sif: wgrz

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 16:42:35 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 16:42:35 +0100
commit: 93f07176317920ee881773519ee342f9c62ab9c9 (patch)
tree: 8876150049c83ac8257ac13e191f46fcef10c242 /hosts
parent: 5c02818571f5dbc93b0f848514dd4b55530f73c2 (diff)
download: nixos-93f07176317920ee881773519ee342f9c62ab9c9.tar
nixos-93f07176317920ee881773519ee342f9c62ab9c9.tar.gz
nixos-93f07176317920ee881773519ee342f9c62ab9c9.tar.bz2
nixos-93f07176317920ee881773519ee342f9c62ab9c9.tar.xz
nixos-93f07176317920ee881773519ee342f9c62ab9c9.zip
3 files changed, 125 insertions, 1 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 9418159c..07ba564d 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,5 +1,15 @@
 { flake, pkgs, customUtils, lib, config, path, ... }:
-{
+let
+  mwnSubnetsPublic =
+    [ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
+      "192.68.211.0/24" "192.68.212.0/24" "192.68.213.0/24" "192.68.214.0/24" "192.68.215.0/24"
+      "193.174.96.0/22"
+      "194.95.59.0/24"
+    ];
+  mwnSubnetsPrivate =
+    [ "10.153.0.0/16" "10.162.0.0/16" "10.156.0.0/16"
+    ];
+in {
  imports = with flake.nixosModules.systemProfiles; [
    ./hw.nix
    ./mail
@@ -104,6 +114,93 @@
        server=/sif.libvirt/192.168.122.1
      '';
    };
+    environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
+      text = ''
+        server=/mathinst.loc/10.153.88.9
+        server=/cipmath.loc/10.153.88.9
+      '';
+    };
+    environment.etc."systemd/networkd.conf" = {
+      text = ''
+        [Network]
+        RouteTable=wgrz:1025
+      '';
+    };
+    systemd.network = {
+      netdevs = {
+        wgrz = {
+          netdevConfig = {
+            Name = "wgrz";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = config.sops.secrets.wgrz.path;
+            ListenPort = 51822;
+            # FirewallMark = 1;
+          };
+          wireguardPeers = [
+            { wireguardPeerConfig = {
+                AllowedIPs = [ "10.200.116.1/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
+                PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
+                PersistentKeepalive = 25;
+                Endpoint = "wg.math.lmu.de:51820";
+              };
+            }
+          ];
+        };
+      };
+      networks = {
+        wgrz = {
+          name = "wgrz";
+          matchConfig = {
+            Name = "wgrz";
+          };
+          address = ["10.200.116.128/24"];
+          routes = map (Destination: { routeConfig = {
+            inherit Destination;
+            Gateway = "10.200.116.1";
+            GatewayOnLink = true;
+            Table = "wgrz";
+          };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+          routingPolicyRules = [
+            { routingPolicyRuleConfig = {
+                Table = "main";
+                # FirewallMark = 1;
+                To = "129.187.111.225";
+                Priority = 100;
+              };
+            }
+            { routingPolicyRuleConfig = {
+                Table = "wgrz";
+                From = "10.200.116.128";
+                Priority = 200;
+              };
+            }
+          ] ++ map (To: { routingPolicyRuleConfig = {
+                            Table = "wgrz";
+                            inherit To;
+                            Priority = 200;
+                          };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+          linkConfig = {
+            RequiredForOnline = false;
+          };
+          networkConfig = {
+            LLMNR = false;
+            MulticastDNS = false;
+            DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+          };
+        };
+      };
+    };
+    sops.secrets.wgrz = {
+      format = "binary";
