diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 686d3b5..0c51354 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix @@ -211,7 +211,7 @@ in { vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; # lan.ipv4Addresses = ["192.168.0.0/16"]; wan.interfaces = ["wan" "lan0"]; - wg.interfaces = ["wg0"]; + wg.interfaces = ["wg0" "wg1"]; } // # generate a zone for each vlan @@ -363,7 +363,7 @@ in { systemd.network = { wait-online.anyInterface = true; netdevs = let - router0-nmfk_wgEndpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${ + router0-nmfk_wg0Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${ builtins.toString repoFlake .nixosConfigurations @@ -376,6 +376,20 @@ in { .wireguardConfig .ListenPort }"; + + router0-nmfk_wg1Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${ + builtins.toString + repoFlake + .nixosConfigurations + .router0-nfmnk + .config + .systemd + .network + .netdevs + .wg1 + .wireguardConfig + .ListenPort + }"; in { # Create the bridge interface 
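Review bot: The new `router0-nmfk_wg1Endpoint` repeats the thirteen-line attribute path of `router0-nmfk_wg0Endpoint` with only `.wg1` differing, so the two bindings will drift the next time either one is edited. A small function in the same `let` removes the duplication: `mkNfmnkWgEndpoint = dev: "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-nfmnk.config.systemd.network.netdevs.${dev}.wireguardConfig.ListenPort}";` followed by `router0-nmfk_wg0Endpoint = mkNfmnkWgEndpoint "wg0";` and `router0-nmfk_wg1Endpoint = mkNfmnkWgEndpoint "wg1";`. The `nmfk` in both binding names also disagrees with the `nfmnk` host they point at, and the rename in this commit is the natural moment to fix that spelling. The `let` ends at the hunk's last visible line `in {`, and the attribute set it opens continues outside the hunk.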
@@ -402,45 +416,47 @@ in { }; wireguardConfig = { PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; + FirewallMark = 100; }; wireguardPeers = [ { wireguardPeerConfig = { AllowedIPs = [ - "10.0.0.254/32" + "10.0.0.0/32" ]; PersistentKeepalive = 15; PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-nmfk_wgEndpoint; + Endpoint = router0-nmfk_wg0Endpoint; }; } ]; }; - # wg1 = { - # enable = true; - # netdevConfig = { - # Name = "wg1"; - # Kind = "wireguard"; - # }; - # wireguardConfig = { - # PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - # }; - # wireguardPeers = [ - # { - # wireguardPeerConfig = { - # AllowedIPs = [ - # "10.0.0.254/32" - # ]; - # PersistentKeepalive = 15; - # PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - # PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - # Endpoint = "${router0-nmfk_variables.ipv4}:51820"; - # }; - # } - # ]; - # }; + wg1 = { + enable = true; + netdevConfig = { + Name = "wg1"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; + FirewallMark = 101; + }; + wireguardPeers = [ + { + wireguardPeerConfig = { + AllowedIPs = [ + "10.0.0.2/32" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-nmfk_wg1Endpoint; + }; + } + ]; + }; } # generate the vlan devices. these will be tagged on the main bridge // builtins.foldl' 
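Review bot: The wg1 peer added in this hunk carries the same `PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="` as the wg0 peer above it, while the nfmnk side (hunk @@ -212 of router0-nfmnk/configuration.nix) keys wg1 from a separate `wg1-privatekey` secret and only asserts the matching public key in a comment. The sops ciphertext cannot show whether that secret is a copy of wg0's key or a fresh one: if it is a copy, both tunnels share one static identity, so a leak of either interface's key exposes both and the distinct secret name is misleading; if it is fresh, this peer's public key is stale and the wg1 handshake will never complete, with nothing in the configuration to flag it. The value should be verified against the `wg1-publickey` entry the nfmnk secrets file now carries, and a comment on the peer such as `# pairs with router0-nfmnk wg1-privatekey (see secrets/router0-nfmnk)` would record which key it is meant to match. Both `wireguardPeers` lists are complete within the hunk.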
@@ -471,6 +487,48 @@ in { ); networks = { + # places options here that should always exist + "lo" = { + matchConfig.Name = "lo"; + + # these are roughly equivalent to: + # ip rule add fwmark 100 priority 0 table 100 + # ip rule add fwmark 100 priority 1 prohibit + # ip rule add fwmark 101 priority 0 table 101 + # ip rule add fwmark 101 priority 1 prohibit + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + FirewallMark = 101; + Priority = 30000; + Table = 101; + }; + } + { + routingPolicyRuleConfig = { + FirewallMark = 101; + Priority = 30001; + Table = 101; + Type = "prohibit"; + }; + } + { + routingPolicyRuleConfig = { + FirewallMark = 100; + Priority = 30000; + Table = 100; + }; + } + { + routingPolicyRuleConfig = { + FirewallMark = 100; + Priority = 30001; + Table = 100; + Type = "prohibit"; + }; + } + ]; + }; # use lan0 as secondary WAN interface "10-lan0-wan" = { matchConfig.Name = "lan0"; @@ -484,8 +542,18 @@ in { IPv6PrivacyExtensions = false; IPForward = true; }; - # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min linkConfig.RequiredForOnline = "no"; + + # similar to + # ip route add default via 172.16.0.1 table 101 + routes = [ + { + routeConfig = { + Gateway = "_dhcp4"; + Table = 101; + }; + } + ]; }; "10-wan" = { matchConfig.Name = "wan"; @@ -500,7 +568,19 @@ in { IPForward = true; }; # make routing on this interface a dependency for network-online.target - linkConfig.RequiredForOnline = "routable"; + # linkConfig.RequiredForOnline = "routable"; + linkConfig.RequiredForOnline = "no"; + + # similar to + # ip route add default via 192.168.0.1 table 100 + routes = [ + { + routeConfig = { + Gateway = "_dhcp4"; + Table = 100; + }; + } + ]; }; # Connect the bridge ports to the bridge 
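Review bot: The comment block introduced above `routingPolicyRules` does not match the rules it describes: it spells `priority 0` / `priority 1`, but every rule is installed at `Priority = 30000` or `30001`, and the rules are listed 101 before 100 while the comment lists 100 first. The ip-rule lines should read `# ip rule add fwmark 100 priority 30000 table 100` / `# ip rule add fwmark 100 priority 30001 prohibit` (and likewise for 101), and `# places options here` should be `# place options here`. The `prohibit` rules presumably exist so that marked WireGuard packets never fall back to the main table when their own table has no default route; a one-line comment saying so, `# prohibit: marked tunnel traffic must not fall back to the main table`, would keep a later editor from deleting them as redundant.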
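Review bot: The lan0 network keeps `linkConfig.RequiredForOnline = "no"` but hunk @@ -484 deletes the only comment explaining why (waiting for wlan and DFS), and hunk @@ -500 does the reverse on wan: the comment `# make routing on this interface a dependency for network-online.target` now sits above a commented-out `"routable"` line and a live `"no"`, so it states the opposite of what the code does. Restore a reason on lan0 and replace the wan comment with one that matches, e.g. `# not required for network-online.target; tunnel traffic relies on the table-100 default route below`, and drop the commented-out line rather than keeping dead configuration. With `wait-online.anyInterface = true` (context in hunk @@ -363) and both uplinks now `"no"`, it is not visible from this diff which link still satisfies network-online.target, so that is worth confirming on the device. The `"10-wan"` attribute set begins outside hunk @@ -500.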
@@ -594,16 +674,16 @@ in { enable = true; matchConfig.Name = "wg0"; address = [ - "10.0.0.1/24" + "10.0.0.1/31" + ]; + }; + "50-wg1" = { + enable = true; + matchConfig.Name = "wg1"; + address = [ + "10.0.0.3/31" ]; }; - # "50-wg1" = { - # enable = true; - # matchConfig.Name = "wg1"; - # address = [ - # "10.0.0.2/24" - # ]; - # }; } # configuration for the hostapd dynamic interfaces # * netdev type vlan @@ -1138,6 +1218,10 @@ in { pkgs.ethtool pkgs.neovim + pkgs.wireguard-tools + pkgs.tshark + pkgs.tmux + (pkgs.writeShellScriptBin "dbg-ip" '' echo links: ip -br -c l diff --git a/nix/os/devices/router0-nfmnk/configuration.nix b/nix/os/devices/router0-nfmnk/configuration.nix index eb0fe49..2864383 100644 --- a/nix/os/devices/router0-nfmnk/configuration.nix +++ b/nix/os/devices/router0-nfmnk/configuration.nix @@ -147,8 +147,12 @@ # these will be configured via nftables firewall.enable = lib.mkForce true; + firewall.allowedTCPPorts = [ + 5201 + ]; firewall.allowedUDPPorts = [ config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort + config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort ]; nat = { @@ -170,7 +174,7 @@ interfaces = ["eth0"]; }; zones.vpns = { - interfaces = ["wg0"]; + interfaces = ["wg0" "wg1"]; }; }; }; @@ -184,7 +188,11 @@ mode = "440"; group = "systemd-network"; }; - sops.secrets.wg0-peer1-psk = { + sops.secrets.wg1-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-peer0-psk = { mode = "440"; group = "systemd-network"; }; 
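Review bot: Hunk @@ -1138 bakes `pkgs.tshark` into the router's system closure, and hunk @@ -229 of router0-nfmnk/configuration.nix does the same; without `programs.wireshark` only root can capture, so the package mostly adds a permanently installed capture tool to an edge device. If it is only needed while the second tunnel is being brought up, an ad-hoc `nix shell` or a comment such as `# tshark: temporary, for tunnel debugging` stating when it can be removed would make the intent clear. `pkgs.wireguard-tools` is reasonable to keep for `wg show`.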
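Review bot: `firewall.allowedTCPPorts = [ 5201 ]` in hunk @@ -147 opens the port on every interface, including the zone holding `eth0` in the next hunk, whereas the comment directly above says ports are meant to be configured via nftables zones, and the global `allowedUDPPorts` for the WireGuard `ListenPort`s is justified only because they must be reachable from outside. 5201 is iperf3's default port; if it is there for throughput testing across the tunnels, scope it to them, `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 5201 ];` (and wg1), say so with a comment such as `# iperf3, for tunnel throughput tests`, or remove it once the test is done. The `networking` attribute set this hunk edits begins and ends outside the hunk.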
@@ -212,14 +220,27 @@ PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; }; } - + ]; + }; + systemd.network.netdevs.wg1 = { + enable = true; + netdevConfig = { + Name = "wg1"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51821; + # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= + PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; + }; + wireguardPeers = [ { wireguardPeerConfig = { AllowedIPs = [ - "10.0.0.2/32" + "10.0.0.3/31" ]; PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer1-psk.path; + PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; }; } @@ -229,13 +250,24 @@ enable = true; matchConfig.Name = "wg0"; address = [ - "10.0.0.254/24" + "10.0.0.0/31" + ]; + }; + systemd.network.networks.wg1 = { + enable = true; + matchConfig.Name = "wg1"; + address = [ + "10.0.0.2/31" ]; }; environment.systemPackages = [ pkgs.ethtool pkgs.neovim + pkgs.tmux + + pkgs.wireguard-tools + pkgs.tshark (pkgs.writeShellScriptBin "dbg-ip" '' echo links: diff --git a/secrets/router0-nfmnk/secrets.yaml b/secrets/router0-nfmnk/secrets.yaml index df7d851..20fc3f6 100644 --- a/secrets/router0-nfmnk/secrets.yaml +++ b/secrets/router0-nfmnk/secrets.yaml 
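Review bot: The wg1 peer's `AllowedIPs = [ "10.0.0.3/31" ]` is a two-address block that also contains this host's own wg1 address `10.0.0.2` (hunk @@ -229), while the dmz0 side (router0-dmz0 @@ -402) lists its peers as single `/32` entries. AllowedIPs is both the inbound source filter and the cryptokey route for outbound traffic, so the tighter `"10.0.0.3/32"` expresses exactly one host behind the tunnel and keeps the two routers' configurations symmetric. The wg0 peer's AllowedIPs for comparison lies before this hunk, and the `systemd.network.netdevs.wg0` set it belongs to is closed inside it.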
@@ -5,7 +5,9 @@ passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/Udyb
 wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str]
 wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str]
 wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str]
-wg0-peer1-psk: ENC[AES256_GCM,data:l8H0bDF2XXq6W5sJCXHUEWqIJu7YvAyqhPaCEK/Dcviv7lnwvKNLxO55i10=,iv:ADAFkWG+cbqvqfwNdaHv7ONqFtWjmAhIf0hRFBW6X6c=,tag:hwsljm8GlcF9NeHHE5WTXg==,type:str]
+wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str]
+wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str]
+wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -21,8 +23,8 @@ sops:
 cVlibElsOVR4RG15RTR3bnh0MVgvK3MKhaZLzdlPmFW04Qjk8V7Lkr2EZW8nZT4Z
 X3yM7cyoinI9N0zwfArXMnThp2u8w86romQ52e6oy7LCKeKqrLpQ+A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-25T19:21:33Z"
- mac: ENC[AES256_GCM,data:zw79GU+OINSJWy0hHeV33ZOPkrxrRCyd31XpcbWAIkactRL4rumXhHWxcd5QAvmloFa8Rb7q6drRIu9kt7nXrr8+HK/xWoj+AxmXHFMEi6aC0xdhsyBfl7+Jq3SRTUf6tHFxyHVRVWyZXnhV59xf2Vwmy3R5/0vq50c8UQ8vJww=,iv:czqwgGcLXR+FyXpTuuXIH8pF/P1s1FrZxtqI3joLZCg=,tag:DUq+cACVStNX6u8LfYIQTw==,type:str]
+ lastmodified: "2024-05-26T17:23:41Z"
+ mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str]
 pgp:
 - created_at: "2024-05-25T18:38:40Z"
 enc: |-