diff options
-rw-r--r-- | makefu/1systems/gum/config.nix | 60 | ||||
-rw-r--r-- | makefu/1systems/hardware/tsp-disk.json | 23 | ||||
-rw-r--r-- | makefu/1systems/omo/config.nix | 226 | ||||
-rw-r--r-- | makefu/1systems/omo/hw/omo.nix | 117 | ||||
-rw-r--r-- | makefu/1systems/omo/hw/tsp-tools.nix | 11 | ||||
-rw-r--r-- | makefu/1systems/omo/hw/tsp.nix | 32 | ||||
-rw-r--r-- | makefu/2configs/dcpp/client.nix | 9 | ||||
-rw-r--r-- | makefu/2configs/dcpp/hub.nix (renamed from makefu/2configs/hub.nix) | 26 | ||||
-rw-r--r-- | makefu/2configs/deployment/homeautomation/default.nix | 61 | ||||
-rw-r--r-- | makefu/2configs/wireguard/server.nix | 52 |
10 files changed, 344 insertions, 273 deletions
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 351844482..36af23bb5 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -74,14 +74,8 @@ in { <stockholm/makefu/2configs/syncthing.nix> # <stockholm/makefu/2configs/opentracker.nix> - <stockholm/makefu/2configs/hub.nix> - { # ncdc - environment.systemPackages = [ pkgs.ncdc ]; - networking.firewall = { - allowedUDPPorts = [ 51411 ]; - allowedTCPPorts = [ 51411 ]; - }; - } + <stockholm/makefu/2configs/dcpp/hub.nix> + <stockholm/makefu/2configs/dcpp/client.nix> <stockholm/makefu/2configs/stats/client.nix> # <stockholm/makefu/2configs/logging/client.nix> @@ -103,55 +97,7 @@ in { # locations."/".proxyPass = "http://localhost:5000"; # }; #} - { # wireguard server - - # opkg install wireguard luci-proto-wireguard - - # TODO: networking.nat - - # boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - # conf.all.proxy_arp =1 - networking.firewall = { - allowedUDPPorts = [ 51820 ]; - extraCommands = '' - iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE - ''; - }; - - networking.wireguard.interfaces.wg0 = { - ips = [ "10.244.0.1/24" ]; - listenPort = 51820; - privateKeyFile = (toString <secrets>) + "/wireguard.key"; - allowedIPsAsRoutes = true; - peers = [ - { - # x - allowedIPs = [ "10.244.0.2/32" ]; - publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; - } - { - # vbob - allowedIPs = [ "10.244.0.3/32" ]; - publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw="; - } - { - # x-test - allowedIPs = [ "10.244.0.4/32" ]; - publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY="; - } - { - # work-router - allowedIPs = [ "10.244.0.5/32" ]; - publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw="; - } - { - # workr - allowedIPs = [ "10.244.0.6/32" ]; - publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA="; - } - ]; - }; - } + <stockholm/makefu/2configs/wireguard/server.nix> { # iperf3 networking.firewall.allowedUDPPorts = [ 5201 ]; networking.firewall.allowedTCPPorts = [ 5201 ]; diff --git a/makefu/1systems/hardware/tsp-disk.json b/makefu/1systems/hardware/tsp-disk.json new file mode 100644 index 000000000..5a4bd26ab --- /dev/null +++ b/makefu/1systems/hardware/tsp-disk.json @@ -0,0 +1,23 @@ +{ + "type": "devices", + "content": { + "sda": { + "type": "table", + "format": "msdos", + "partitions": [ + { "type": "partition", + "part-type": "primary", + "start": "1M", + "end": "100%", + "bootable": true, + "content": { + "type": "filesystem", + "format": "ext4", + "mountpoint": "/" + } + } + ] + } + } +} + diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 109877bf1..47e815e77 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -4,52 +4,17 @@ { config, pkgs, lib, ... }: let - toMapper = id: "/media/crypt${builtins.toString id}"; - byid = dev: "/dev/disk/by-id/" + dev; - keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; - rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904"; - rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2"; - primaryInterface = "enp2s0"; - firetv = "192.168.1.238"; - # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512 - # cryptsetup luksAddKey $dev tmpkey - # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096 - # mkfs.xfs /dev/mapper/crypt0 -L crypt0 - - # omo Chassis: - # __FRONT_ - # |* d0 | - # | | - # |* d1 | - # | | - # |* d3 | - # | | - # |* | - # |* d2 | - # | * | - # | * | - # |_______| - # cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6"; - cryptDisk0 = byid "ata-ST8000DM004-2CX188_ZCT01PLV"; - cryptDisk1 = byid "ata-TP02000GB_TPW151006050068"; - cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG"; - cryptDisk3 = byid "ata-ST8000DM004-2CX188_ZCT01SG4"; - # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907"; - # all physical disks - - # TODO callPackage ../3modules/MonitorDisks { disks = allDisks } - dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 cryptDisk3 ]; - allDisks = [ rootDisk ] ++ dataDisks; + primaryInterface = config.makefu.server.primary-itf; in { imports = [ + #./hw/omo.nix + ./hw/tsp.nix <stockholm/makefu> - # TODO: unlock home partition via ssh - <stockholm/makefu/2configs/fs/sda-crypto-root.nix> <stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/backup.nix> <stockholm/makefu/2configs/exim-retiolum.nix> - <stockholm/makefu/2configs/smart-monitor.nix> + # <stockholm/makefu/2configs/smart-monitor.nix> <stockholm/makefu/2configs/mail-client.nix> <stockholm/makefu/2configs/mosh.nix> <stockholm/makefu/2configs/tools/mobility.nix> @@ -78,6 +43,7 @@ in { <stockholm/makefu/2configs/deployment/google-muell.nix> <stockholm/makefu/2configs/virtualisation/docker.nix> <stockholm/makefu/2configs/bluetooth-mpd.nix> + <stockholm/makefu/2configs/deployment/homeautomation> { hardware.pulseaudio.systemWide = true; makefu.mpd.musicDirectory = "/media/cryptX/music"; @@ -99,74 +65,9 @@ in { # Temporary: # <stockholm/makefu/2configs/temp/rst-issue.nix> - { # ncdc - environment.systemPackages = [ pkgs.ncdc ]; - networking.firewall = { - allowedUDPPorts = [ 51411 ]; - allowedTCPPorts = [ 51411 ]; - }; - } - { - systemd.services.firetv = { - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "nobody"; - ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555"; - }; - }; - nixpkgs.config.permittedInsecurePackages = [ - "homeassistant-0.65.5" - ]; - services.home-assistant = { - config = { - homeassistant = { - name = "Home"; time_zone = "Europe/Berlin"; - latitude = "48.7687"; - longitude = "9.2478"; - }; - media_player = [ - { platform = "kodi"; - host = firetv; - } - { platform = "firetv"; - # assumes python-firetv running - } - ]; - sensor = [ - { platform = "luftdaten"; - name = "Ditzingen"; - sensorid = "663"; - monitored_conditions = [ "P1" "P2" ]; - } - # https://www.home-assistant.io/cookbook/automation_for_rainy_days/ - { platform = "darksky"; - api_key = "c73619e6ea79e553a585be06aacf3679"; - language = "de"; - monitored_conditions = [ "summary" "icon" - "nearest_storm_distance" "precip_probability" - "precip_intensity" - "temperature" # "temperature_high" "temperature_low" - "hourly_summary" - "uv_index" ]; - units = "si" ; - update_interval = { - days = 0; - hours = 0; - minutes = 10; - seconds = 0; - }; - } - ]; - frontend = { }; - http = { }; - }; - enable = true; - #configDir = "/var/lib/hass"; - }; - } + ]; makefu.full-populate = true; - makefu.server.primary-itf = primaryInterface; krebs.rtorrent = { downloadDir = lib.mkForce "/media/cryptX/torrent"; extraConfig = '' @@ -178,18 +79,6 @@ in { members = [ "makefu" "misa" ]; }; networking.firewall.trustedInterfaces = [ primaryInterface ]; - # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net - # tcp:80 - nginx for sharing files - # tcp:655 udp:655 - tinc - # tcp:8111 - graphite - # tcp:8112 - pyload - # tcp:9090 - sabnzbd - # tcp:9200 - elasticsearch - # tcp:5601 - kibana - networking.firewall.allowedUDPPorts = [ 655 ]; - networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ]; - - # services.openssh.allowSFTP = false; # copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/ services.sabnzbd.enable = true; @@ -199,90 +88,11 @@ in { enable = true; servedir = "/media/cryptX/emu/ps3"; }; - # HDD Array stuff - services.smartd.devices = builtins.map (x: { device = x; }) allDisks; - - makefu.snapraid = { - enable = true; - # TODO: 3 is not protected - disks = map toMapper [ 0 1 ]; - parity = toMapper 2; - }; - - # TODO create folders in /media - system.activationScripts.createCryptFolders = '' - ${lib.concatMapStringsSep "\n" - (d: "install -m 755 -d " + (toMapper d) ) - [ 0 1 2 "X" ]} - ''; - environment.systemPackages = with pkgs;[ - mergerfs # hard requirement for mount - wol # wake up filepimp - f3 - ]; - fileSystems = let - cryptMount = name: - { "/media/${name}" = { - device = "/dev/mapper/${name}"; fsType = "xfs"; - options = [ "nofail" ]; - };}; - in cryptMount "crypt0" - // cryptMount "crypt1" - // cryptMount "crypt2" - // cryptMount "crypt3" - // { "/media/cryptX" = { - device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 ]); - fsType = "mergerfs"; - noCheck = true; - options = [ "defaults" "allow_other" "nofail" "nonempty" ]; - }; - }; - - powerManagement.powerUpCommands = lib.concatStrings (map (disk: '' - ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk} - ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk} - ${pkgs.hdparm}/sbin/hdparm -y ${disk} - '') allDisks); - # crypto unlocking - boot = { - initrd.luks = { - devices = let - usbkey = name: device: { - inherit name device keyFile; - keyFileSize = 4096; - allowDiscards = true; - }; - in [ - (usbkey "luksroot" rootPartition) - (usbkey "crypt0" cryptDisk0) - (usbkey "crypt1" cryptDisk1) - (usbkey "crypt2" cryptDisk2) - (usbkey "crypt3" cryptDisk3) - ]; - }; - loader.grub.device = lib.mkForce rootDisk; - - initrd.availableKernelModules = [ - "ahci" - "ohci_pci" - "ehci_pci" - "pata_atiixp" - "firewire_ohci" - "usb_storage" - "usbhid" - ]; - - kernelModules = [ "kvm-intel" ]; - extraModulePackages = [ ]; - }; users.users.misa = { uid = 9002; name = "misa"; }; - # hardware.enableAllFirmware = true; - hardware.enableRedistributableFirmware = true; - hardware.cpu.intel.updateMicrocode = true; zramSwap.enable = true; @@ -290,23 +100,23 @@ in { nickname = "Reaktor|shack"; workdir = "/var/lib/Reaktor/shack"; channels = [ "#shackspace" ]; - plugins = with pkgs.ReaktorPlugins;[ - shack-correct - # stockholm-issue - sed-plugin - random-emoji ]; + plugins = with pkgs.ReaktorPlugins; + [ shack-correct + # stockholm-issue + sed-plugin + random-emoji ]; }; krebs.Reaktor.reaktor-bgt = { nickname = "Reaktor|bgt"; workdir = "/var/lib/Reaktor/bgt"; channels = [ "#binaergewitter" ]; - plugins = with pkgs.ReaktorPlugins;[ - titlebot - # stockholm-issue - nixos-version - shack-correct - sed-plugin - random-emoji ]; + plugins = with pkgs.ReaktorPlugins; + [ titlebot + # stockholm-issue + nixos-version + shack-correct + sed-plugin + random-emoji ]; }; krebs.build.host = config.krebs.hosts.omo; diff --git a/makefu/1systems/omo/hw/omo.nix b/makefu/1systems/omo/hw/omo.nix new file mode 100644 index 000000000..1b618a486 --- /dev/null +++ b/makefu/1systems/omo/hw/omo.nix @@ -0,0 +1,117 @@ +{ config, pkgs, lib, ... }: +let + toMapper = id: "/media/crypt${builtins.toString id}"; + byid = dev: "/dev/disk/by-id/" + dev; + keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; + rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904"; + rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2"; + primaryInterface = "enp2s0"; + # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512 + # cryptsetup luksAddKey $dev tmpkey + # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096 + # mkfs.xfs /dev/mapper/crypt0 -L crypt0 + + # omo Chassis: + # __FRONT_ + # |* d0 | + # | | + # |* d1 | + # | | + # |* d3 | + # | | + # |* | + # |* d2 | + # | * | + # | * | + # |_______| + # cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6"; + cryptDisk0 = byid "ata-ST8000DM004-2CX188_ZCT01PLV"; + cryptDisk1 = byid "ata-TP02000GB_TPW151006050068"; + cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG"; + cryptDisk3 = byid "ata-ST8000DM004-2CX188_ZCT01SG4"; + # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907"; + # all physical disks + + # TODO callPackage ../3modules/MonitorDisks { disks = allDisks } + dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 cryptDisk3 ]; + allDisks = [ rootDisk ] ++ dataDisks; +in { + imports = + [ # TODO: unlock home partition via ssh + <stockholm/makefu/2configs/fs/sda-crypto-root.nix> ]; + makefu.server.primary-itf = primaryInterface; + system.activationScripts.createCryptFolders = '' + ${lib.concatMapStringsSep "\n" + (d: "install -m 755 -d " + (toMapper d) ) + [ 0 1 2 "X" ]} + ''; + + makefu.snapraid = { + enable = true; + # TODO: 3 is not protected + disks = map toMapper [ 0 1 ]; + parity = toMapper 2; + }; + fileSystems = let + cryptMount = name: + { "/media/${name}" = { + device = "/dev/mapper/${name}"; fsType = "xfs"; + options = [ "nofail" ]; + };}; + in cryptMount "crypt0" + // cryptMount "crypt1" + // cryptMount "crypt2" + // cryptMount "crypt3" + // { "/media/cryptX" = { + device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 ]); + fsType = "mergerfs"; + noCheck = true; + options = [ "defaults" "allow_other" "nofail" "nonempty" ]; + }; + }; + + powerManagement.powerUpCommands = lib.concatStrings (map (disk: '' + ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk} + ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk} + ${pkgs.hdparm}/sbin/hdparm -y ${disk} + '') allDisks); + + # crypto unlocking + boot = { + initrd.luks = { + devices = let + usbkey = name: device: { + inherit name device keyFile; + keyFileSize = 4096; + allowDiscards = true; + }; + in [ + (usbkey "luksroot" rootPartition) + (usbkey "crypt0" cryptDisk0) + (usbkey "crypt1" cryptDisk1) + (usbkey "crypt2" cryptDisk2) + (usbkey "crypt3" cryptDisk3) + ]; + }; + loader.grub.device = lib.mkForce rootDisk; + + initrd.availableKernelModules = [ + "ahci" + "ohci_pci" + "ehci_pci" + "pata_atiixp" + "firewire_ohci" + "usb_storage" + "usbhid" + ]; + + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + }; + environment.systemPackages = with pkgs;[ + mergerfs # hard requirement for mount + ]; + hardware.enableRedistributableFirmware = true; + hardware.cpu.intel.updateMicrocode = true; +} + diff --git a/makefu/1systems/omo/hw/tsp-tools.nix b/makefu/1systems/omo/hw/tsp-tools.nix new file mode 100644 index 000000000..6579edd9d --- /dev/null +++ b/makefu/1systems/omo/hw/tsp-tools.nix @@ -0,0 +1,11 @@ +let + disko = import (builtins.fetchGit { + url = https://cgit.lassul.us/disko/; + rev = "9c9b62e15e4ac11d4379e66b974f1389daf939fe"; + }); + + cfg = builtins.fromJSON (builtins.readFile ../../hardware/tsp-disk.json); +in '' +${disko.create cfg} +${disko.mount cfg} +'' diff --git a/makefu/1systems/omo/hw/tsp.nix b/makefu/1systems/omo/hw/tsp.nix new file mode 100644 index 000000000..4af0d73fc --- /dev/null +++ b/makefu/1systems/omo/hw/tsp.nix @@ -0,0 +1,32 @@ +{ pkgs, ... }: +with builtins; +let + disko = import (builtins.fetchGit { + url = https://cgit.lassul.us/disko/; + rev = "9c9b62e15e4ac11d4379e66b974f1389daf939fe"; + }); + cfg = fromJSON (readFile ../../hardware/tsp-disk.json); + primaryInterface = "enp1s0"; + rootDisk = "/dev/sda"; # TODO same as disko uses +in { + imports = [ + (disko.config cfg) + ]; + makefu.server.primary-itf = primaryInterface; + boot = { + loader.grub.device = rootDisk; + + initrd.availableKernelModules = [ + "ahci" + "ohci_pci" + "ehci_pci" + "pata_atiixp" + "firewire_ohci" + "usb_storage" + "usbhid" + ]; + + kernelModules = [ "kvm-intel" ]; + }; + +} diff --git a/makefu/2configs/dcpp/client.nix b/makefu/2configs/dcpp/client.nix new file mode 100644 index 000000000..3b27778e5 --- /dev/null +++ b/makefu/2configs/dcpp/client.