+      sopsFile = ./wgrz/privkey;
+      mode = "0640";
+      owner = "root";
+      group = "systemd-network";
+    };
+    networking.networkmanager.unmanaged = ["wgrz"];
    services.resolved.enable = false;
diff --git a/hosts/sif/wgrz/privkey b/hosts/sif/wgrz/privkey
new file mode 100644
index 00000000..c17f3415
--- /dev/null
+++ b/hosts/sif/wgrz/privkey
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:NI7dmXZQbemNWeF2q+7uFKXzuwdIJTMP6TN8eQD/cdxbLmDTp8zFz0E05zB0,iv:5l9XH2EZc3amlz/tjPc/T4z6ojLStHJQX0xXdqG2goE=,tag:zM6/ykgBtmZEVpniVNKM0Q==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-03T14:44:50Z",
+                "mac": "ENC[AES256_GCM,data:LzYx8LqNy2NPr9+5v/f9ExE2PR1xHm1O1ldK2xPZFc3yMrgOpJpIF+sEHqf3Pv9prLbVC/2pSuAdtKrPqQdTWV8cCtaj8h4aBrnU9WHRESMe/ZkrpipeCEMuzBrhAjf94FQqI0gEkfUAq27nxyXJfaYw7eIfEKBqO6gZPGOiLpM=,iv:I1BGnMxm+R9ci0zBsJU0LbTkuxhZFfvgZ+01QcZCCTw=,tag:jeeeyW1rzt/BbSAbo4OSZw==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-03T14:44:49Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAM+OkIgQ+f3RN3I3Hmxg+KXwClm2G1vMDuPGRmA1X2zIw\nJKdwmkNX57Xa6KVOqOMwIt4GJxZe0ZOs5v9l3fcULpSZe9WZf3uQKHU27iU4SZDy\n0l4BT3EoOwoE4qKEQWlHBLCctHsIekfaelvztqKZBc/xulCbske5ccsqtpmBhSXc\niM7ZHvhf9/FgKmqAX/X8wpyVm5Ws/54sWeucXNx8r3s1BScUcyAopjlvvdKRcSgj\n=0sBo\n-----END PGP MESSAGE-----\n",
+                                "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
+                        },
+                        {
+                                "created_at": "2022-02-03T14:44:49Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAzkA7oGeASZcoz766pAaGRLJfbk2iS+mvPZLVFVMDdF4w\nMMrVGjowWKqWi7tq63g66caN7fPaBSVkQsEnIy7Ad5dopKXYl4Jab7nHVHo1wK2i\n0l4BqxfNxDENQ28qjnhUOR9qRm/tGkVhOmzsEm398fGOSUXoVc5fZDo8xddx+ohk\nPnSjOaQYlDjCepWeRilcsMGvhVJEj41TPyWeKG6boJ/x4dUTLpGc5oMydyHRxUeZ\n=0KFU\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/sif/wgrz/pubkey b/hosts/sif/wgrz/pubkey
new file mode 100644
index 00000000..4ba48f43
--- /dev/null
+++ b/hosts/sif/wgrz/pubkey
@@ -0,0 +1 @@
+Q7NpJD4Uakammo+Fp/uTsJtOULkDgtrD3DVbBeW3rm4=
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 16:42:35 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 16:42:35 +0100
commit	93f07176317920ee881773519ee342f9c62ab9c9 (patch)
tree	8876150049c83ac8257ac13e191f46fcef10c242 /hosts
parent	5c02818571f5dbc93b0f848514dd4b55530f73c2 (diff)
download	nixos-93f07176317920ee881773519ee342f9c62ab9c9.tar nixos-93f07176317920ee881773519ee342f9c62ab9c9.tar.gz nixos-93f07176317920ee881773519ee342f9c62ab9c9.tar.bz2 nixos-93f07176317920ee881773519ee342f9c62ab9c9.tar.xz nixos-93f07176317920ee881773519ee342f9c62ab9c9.zip

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 9418159c..07ba564d 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix
@@ -1,5 +1,15 @@
1	{ flake, pkgs, customUtils, lib, config, path, ... }:	1	{ flake, pkgs, customUtils, lib, config, path, ... }:
2	{	2	let
		3	mwnSubnetsPublic =
		4	[ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
		5	"192.68.211.0/24" "192.68.212.0/24" "192.68.213.0/24" "192.68.214.0/24" "192.68.215.0/24"
		6	"193.174.96.0/22"
		7	"194.95.59.0/24"
		8	];
		9	mwnSubnetsPrivate =
		10	[ "10.153.0.0/16" "10.162.0.0/16" "10.156.0.0/16"
		11	];
		12	in {
3	imports = with flake.nixosModules.systemProfiles; [	13	imports = with flake.nixosModules.systemProfiles; [
4	./hw.nix	14	./hw.nix
5	./mail	15	./mail
@@ -104,6 +114,93 @@
104	server=/sif.libvirt/192.168.122.1	114	server=/sif.libvirt/192.168.122.1
105	'';	115	'';
106	};	116	};
		117	environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
		118	text = ''
		119	server=/mathinst.loc/10.153.88.9
		120	server=/cipmath.loc/10.153.88.9
		121	'';
		122	};
		123
		124	environment.etc."systemd/networkd.conf" = {
		125	text = ''
		126	[Network]
		127	RouteTable=wgrz:1025
		128	'';
