Merge branch 'master' of ssh://git.fudo.org:2222/fudosys/NixOS

config/fudo/dns.nix

@@ -162,7 +162,7 @@ let
 
   nsRecords = ns-hosts:
     join-lines ((mapAttrsToList (host: _: "@ IN NS ${host}.") ns-hosts) ++
-                (mapAttrsToList (host: ip: "${host} IN A ${ip}") ns-hosts));
+                (mapAttrsToList (host: ip: "${host}. IN A ${ip}") ns-hosts));
 
 in {
 

config/fudo/vpn.nix

@@ -4,29 +4,46 @@ with lib;
 let
   cfg = config.fudo.vpn;
 
-  peerOpts = { peer-name, ... }: {
+  ip-util = import ../../lib/ip.nix { lib = lib; };
-    options = with types; {
-      public-key = mkOption {
-        type = str;
-        description = "Peer public key.";
-      };
 
-      allowed-ips = mkOption {
+  generate-pubkey-pkg = name: privkey:
-        type = listOf str;
+    pkgs.runCommand "wireguard-${name}-pubkey" {
-        description = "List of allowed IP ranges from which this peer can connect.";
+      WIREGUARD_PRIVATE_KEY = privkey;
-        example = [ "10.100.0.0/16" ];
+    } ''
-        default = [];
+      mkdir $out
-      };
+      PUBKEY=$(echo $WIREGUARD_PRIVATE_KEY | ${pkgs.wireguard-tools}/bin/wg pubkey)
-    };
+      echo $PUBKEY > $out/pubkey.key
+    '';
+
+  generate-client-config = privkey-file: server-pubkey: network: server-ip: listen-port: dns-servers: ''
+      [Interface]
+      Address = ${ip-util.networkMinIp network}
+      PrivateKey = ${fileContents privkey-file}
+      ListenPort = ${toString listen-port}
+      DNS = ${concatStringsSep ", " dns-servers}
+
+      [Peer]
+      PublicKey = ${server-pubkey}
+      Endpoint = ${server-ip}:${toString listen-port}
+      AllowedIps = 0.0.0.0/0, ::/0
+      PersistentKeepalive = 25
+    '';
+
+  generate-peer-entry = peer-name: peer-privkey-path: peer-allowed-ips: let
+    peer-pkg = generate-pubkey-pkg "client-${peer-name}" (fileContents peer-privkey-path);
+    pubkey-path = "${peer-pkg}/pubkey.key";
+  in {
+    publicKey = fileContents pubkey-path;
+    allowedIPs = peer-allowed-ips;
   };
 
 in {
   options.fudo.vpn = with types; {
     enable = mkEnableOption "Enable Fudo VPN";
 
-    ips = mkOption {
+    network = mkOption {
       type = str;
-      description = "IP range to assign this interface.";
+      description = "Network range to assign this interface.";
       default = "10.100.0.0/16";
     };
 
@@ -42,30 +59,68 @@ in {
       default = 51820;
     };
 
+    dns-servers = mkOption {
+      type = listOf str;
+      description = "A list of dns servers to pass to clients.";
+      default = ["1.1.1.1" "8.8.8.8"];
+    };
+
+    server-ip = mkOption {
+      type = str;
+      description = "IP of this WireGuard server.";
+    };
+
     peers = mkOption {
-      type = loaOf (submodule peerOpts);
+      type = loaOf str;
-      description = "A list of peers allowed to connect.";
+      description = "A map of peers to shared private keys.";
       default = {};
       example = {
-        peer0 = {
+        peer0 = "/path/to/priv.key";
-          public-key = "xyz";
-          allowed-ips = ["10.100.1.0/24"];
-        };
       };
     };
   };
 
