nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://git.fudo.org:2222/fudosys/NixOS

This commit is contained in:
root 2020-11-19 16:21:20 -06:00
parent e6795d6d2e b5fcbc1a70
commit 4164a3b156
3 changed files with 109 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/fudo/dns.nix
View File

@ -162,7 +162,7 @@ let
nsRecords = ns-hosts:
join-lines ((mapAttrsToList (host: _: "@ IN NS ${host}.") ns-hosts) ++
(mapAttrsToList (host: ip: "${host} IN A ${ip}") ns-hosts));
(mapAttrsToList (host: ip: "${host}. IN A ${ip}") ns-hosts));
in {

107
config/fudo/vpn.nix
View File

@ -4,29 +4,46 @@ with lib;
let
cfg = config.fudo.vpn;
peerOpts = { peer-name, ... }: {
options = with types; {
public-key = mkOption {
type = str;
description = "Peer public key.";
};
ip-util = import ../../lib/ip.nix { lib = lib; };
allowed-ips = mkOption {
type = listOf str;
description = "List of allowed IP ranges from which this peer can connect.";
example = [ "10.100.0.0/16" ];
default = [];
};
};
generate-pubkey-pkg = name: privkey:
pkgs.runCommand "wireguard-${name}-pubkey" {
WIREGUARD_PRIVATE_KEY = privkey;
} ''
mkdir $out
PUBKEY=$(echo $WIREGUARD_PRIVATE_KEY | ${pkgs.wireguard-tools}/bin/wg pubkey)
echo $PUBKEY > $out/pubkey.key
'';
generate-client-config = privkey-file: server-pubkey: network: server-ip: listen-port: dns-servers: ''
[Interface]
Address = ${ip-util.networkMinIp network}
PrivateKey = ${fileContents privkey-file}
ListenPort = ${toString listen-port}
DNS = ${concatStringsSep ", " dns-servers}
[Peer]
PublicKey = ${server-pubkey}
Endpoint = ${server-ip}:${toString listen-port}
AllowedIps = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
'';
generate-peer-entry = peer-name: peer-privkey-path: peer-allowed-ips: let
peer-pkg = generate-pubkey-pkg "client-${peer-name}" (fileContents peer-privkey-path);
pubkey-path = "${peer-pkg}/pubkey.key";
in {
publicKey = fileContents pubkey-path;
allowedIPs = peer-allowed-ips;
};
in {
options.fudo.vpn = with types; {
enable = mkEnableOption "Enable Fudo VPN";
ips = mkOption {
network = mkOption {
type = str;
description = "IP range to assign this interface.";
description = "Network range to assign this interface.";
default = "10.100.0.0/16";
};
@ -42,30 +59,68 @@ in {
default = 51820;
};
dns-servers = mkOption {
type = listOf str;
description = "A list of dns servers to pass to clients.";
default = ["1.1.1.1" "8.8.8.8"];
};
server-ip = mkOption {
type = str;
description = "IP of this WireGuard server.";
};
peers = mkOption {
type = loaOf (submodule peerOpts);
description = "A list of peers allowed to connect.";
type = loaOf str;
description = "A map of peers to shared private keys.";
default = {};
example = {
peer0 = {
public-key = "xyz";
allowed-ips = ["10.100.1.0/24"];
};
peer0 = "/path/to/priv.key";
};
};
};
config = mkIf cfg.enable {
environment.etc = let
peer-data = imap1 (i: peer:{
name = peer.name;
privkey-path = peer.privkey-path;
network-range = let
base = ip-util.intToIpv4
((ip-util.ipv4ToInt (ip-util.getNetworkBase cfg.network)) + (i * 256));
in "${base}/24";
}) (mapAttrsToList (name: privkey-path: {
name = name;
privkey-path = privkey-path;
}) cfg.peers);
server-pubkey-pkg = generate-pubkey-pkg "server-pubkey" (fileContents cfg.private-key-file);
server-pubkey = fileContents "${server-pubkey-pkg}/pubkey.key";
in listToAttrs
(map (peer: nameValuePair "wireguard/clients/${peer.name}.conf" {
mode = "0400";
user = "root";
group = "root";
text = generate-client-config
peer.privkey-path
server-pubkey
peer.network-range
cfg.server-ip
cfg.listen-port
cfg.dns-servers;
}) peer-data);
networking.wireguard = {
enable = true;
interfaces.wgtun0 = {
generatePrivateKeyFile = false;
ips = [ cfg.ips ];
ips = [ cfg.network ];
listenPort = cfg.listen-port;
peers = mapAttrsToList (peer-name: peer-config: {
publicKey = peer-config.public-key;
allowedIPs = peer-config.allowed-ips;
}) cfg.peers;
peers = mapAttrsToList
(name: private-key: generate-peer-entry name private-key ["0.0.0.0/0" "::/0"])
cfg.peers;
privateKeyFile = cfg.private-key-file;
};
};

48
hosts/procul.nix
View File

@ -31,10 +31,6 @@ in {
../informis/users.nix
];
environment.systemPackages = with pkgs; [
multipath-tools
];
networking = {
hostName = hostname;
@ -110,6 +106,15 @@ in {
];
};
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd";
};
# Not all users need access to procul; don't allow LDAP-user access.
authentication.enable = false;
@ -214,15 +219,23 @@ in {
users = {
gituser = {
password = fileContents "/srv/git/secure/db.passwd";
password-file = "/srv/git/secure/db.passwd";
databases = {
git = "ALL PRIVILEGES";
git = {
access = "CONNECT";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT, UPDATE";
};
};
};
};
};
databases = {
git = ["niten"];
git = {
users = ["niten"];
};
};
};
@ -273,22 +286,15 @@ in {
};
fudo.vpn = {
enable = true;
ips = "10.100.0.0/16";
# fer some fuckin reason this sets the default gw to the vpn interface
enable = false;
network = "10.100.0.0/16";
server-ip = host_ipv4;
private-key-file = "/srv/wireguard/secure/secret.key";
peers = {
peter = {
allowed-ips = [ "10.100.1.0/24" ];
public-key = "d1NfRFWRkcKq2gxvqfMy7Oe+JFYf5DjomnsTyisvgB4=";
};
ken = {
allowed-ips = [ "10.100.2.0/24" ];
public-key = "y294rTCK0iSRhA6EIOErPzEuqzJMuYAG4XbHasySMVU=";
};
helen = {
allowed-ips = [ "10.100.3.0/24" ];
public-key = "7Hdko6RibhIYdoPLWXGwmElY5vKvZ+rURmqFTDUfC2w=";
};
peter = "/srv/wireguard/clients/peter.key";
ken = "/srv/wireguard/clients/ken.key";
helen = "/srv/wireguard/clients/helen.key";
};
};