diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 17f987d..198fa1a 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix @@ -108,7 +108,7 @@ in { enable = true; zones = { lan.interfaces = ["br-lan"]; - wan.interfaces = ["wan"]; + wan.interfaces = ["wan" "lan0"]; }; rules = { lan = { @@ -130,6 +130,12 @@ in { incoming-wan = { from = ["wan"]; to = ["fw"]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + ]; verdict = "drop"; }; }; @@ -150,14 +156,6 @@ in { }; networks = { # Connect the bridge ports to the bridge - "30-lan0" = { - matchConfig.Name = "lan0"; - networkConfig = { - Bridge = "br-lan"; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - }; "30-lan1" = { matchConfig.Name = "lan1"; networkConfig = { @@ -195,6 +193,22 @@ in { # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min linkConfig.RequiredForOnline = "no"; }; + # use lan0 as secondary WAN interface + "10-lan0-wan" = { + matchConfig.Name = "lan0"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + DNSOverTLS = true; + DNSSEC = true; + IPv6PrivacyExtensions = false; + IPForward = true; + }; + # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; + }; "10-wan" = { matchConfig.Name = "wan"; networkConfig = { @@ -216,7 +230,9 @@ in { # wireless access point services.hostapd = { enable = true; - radios = { + radios = let + mkBssid = i: "34:56:ce:0f:ed:4${builtins.toString i}"; + in { wlan0 = { band = "2g"; countryCode = "CH"; 
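Review bot: The new `allowedTCPPortRanges` entry in `incoming-wan` exposes sshd to every member of the `wan` zone, and the first hunk of this file widens that zone to `["wan" "lan0"]`, so port 22 becomes reachable from the public side of both uplinks at once. Nothing in the hunk narrows the rule by source address or interface, and the sshd settings (password authentication, `AllowUsers`) are outside this diff, so I can't confirm they are hardened. If remote admin is only needed over one uplink, give `lan0` its own zone and its own rule instead of sharing `wan`; in any case add a comment above the entry such as `# sshd reachable from both uplinks (wan, lan0); relies on key-only auth in services.openssh`. The enclosing `rules` attribute set continues past the hunk.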
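Review bot: The `10-lan0-wan` block is labelled the secondary WAN, but its DHCP and RA settings carry no route metric, so a default route learned on `lan0` competes on equal terms with the one on `wan` unless the `10-wan` block, which continues past the hunk, sets one. Make the preference explicit with `dhcpV4Config.RouteMetric = 2048;` and `ipv6AcceptRAConfig.RouteMetric = 2048;` (any value above wan's). The trailing `# Don't wait for it as it also would wait for wlan and DFS which takes around 5 min` was copied from the bridge block and does not describe a DHCP uplink; replace it with `# Secondary uplink; don't block boot on its DHCP lease`. Note also that `DNSOverTLS = true` is strict mode, so resolvers handed out by the ISP over DHCP presumably must speak DoT or resolution on this link fails closed — worth a one-line comment if that is the same deliberate choice as on `wan`.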
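Review bot: `mkBssid` builds BSSIDs in the `34:56:ce` range, whose first octet has the locally-administered bit clear, so these generated addresses sit in the universally-administered space and could in principle collide with a real vendor OUI; the helper also only yields a valid MAC for `i` in 0–9 because it appends the digit to `...:4`. Setting the local bit and asserting the range makes both properties explicit: `mkBssid = i: assert i >= 0 && i <= 9; "36:56:ce:0f:ed:4${builtins.toString i}";` (changing the BSSID will make clients re-learn the AP, so do it at a convenient time). The `radios` set continues past the hunk.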
@@ -234,12 +250,15 @@ in { mode = "wpa3-sae"; # saePasswordsFile = config.sops.secrets.wifiPassword.path; saePasswords = [ - {password = "justtestingwifi";} + { + password = "justtestingwifi"; + # vlanid = 100; + } ]; }; # generated with https://miniwebtool.com/mac-address-generator/ - bssid = "34:56:ce:0f:ed:40"; + bssid = mkBssid 0; settings = { bridge = "br-lan"; }; @@ -251,13 +270,19 @@ in { mode = "wpa3-sae-transition"; # saePasswordsFile = config.sops.secrets.wifiPassword.path; saePasswords = [ - {password = "justtestingwifi";} + { + password = "justtestingwifi"; + # vlanid = 100; + } ]; - wpaPassword = "justtestingwifi"; + wpaPskFile = pkgs.writeText "pskfile" '' + 00:00:00:00:00:00 justtestingwifi + # vlanid=100 00:00:00:00:00:00 justtestingwifi-vlan + ''; }; # generated with https://miniwebtool.com/mac-address-generator/ - bssid = "34:56:ce:0f:ed:41"; + bssid = mkBssid 1; settings = { bridge = "br-lan"; }; @@ -392,9 +417,9 @@ in { domain = "lan"; expand-hosts = true; - # don't use /etc/hosts as this would advertise surfer as localhost + # don't use /etc/hosts as this would advertise ${nodeName} as localhost no-hosts = true; - address = "/surfer.lan/192.168.10.1"; + address = "/${nodeName}.lan/192.168.10.1"; }; }; diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock index 9ad07a0..3d42ef9 100644 --- a/nix/os/devices/router0-dmz0/flake.lock +++ b/nix/os/devices/router0-dmz0/flake.lock 
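Review bot: `wpaPskFile = pkgs.writeText "pskfile" ...` writes the WPA passphrase into the Nix store, which is world-readable on the router and is copied to any binary cache the closure is pushed to; the inline `saePasswords` literal in the same hunk has the same exposure. Since the option takes a file path, point it at a secret that lives outside the store, in the spirit of the commented-out `saePasswordsFile = config.sops.secrets.wifiPassword.path` line, e.g. `wpaPskFile = config.sops.secrets.wifiPskFile.path;`, and do the same for the SAE password. The `# vlanid=100 ...` line is a hostapd comment and is inert, which is fine, but a short note like `# the vlanid line is intentionally commented out until the VLAN exists` would stop the next reader from assuming a second PSK is live. The `wlan1` radio definition continues past the hunk.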
@@ -120,48 +120,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1691654369, - "narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=", - "owner": "nixos", + "lastModified": 1691788113, + "narHash": "sha256-h5dnmk0QMQI+WkP7ZGbqusr7GfeXOrYCzO7BoZpSGJ0=", + "owner": "steveej-forks", "repo": "nixpkgs", - "rev": "ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e", + "rev": "f358ddb768fad528772ae3faf786337fe89a7568", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1691753935, - "narHash": "sha256-fjH5oZ0g8Cb0vrJ8TlS4B7kaVr7YmEdee64ueQ6arAo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "650596759b8b38399a0c4d5e366847d190360e55", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1691703261, - "narHash": "sha256-jUzmIeh+F+XKkuEhfY+VRgbVitTOr5oh5Oi5p5kr9tQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "079f7bd05bf72641e3b5904ed891d44d21ea90ed", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", + "owner": "steveej-forks", + "ref": "hostapd-fix", "repo": "nixpkgs", "type": "github" } @@ -174,8 +142,6 @@ "home-manager": "home-manager", "nixos-nftables-firewall": "nixos-nftables-firewall", "nixpkgs": "nixpkgs", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable", "srvos": "srvos" } }, diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix index c934242..32748fb 100644 --- a/nix/os/devices/router0-dmz0/flake.nix +++ b/nix/os/devices/router0-dmz0/flake.nix 
@@ -1,9 +1,7 @@ { inputs = { - # nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; - nixpkgs-master.url = "github:nixos/nixpkgs/master"; + # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:steveej-forks/nixpkgs/hostapd-fix"; get-flake.url = "github:ursi/get-flake"; diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index afba434..35a196e 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -3,8 +3,11 @@ lib, config, repoFlake, + nodeName, ... -}: { +}: let + wireguardPort = 51820; +in { networking.firewall.enable = true; networking.nftables.enable = true; @@ -12,6 +15,10 @@ # iperf3 5201 ]; + networking.firewall.allowedUDPPorts = [ + wireguardPort + ]; + networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; @@ -54,7 +61,7 @@ networking.nat = { enable = true; - internalInterfaces = ["ve-*"]; + internalInterfaces = ["ve-*" "wg*"]; externalInterface = "eth0"; }; @@ -64,6 +71,28 @@ meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340; ''; + sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + + networking.wireguard.enable = true; + networking.wireguard.interfaces.wg0 = { + # eth0 MTU (1400) - 80 + mtu = 1320; + ips = [ + "192.168.99.1/31" + ]; + listenPort = + wireguardPort; + privateKeyFile = config.sops.secrets.wg0-private.path; + peers = [ + { + allowedIPs = ["192.168.99.2/32"]; + publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0="; + presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path; + } + ]; + }; + # virtualization virtualisation = {docker.enable = false;}; 
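Review bot: `nixpkgs.url = "github:steveej-forks/nixpkgs/hostapd-fix"` follows a branch on a personal fork, so every future `nix flake update` pulls whatever that branch holds and this host silently stops receiving upstream nixos-unstable security fixes until someone remembers to switch back. The lock file pins rev `f358ddb…` plus a narHash, so today's build is reproducible, but the intent should be visible in the input itself: either pin the commit (`nixpkgs.url = "github:steveej-forks/nixpkgs/f358ddb768fad528772ae3faf786337fe89a7568";`) or keep upstream nixpkgs and carry the hostapd change as an overlay or patch. Either way, add `# TODO: drop the fork once the hostapd fix lands in nixos-unstable` next to the line.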
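Review bot: The new `wg0` peer becomes a NAT client of `eth0` through the `internalInterfaces = ["ve-*" "wg*"]` change earlier in this file, but nothing in the hunk restricts what it may forward to, so the peer can presumably also reach the `ve-*` container network on this host; if that is intended for this single trusted peer, say so in a comment, otherwise add a forward rule. The `listenPort =` / `wireguardPort;` split across two lines looks like a formatter accident — write `listenPort = wireguardPort;`. The `# eth0 MTU (1400) - 80` note is consistent with the IPv6 MSS clamp of 1340 visible in the context, but spelling out that 80 is the IPv6 WireGuard encapsulation overhead would make the constant self-explanatory. The surrounding attribute set continues past the hunk.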
diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 13ad7d2..078e0fe 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -36,6 +36,9 @@ in { } ]; + # needed to make wireguard managed by networkmanager route all traffic through it + networking.firewall.checkReversePath = false; + networking.firewall.enable = true; services.openssh.openFirewall = false; @@ -93,6 +96,12 @@ in { services.samba.extraConfig = '' # client min protocol = NT1 ''; + services.gvfs = { + enable = true; + package = lib.mkForce pkgs.gnome3.gvfs; + }; + environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml index 6f888b6..5eba76e 100644 --- a/secrets/sj-vps-htz0/secrets.yaml +++ b/secrets/sj-vps-htz0/secrets.yaml 
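Review bot: `networking.firewall.checkReversePath = false` switches off reverse-path filtering entirely, whereas the option also accepts `"loose"`, which as far as I recall the NixOS option docs single out for exactly this WireGuard full-tunnel case and which still drops packets whose source address has no route at all. Prefer `networking.firewall.checkReversePath = "loose";` and keep the existing explanatory comment.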
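Review bot: `package = lib.mkForce pkgs.gnome3.gvfs;` goes through the `gnome3` attribute, which in recent nixpkgs is only an alias for `pkgs.gnome` and evaluates to an error when aliases are disabled; `package = lib.mkForce pkgs.gnome.gvfs;` avoids that. The `lib.mkForce` has no visible justification — a one-line comment naming which module sets `services.gvfs.package` and why the GNOME build is required would help the next reader.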
@@ -1,5 +1,9 @@ #ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] +wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str] +wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str] +wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] +wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -15,8 +19,8 @@ sops: czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-11T16:32:20Z" - mac: ENC[AES256_GCM,data:dgiAU9oMoHi1KvmkSbmNYRA6s2dIrsn8JC5UVpmfUUV5X+u+xwzt+QA/9IRHQoBWL3UZNz4E5qIvitEDx0xP8BktfNd2cGmeaBWT5e7YiSYGWNek0r/2SgXf8aSKsay4g+qdkE4mnxhRcj1pOc6dP5cKE/qh7vjnjlpTOMdp1wE=,iv:M7HE/XQGwttkwY7uXf7SHffwcaSzLqATB5Vqes3+W9w=,tag:vBhNC8zgNPPIzeNjikLt9A==,type:str] + lastmodified: "2023-08-13T17:03:01Z" + mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] pgp: - created_at: "2023-08-11T16:31:41Z" enc: |-