		129	};
		130	systemd.network = {
		131	netdevs = {
		132	wgrz = {
		133	netdevConfig = {
		134	Name = "wgrz";
		135	Kind = "wireguard";
		136	};
		137	wireguardConfig = {
		138	PrivateKeyFile = config.sops.secrets.wgrz.path;
		139	ListenPort = 51822;
		140	# FirewallMark = 1;
		141	};
		142	wireguardPeers = [
		143	{ wireguardPeerConfig = {
		144	AllowedIPs = [ "10.200.116.1/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
		145	PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
		146	PersistentKeepalive = 25;
		147	Endpoint = "wg.math.lmu.de:51820";
		148	};
		149	}
		150	];
		151	};
		152	};
		153	networks = {
		154	wgrz = {
		155	name = "wgrz";
		156	matchConfig = {
		157	Name = "wgrz";
		158	};
		159	address = ["10.200.116.128/24"];
		160	routes = map (Destination: { routeConfig = {
		161	inherit Destination;
		162	Gateway = "10.200.116.1";
		163	GatewayOnLink = true;
		164	Table = "wgrz";
		165	};}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
		166	routingPolicyRules = [
		167	{ routingPolicyRuleConfig = {
		168	Table = "main";
		169	# FirewallMark = 1;
		170	To = "129.187.111.225";
		171	Priority = 100;
		172	};
		173	}
		174	{ routingPolicyRuleConfig = {
		175	Table = "wgrz";
		176	From = "10.200.116.128";
		177	Priority = 200;
		178	};
		179	}
		180	] ++ map (To: { routingPolicyRuleConfig = {
		181	Table = "wgrz";
		182	inherit To;
		183	Priority = 200;
		184	};}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
		185	linkConfig = {
		186	RequiredForOnline = false;
		187	};
		188	networkConfig = {
		189	LLMNR = false;
		190	MulticastDNS = false;
		191	DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
		192	};
		193	};
		194	};
		195	};
		196	sops.secrets.wgrz = {
		197	format = "binary";
		198	sopsFile = ./wgrz/privkey;
		199	mode = "0640";
		200	owner = "root";
		201	group = "systemd-network";
		202	};
		203	networking.networkmanager.unmanaged = ["wgrz"];
107		204
108	services.resolved.enable = false;	205	services.resolved.enable = false;
109		206


diff --git a/hosts/sif/wgrz/privkey b/hosts/sif/wgrz/privkey new file mode 100644 index 00000000..c17f3415 --- /dev/null +++ b/hosts/sif/wgrz/privkey
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:NI7dmXZQbemNWeF2q+7uFKXzuwdIJTMP6TN8eQD/cdxbLmDTp8zFz0E05zB0,iv:5l9XH2EZc3amlz/tjPc/T4z6ojLStHJQX0xXdqG2goE=,tag:zM6/ykgBtmZEVpniVNKM0Q==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-02-03T14:44:50Z",
		10	"mac": "ENC[AES256_GCM,data:LzYx8LqNy2NPr9+5v/f9ExE2PR1xHm1O1ldK2xPZFc3yMrgOpJpIF+sEHqf3Pv9prLbVC/2pSuAdtKrPqQdTWV8cCtaj8h4aBrnU9WHRESMe/ZkrpipeCEMuzBrhAjf94FQqI0gEkfUAq27nxyXJfaYw7eIfEKBqO6gZPGOiLpM=,iv:I1BGnMxm+R9ci0zBsJU0LbTkuxhZFfvgZ+01QcZCCTw=,tag:jeeeyW1rzt/BbSAbo4OSZw==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-02-03T14:44:49Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAM+OkIgQ+f3RN3I3Hmxg+KXwClm2G1vMDuPGRmA1X2zIw\nJKdwmkNX57Xa6KVOqOMwIt4GJxZe0ZOs5v9l3fcULpSZe9WZf3uQKHU27iU4SZDy\n0l4BT3EoOwoE4qKEQWlHBLCctHsIekfaelvztqKZBc/xulCbske5ccsqtpmBhSXc\niM7ZHvhf9/FgKmqAX/X8wpyVm5Ws/54sWeucXNx8r3s1BScUcyAopjlvvdKRcSgj\n=0sBo\n-----END PGP MESSAGE-----\n",
		15	"fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
		16	},
		17	{
		18	"created_at": "2022-02-03T14:44:49Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAzkA7oGeASZcoz766pAaGRLJfbk2iS+mvPZLVFVMDdF4w\nMMrVGjowWKqWi7tq63g66caN7fPaBSVkQsEnIy7Ad5dopKXYl4Jab7nHVHo1wK2i\n0l4BqxfNxDENQ28qjnhUOR9qRm/tGkVhOmzsEm398fGOSUXoVc5fZDo8xddx+ohk\nPnSjOaQYlDjCepWeRilcsMGvhVJEj41TPyWeKG6boJ/x4dUTLpGc5oMydyHRxUeZ\n=0KFU\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file


diff --git a/hosts/sif/wgrz/pubkey b/hosts/sif/wgrz/pubkey new file mode 100644 index 00000000..4ba48f43 --- /dev/null +++ b/hosts/sif/wgrz/pubkey
@@ -0,0 +1 @@
			Q7NpJD4Uakammo+Fp/uTsJtOULkDgtrD3DVbBeW3rm4=