ IN NS ${host}.") ns-hosts) ++ - (mapAttrsToList (host: ip: "${host} IN A ${ip}") ns-hosts)); + (mapAttrsToList (host: ip: "${host}. IN A ${ip}") ns-hosts)); in { diff --git a/config/fudo/vpn.nix b/config/fudo/vpn.nix index 1467fbb..79f55df 100644 --- a/config/fudo/vpn.nix +++ b/config/fudo/vpn.nix @@ -4,29 +4,46 @@ with lib; let cfg = config.fudo.vpn; - peerOpts = { peer-name, ... }: { - options = with types; { - public-key = mkOption { - type = str; - description = "Peer public key."; - }; + ip-util = import ../../lib/ip.nix { lib = lib; }; - allowed-ips = mkOption { - type = listOf str; - description = "List of allowed IP ranges from which this peer can connect."; - example = [ "10.100.0.0/16" ]; - default = []; - }; - }; + generate-pubkey-pkg = name: privkey: + pkgs.runCommand "wireguard-${name}-pubkey" { + WIREGUARD_PRIVATE_KEY = privkey; + } '' + mkdir $out + PUBKEY=$(echo $WIREGUARD_PRIVATE_KEY | ${pkgs.wireguard-tools}/bin/wg pubkey) + echo $PUBKEY > $out/pubkey.key + ''; + + generate-client-config = privkey-file: server-pubkey: network: server-ip: listen-port: dns-servers: '' + [Interface] + Address = ${ip-util.networkMinIp network} + PrivateKey = ${fileContents privkey-file} + ListenPort = ${toString listen-port} + DNS = ${concatStringsSep ", " dns-servers} + + [Peer] + PublicKey = ${server-pubkey} + Endpoint = ${server-ip}:${toString listen-port} + AllowedIps = 0.0.0.0/0, ::/0 + PersistentKeepalive = 25 + ''; + + generate-peer-entry = peer-name: peer-privkey-path: peer-allowed-ips: let + peer-pkg = generate-pubkey-pkg "client-${peer-name}" (fileContents peer-privkey-path); + pubkey-path = "${peer-pkg}/pubkey.key"; + in { + publicKey = fileContents pubkey-path; + allowedIPs = peer-allowed-ips; }; in { options.fudo.vpn = with types; { enable = mkEnableOption "Enable Fudo VPN"; - ips = mkOption { + network = mkOption { type = str; - description = "IP range to assign this interface."; + description = "Network range to assign this interface."; default = "10.100.0.0/16"; }; @@ -42,30 +59,68 @@ in { default = 51820; }; + dns-servers = mkOption { + type = listOf str; + description = "A list of dns servers to pass to clients."; + default = ["1.1.1.1" "8.8.8.8"]; + }; + + server-ip = mkOption { + type = str; + description = "IP of this WireGuard server."; + }; + peers = mkOption { - type = loaOf (submodule peerOpts); - description = "A list of peers allowed to connect."; + type = loaOf str; + description = "A map of peers to shared private keys."; default = {}; example = { - peer0 = { - public-key = "xyz"; - allowed-ips = ["10.100.1.0/24"]; - }; + peer0 = "/path/to/priv.key"; }; }; }; config = mkIf cfg.enable { + environment.etc = let + peer-data = imap1 (i: peer:{ + name = peer.name; + privkey-path = peer.privkey-path; + network-range = let + base = ip-util.intToIpv4 + ((ip-util.ipv4ToInt (ip-util.getNetworkBase cfg.network)) + (i * 256)); + in "${base}/24"; + }) (mapAttrsToList (name: privkey-path: { + name = name; + privkey-path = privkey-path; + }) cfg.peers); + + server-pubkey-pkg = generate-pubkey-pkg "server-pubkey" (fileContents cfg.private-key-file); + + server-pubkey = fileContents "${server-pubkey-pkg}/pubkey.key"; + + in listToAttrs + (map (peer: nameValuePair "wireguard/clients/${peer.name}.conf" { + mode = "0400"; + user = "root"; + group = "root"; + text = generate-client-config + peer.privkey-path + server-pubkey + peer.network-range + cfg.server-ip + cfg.listen-port + cfg.dns-servers; + }) peer-data); + networking.wireguard = { enable = true; interfaces.wgtun0 = { generatePrivateKeyFile = false; - ips = [ cfg.ips ]; + ips = [ cfg.network ]; listenPort = cfg.listen-port; - peers = mapAttrsToList (peer-name: peer-config: { - publicKey = peer-config.public-key; - allowedIPs = peer-config.allowed-ips; - }) cfg.peers; + peers = mapAttrsToList + (name: private-key: generate-peer-entry name private-key ["0.0.0.0/0" "::/0"]) + cfg.peers; privateKeyFile = cfg.private-key-file; }; }; diff --git a/hosts/procul.nix b/hosts/procul.nix index ead5d09..5272d2a 100644 --- a/hosts/procul.nix +++ b/hosts/procul.nix @@ -31,10 +31,6 @@ in { ../informis/users.nix ]; - environment.systemPackages = with pkgs; [ - multipath-tools - ]; - networking = { hostName = hostname; @@ -110,6 +106,15 @@ in { ]; }; + client.dns = { + enable = true; + ipv4 = true; + ipv6 = true; + user = "fudo-client"; + external-interface = "extif0"; + password-file = "/srv/client/secure/client.passwd"; + }; + # Not all users need access to procul; don't allow LDAP-user access. authentication.enable = false; @@ -214,15 +219,23 @@ in { users = { gituser = { - password = fileContents "/srv/git/secure/db.passwd"; + password-file = "/srv/git/secure/db.passwd"; databases = { - git = "ALL PRIVILEGES"; + git = { + access = "CONNECT"; + entity-access = { + "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE"; + "ALL SEQUENCES IN SCHEMA public" = "SELECT, UPDATE"; + }; + }; }; }; }; databases = { - git = ["niten"]; + git = { + users = ["niten"]; + }; }; }; @@ -273,22 +286,15 @@ in { }; fudo.vpn = { - enable = true; - ips = "10.100.0.0/16"; + # fer some fuckin reason this sets the default gw to the vpn interface + enable = false; + network = "10.100.0.0/16"; + server-ip = host_ipv4; private-key-file = "/srv/wireguard/secure/secret.key"; peers = { - peter = { - allowed-ips = [ "10.100.1.0/24" ]; - public-key = "d1NfRFWRkcKq2gxvqfMy7Oe+JFYf5DjomnsTyisvgB4="; - }; - ken = { - allowed-ips = [ "10.100.2.0/24" ]; - public-key = "y294rTCK0iSRhA6EIOErPzEuqzJMuYAG4XbHasySMVU="; - }; - helen = { - allowed-ips = [ "10.100.3.0/24" ]; - public-key = "7Hdko6RibhIYdoPLWXGwmElY5vKvZ+rURmqFTDUfC2w="; - }; + peter = "/srv/wireguard/clients/peter.key"; + ken = "/srv/wireguard/clients/ken.key"; + helen = "/srv/wireguard/clients/helen.key"; }; };