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: +{ # ncdc + environment.systemPackages = [ pkgs.ncdc ]; + networking.firewall = { + allowedUDPPorts = [ 51411 ]; + allowedTCPPorts = [ 51411 ]; + }; +} + diff --git a/makefu/2configs/hub.nix b/makefu/2configs/dcpp/hub.nix index a121157d4..92977b4c8 100644 --- a/makefu/2configs/hub.nix +++ b/makefu/2configs/dcpp/hub.nix @@ -30,6 +30,7 @@ let '') dict)} ''; + uhubDir = "/var/lib/uhub"; in { users.extraUsers = singleton { @@ -65,22 +66,31 @@ in { PrivateTmp = true; PermissionsStartOnly = true; ExecStartPre = pkgs.writeDash "uhub-pre" '' - cp ${toString <secrets/wildcard.krebsco.de.crt>} /tmp/uhub.crt - cp ${toString <secrets/wildcard.krebsco.de.key>} /tmp/uhub.key - cp ${toString <secrets/uhub.sql>} /tmp/uhub.sql - chown uhub /tmp/* + cp -f ${toString <secrets/wildcard.krebsco.de.crt>} ${uhubDir}/uhub.crt + cp -f ${toString <secrets/wildcard.krebsco.de.key>} ${uhubDir}/uhub.key + if test -d ${uhubDir};then + echo "Directory ${uhubDir} already exists, skipping db init" + else + echo "Copying sql user db" + cp ${toString <secrets/uhub.sql>} ${uhubDir}/uhub.sql + fi + chown -R uhub ${uhubDir} ''; }; + users.users.uhub = { + home = uhubDir; + createHome = true; + }; services.uhub = { enable = true; port = 1511; enableTLS = true; hubConfig = '' hub_name = "krebshub" - tls_certificate = /tmp/uhub.crt - tls_private_key = /tmp/uhub.key - registered_users_only = true + tls_certificate = ${uhubDir}/uhub.crt + tls_private_key = ${uhubDir}/uhub.key + registered_users_only = true ''; plugins = { welcome = { @@ -93,7 +103,7 @@ in { }; authSqlite = { enable = true; - file = "/tmp/uhub.sql"; + file = "${uhubDir}/uhub.sql"; }; }; diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/deployment/homeautomation/default.nix new file mode 100644 index 000000000..1f935e2f8 --- /dev/null +++ b/makefu/2configs/deployment/homeautomation/default.nix @@ -0,0 +1,61 @@ +{ pkgs, config, ... }: +let + firetv = "192.168.1.238"; +in { + systemd.services.firetv = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "nobody"; + ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555"; + }; + }; + nixpkgs.config.permittedInsecurePackages = [ + "homeassistant-0.65.5" + ]; + services.home-assistant = { + config = { + homeassistant = { + name = "Home"; time_zone = "Europe/Berlin"; + latitude = "48.7687"; + longitude = "9.2478"; + }; + media_player = [ + { platform = "kodi"; + host = firetv; + } + { platform = "firetv"; + # assumes python-firetv running + } + ]; + sensor = [ + { platform = "luftdaten"; + name = "Ditzingen"; + sensorid = "663"; + monitored_conditions = [ "P1" "P2" ]; + } + # https://www.home-assistant.io/cookbook/automation_for_rainy_days/ + { platform = "darksky"; + api_key = "c73619e6ea79e553a585be06aacf3679"; + language = "de"; + monitored_conditions = [ "summary" "icon" + "nearest_storm_distance" "precip_probability" + "precip_intensity" + "temperature" # "temperature_high" "temperature_low" + "hourly_summary" + "uv_index" ]; + units = "si" ; + update_interval = { + days = 0; + hours = 0; + minutes = 10; + seconds = 0; + }; + } + ]; + frontend = { }; + http = { }; + }; + enable = true; + #configDir = "/var/lib/hass"; + }; +} diff --git a/makefu/2configs/wireguard/server.nix b/makefu/2configs/wireguard/server.nix new file mode 100644 index 000000000..e38fa05cb --- /dev/null +++ b/makefu/2configs/wireguard/server.nix @@ -0,0 +1,52 @@ +{ config, ... }: +let + ext-if = config.makefu.server.primary-itf; +in { # wireguard server + + # opkg install wireguard luci-proto-wireguard + + # TODO: networking.nat + + # boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + # conf.all.proxy_arp =1 + networking.firewall = { + allowedUDPPorts = [ 51820 ]; + extraCommands = '' + iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE + ''; + }; + + networking.wireguard.interfaces.wg0 = { + ips = [ "10.244.0.1/24" ]; + listenPort = 51820; + privateKeyFile = (toString <secrets>) + "/wireguard.key"; + allowedIPsAsRoutes = true; + peers = [ + { + # x + allowedIPs = [ "10.244.0.2/32" ]; + publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; + } + { + # vbob + allowedIPs = [ "10.244.0.3/32" ]; + publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw="; + } + { + # x-test + allowedIPs = [ "10.244.0.4/32" ]; + publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY="; + } + { + # work-router + allowedIPs = [ "10.244.0.5/32" ]; + publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw="; + } + { + # workr + allowedIPs = [ "10.244.0.6/32" ]; + publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA="; + } + ]; + }; +} |