-rw-r--r--accounts/gkleen@sif/default.nix8
-rw-r--r--accounts/gkleen@sif/ssh-hosts.nix9
-rw-r--r--hosts/sif/default.nix99
-rw-r--r--hosts/sif/wgrz/privkey26
-rw-r--r--hosts/sif/wgrz/pubkey1
-rw-r--r--modules/yggdrasil-wg/default.nix2
6 files changed, 139 insertions, 6 deletions
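--- a/accounts/gkleen@sif/default.nix
+++ b/accounts/gkleen@sif/default.nix
@@ -78,8 +78,12 @@ in {
 PubkeyAcceptedAlgorithms +ssh-rsa
 ConnectTimeout 30
 
-Match host *.mathinst.loc !exec "nc -z -w 1 %h %p &>/dev/null"
-ProxyCommand ${pkgs.socat}/bin/socat - SOCKS4A:127.0.0.1:%h:%p,socksport=8118
+Match host *.mathinst.loc !host mathw0g.mathinst.loc !exec "nc -z -w 1 %h %p &>/dev/null"
+# ProxyCommand ${pkgs.socat}/bin/socat - SOCKS4A:127.0.0.1:%h:%p,socksport=8118
+ProxyJump mathw0g
+
+Match host mathw0g.mathinst.loc !exec "nc -z -w 1 %h %p &>/dev/null"
+HostName mathw0g.math.lmu.de
 
 Match host *.cipmath.loc !exec "nc -z -w 1 %h %p &>/dev/null"
 ProxyJump mathw0h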
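Review bot: The new `Match host mathw0g.mathinst.loc` block reaches the same machine under two names (mathw0g.mathinst.loc on-net, mathw0g.math.lmu.de as the fallback), so host-key verification for the jump host is keyed on whichever name is in use unless known_hosts already carries the key under both; pinning it with `HostKeyAlias mathw0g.mathinst.loc` next to `HostName mathw0g.math.lmu.de` keeps a single trusted entry regardless of which path is taken. The commented-out `# ProxyCommand ${pkgs.socat}…` line is now dead text inside the generated ssh_config; either drop it or add a short comment stating it is kept as the SOCKS fallback. The enclosing Nix string and the `in {` attribute set start and end outside the hunk.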
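--- a/accounts/gkleen@sif/ssh-hosts.nix
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -314,13 +314,13 @@
 proxyJump = "mathw0h";
 };
 "mathw0g" =
-{ hostname = "mathw0g.math.lmu.de";
+{ hostname = "mathw0g.mathinst.loc";
 };
 "mathw0h" =
 { hostname = "mathw0h.mathinst.loc";
 };
 "proxy.mathw0g" =
-{ hostname = "mathw0g.math.lmu.de";
+{ hostname = "mathw0g.mathinst.loc";
 extraOptions = {
 ControlPath = "none";
 ServerAliveCountMax = "15";
@@ -352,6 +352,11 @@
 proxyJump = "mathw0h";
 user = "root";
 };
+"vpn-wg01" =
+{ hostname = "vpn-wg01.mathinst.loc";
+proxyJump = "mathw0h";
+user = "root";
+};
 "repo-apt01" =
 { hostname = "repo-apt01.mathinst.loc";
 proxyJump = "mathw0h";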
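Review bot: The `"mathw0g"` and `"proxy.mathw0g"` entries now point at mathw0g.mathinst.loc, a name that only resolves on the internal network, and nothing in this file says how the host is reached otherwise; a comment such as `# on-net name; the off-net fallback to mathw0g.math.lmu.de lives in the Match block in default.nix` would keep the two files from drifting apart. The second hunk's `vpn-wg01` entry follows the existing `proxyJump = "mathw0h"; user = "root";` pattern of its neighbours, so nothing new to raise there. The enclosing attribute set begins and ends outside both hunks.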
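--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,5 +1,15 @@
 { flake, pkgs, customUtils, lib, config, path, ... }:
-{
+let
+mwnSubnetsPublic =
+[ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
+"192.68.211.0/24" "192.68.212.0/24" "192.68.213.0/24" "192.68.214.0/24" "192.68.215.0/24"
+"193.174.96.0/22"
+"194.95.59.0/24"
+];
+mwnSubnetsPrivate =
+[ "10.153.0.0/16" "10.162.0.0/16" "10.156.0.0/16"
+];
+in {
 imports = with flake.nixosModules.systemProfiles; [
 ./hw.nix
 ./mail
@@ -104,6 +114,93 @@
 server=/sif.libvirt/192.168.122.1
 '';
 };
+environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
+text = ''
+server=/mathinst.loc/10.153.88.9
+server=/cipmath.loc/10.153.88.9
+'';
+};
+
+environment.etc."systemd/networkd.conf" = {
+text = ''
+[Network]
+RouteTable=wgrz:1025
+'';
+};
+systemd.network = {
+netdevs = {
+wgrz = {
+netdevConfig = {
+Name = "wgrz";
+Kind = "wireguard";
+};
+wireguardConfig = {
+PrivateKeyFile = config.sops.secrets.wgrz.path;
+ListenPort = 51822;
+# FirewallMark = 1;
+};
+wireguardPeers = [
+{ wireguardPeerConfig = {
+AllowedIPs = [ "10.200.116.1/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
+PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
+PersistentKeepalive = 25;
+Endpoint = "wg.math.lmu.de:51820";
+};
+}
+];
+};
+};
+networks = {
+wgrz = {
+name = "wgrz";
+matchConfig = {
+Name = "wgrz";
+};
+address = ["10.200.116.128/24"];
+routes = map (Destination: { routeConfig = {
+inherit Destination;
+Gateway = "10.200.116.1";
+GatewayOnLink = true;
+Table = "wgrz";
+};}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+routingPolicyRules = [
+{ routingPolicyRuleConfig = {
+Table = "main";
+# FirewallMark = 1;
+To = "129.187.111.225";
+Priority = 100;
+};
+}
+{ routingPolicyRuleConfig = {
+Table = "wgrz";
+From = "10.200.116.128";
+Priority = 200;
+};
+}
+] ++ map (To: { routingPolicyRuleConfig = {
+Table = "wgrz";
+inherit To;
+Priority = 200;
+};}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+linkConfig = {
+RequiredForOnline = false;
+};
+networkConfig = {
+LLMNR = false;
+MulticastDNS = false;
+DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+};
+};
+};
+};
+sops.secrets.wgrz = {
+format = "binary";
+sopsFile = ./wgrz/privkey;
+mode = "0640";
+owner = "root";
+group = "systemd-network";
+};
+networking.networkmanager.unmanaged = ["wgrz"];
 
 services.resolved.enable = false;
 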
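Review bot: The policy rule `To = "129.187.111.225"; Table = "main"; Priority = 100;` in the second hunk is an undocumented literal address; since 129.187.0.0/16 is one of the ranges routed into the tunnel, it is presumably the resolved address of the `Endpoint` wg.math.lmu.de, excluded so the tunnel's own UDP traffic is not routed through itself. That dependency deserves a comment, e.g. `# wg.math.lmu.de — keep the tunnel endpoint in the main table so the tunnel is not routed through itself; update if the endpoint's address changes`, because if the address moves the exclusion silently stops matching and the link stops passing traffic. The two `# FirewallMark = 1;` leftovers are dead configuration and should either be removed or carry a one-line reason for staying. The `in {` attribute set opened in the first hunk closes outside the second.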
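--- /dev/null
+++ b/hosts/sif/wgrz/privkey
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data:NI7dmXZQbemNWeF2q+7uFKXzuwdIJTMP6TN8eQD/cdxbLmDTp8zFz0E05zB0,iv:5l9XH2EZc3amlz/tjPc/T4z6ojLStHJQX0xXdqG2goE=,tag:zM6/ykgBtmZEVpniVNKM0Q==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-02-03T14:44:50Z",
+"mac": "ENC[AES256_GCM,data:LzYx8LqNy2NPr9+5v/f9ExE2PR1xHm1O1ldK2xPZFc3yMrgOpJpIF+sEHqf3Pv9prLbVC/2pSuAdtKrPqQdTWV8cCtaj8h4aBrnU9WHRESMe/ZkrpipeCEMuzBrhAjf94FQqI0gEkfUAq27nxyXJfaYw7eIfEKBqO6gZPGOiLpM=,iv:I1BGnMxm+R9ci0zBsJU0LbTkuxhZFfvgZ+01QcZCCTw=,tag:jeeeyW1rzt/BbSAbo4OSZw==,type:str]",
+"pgp": [
+{
+"created_at": "2022-02-03T14:44:49Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAM+OkIgQ+f3RN3I3Hmxg+KXwClm2G1vMDuPGRmA1X2zIw\nJKdwmkNX57Xa6KVOqOMwIt4GJxZe0ZOs5v9l3fcULpSZe9WZf3uQKHU27iU4SZDy\n0l4BT3EoOwoE4qKEQWlHBLCctHsIekfaelvztqKZBc/xulCbske5ccsqtpmBhSXc\niM7ZHvhf9/FgKmqAX/X8wpyVm5Ws/54sWeucXNx8r3s1BScUcyAopjlvvdKRcSgj\n=0sBo\n-----END PGP MESSAGE-----\n",
+"fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
+},
+{
+"created_at": "2022-02-03T14:44:49Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAzkA7oGeASZcoz766pAaGRLJfbk2iS+mvPZLVFVMDdF4w\nMMrVGjowWKqWi7tq63g66caN7fPaBSVkQsEnIy7Ad5dopKXYl4Jab7nHVHo1wK2i\n0l4BqxfNxDENQ28qjnhUOR9qRm/tGkVhOmzsEm398fGOSUXoVc5fZDo8xddx+ohk\nPnSjOaQYlDjCepWeRilcsMGvhVJEj41TPyWeKG6boJ/x4dUTLpGc5oMydyHRxUeZ\n=0KFU\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.1"
+}
+}
\ No newline at end of file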
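--- /dev/null
+++ b/hosts/sif/wgrz/pubkey
@@ -0,0 +1 @@
+Q7NpJD4Uakammo+Fp/uTsJtOULkDgtrD3DVbBeW3rm4=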
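--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -251,6 +251,6 @@ in {
 
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
 environment.systemPackages = with pkgs; [ wireguard-tools batctl ];
-services.udev.extraRules = mkIf config.networking.networkmanager.enable (lib.mkAfter (concatMapStringsSep "\n" (dev: "ACTION==\"add\", SUBSYSTEM==\"net\", KERNEL==\"${dev}\", ENV{NM_UNMANAGED}=\"1\"") (["yggdrasil"] ++ map (family: "yggdrasil-wg-${family}") hostFamilies ++ concatMap (family: map ({from, to, ...}: let other = if thisHost from then to else from; in "yggre-${other}-${family}") hostLinks.${family}) hostFamilies)));
+networking.networkmanager.unmanaged = ["yggdrasil" "ip6gre0" "ip6tnl0"] ++ map (family: "yggdrasil-wg-${family}") hostFamilies ++ concatMap (family: map ({from, to, ...}: let other = if thisHost from then to else from; in "yggre-${other}-${family}") hostLinks.${family}) hostFamilies;
 };
 }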
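Review bot: The replacement list adds `"ip6gre0"` and `"ip6tnl0"`, which the old udev rule never covered, and the old `mkIf config.networking.networkmanager.enable` guard is gone; neither change is explained on the line. A comment such as `# ip6gre0/ip6tnl0: kernel fallback tunnel devices that appear when the ip6_gre/ip6_tunnel modules load` would say why they belong in this module's list, and if the intent is still to only touch NetworkManager settings when it is enabled, the `mkIf` can be kept around the new value. The fallback-device explanation is inferred from the interface names, so confirm it before committing the comment. This value merges with the `networking.networkmanager.unmanaged = ["wgrz"];` set in hosts/sif/default.nix in the same commit, which is presumably the point of moving to the option.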