   config = mkIf cfg.enable {
+    environment.etc = let
+      peer-data = imap1 (i: peer:{
+        name = peer.name;
+        privkey-path = peer.privkey-path;
+        network-range = let
+          base = ip-util.intToIpv4
+            ((ip-util.ipv4ToInt (ip-util.getNetworkBase cfg.network)) + (i * 256));
+        in "${base}/24";
+      }) (mapAttrsToList (name: privkey-path: {
+        name = name;
+        privkey-path = privkey-path;
+      }) cfg.peers);
+
+      server-pubkey-pkg = generate-pubkey-pkg "server-pubkey" (fileContents cfg.private-key-file);
+
+      server-pubkey = fileContents "${server-pubkey-pkg}/pubkey.key";
+
+    in listToAttrs
+      (map (peer: nameValuePair "wireguard/clients/${peer.name}.conf" {
+        mode = "0400";
+        user = "root";
+        group = "root";
+        text = generate-client-config
+          peer.privkey-path
+          server-pubkey
+          peer.network-range
+          cfg.server-ip
+          cfg.listen-port
+          cfg.dns-servers;
+      }) peer-data);
+
     networking.wireguard = {
       enable = true;
       interfaces.wgtun0 = {
         generatePrivateKeyFile = false;
-        ips = [ cfg.ips ];
+        ips = [ cfg.network ];
         listenPort = cfg.listen-port;
-        peers = mapAttrsToList (peer-name: peer-config: {
+        peers = mapAttrsToList
-          publicKey = peer-config.public-key;
+          (name: private-key: generate-peer-entry name private-key ["0.0.0.0/0" "::/0"])
-          allowedIPs = peer-config.allowed-ips;
+          cfg.peers;
-        }) cfg.peers;
         privateKeyFile = cfg.private-key-file;
       };
     };

hosts/procul.nix

@@ -31,10 +31,6 @@ in {
     ../informis/users.nix
   ];
 
-  environment.systemPackages = with pkgs; [
-    multipath-tools
-  ];
-
   networking = {
     hostName = hostname;
 
@@ -110,6 +106,15 @@ in {
       ];
     };
 
+    client.dns = {
+      enable = true;
+      ipv4 = true;
+      ipv6 = true;
+      user = "fudo-client";
+      external-interface = "extif0";
+      password-file = "/srv/client/secure/client.passwd";
+    };
+
     # Not all users need access to procul; don't allow LDAP-user access.
     authentication.enable = false;
 
@@ -214,15 +219,23 @@ in {
 
       users = {
         gituser = {
-          password = fileContents "/srv/git/secure/db.passwd";
+          password-file = "/srv/git/secure/db.passwd";
           databases = {
-            git = "ALL PRIVILEGES";
+            git = {
+              access = "CONNECT";
+              entity-access = {
+                "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
+                "ALL SEQUENCES IN SCHEMA public" = "SELECT, UPDATE";
+              };
+            };
           };
         };
       };
 
       databases = {
-        git = ["niten"];
+        git = {
+          users = ["niten"];
+        };
       };
     };
 
@@ -273,22 +286,15 @@ in {
   };
 
   fudo.vpn = {
-    enable = true;
+    # fer some fuckin reason this sets the default gw to the vpn interface
-    ips = "10.100.0.0/16";
+    enable = false;
+    network = "10.100.0.0/16";
+    server-ip = host_ipv4;
     private-key-file = "/srv/wireguard/secure/secret.key";
     peers = {
-      peter = {
+      peter = "/srv/wireguard/clients/peter.key";
-        allowed-ips = [ "10.100.1.0/24" ];
+      ken = "/srv/wireguard/clients/ken.key";
-        public-key = "d1NfRFWRkcKq2gxvqfMy7Oe+JFYf5DjomnsTyisvgB4=";
+      helen = "/srv/wireguard/clients/helen.key";
-      };
-      ken = {
-        allowed-ips = [ "10.100.2.0/24" ];
-        public-key = "y294rTCK0iSRhA6EIOErPzEuqzJMuYAG4XbHasySMVU=";
-      };
-      helen = {
-        allowed-ips = [ "10.100.3.0/24" ];
-        public-key = "7Hdko6RibhIYdoPLWXGwmElY5vKvZ+rURmqFTDUfC2w=";
-      };
     };
   };