From 93f07176317920ee881773519ee342f9c62ab9c9 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 6 Feb 2022 16:42:35 +0100
Subject: sif: wgrz
---
 accounts/gkleen@sif/default.nix | 8 +++-
 accounts/gkleen@sif/ssh-hosts.nix | 9 +++-
 hosts/sif/default.nix | 99 ++++++++++++++++++++++++++++++++++++++-
 hosts/sif/wgrz/privkey | 26 ++++++++++
 hosts/sif/wgrz/pubkey | 1 +
 modules/yggdrasil-wg/default.nix | 2 +-
 6 files changed, 139 insertions(+), 6 deletions(-)
 create mode 100644 hosts/sif/wgrz/privkey
 create mode 100644 hosts/sif/wgrz/pubkey
diff --git a/accounts/gkleen@sif/default.nix b/accounts/gkleen@sif/default.nix
index b2e9d947..15351b0d 100644
--- a/accounts/gkleen@sif/default.nix
+++ b/accounts/gkleen@sif/default.nix
@@ -78,8 +78,12 @@ in {
 PubkeyAcceptedAlgorithms +ssh-rsa
 ConnectTimeout 30
- Match host *.mathinst.loc !exec "nc -z -w 1 %h %p &>/dev/null"
- ProxyCommand ${pkgs.socat}/bin/socat - SOCKS4A:127.0.0.1:%h:%p,socksport=8118
+ Match host *.mathinst.loc !host mathw0g.mathinst.loc !exec "nc -z -w 1 %h %p &>/dev/null"
+ # ProxyCommand ${pkgs.socat}/bin/socat - SOCKS4A:127.0.0.1:%h:%p,socksport=8118
+ ProxyJump mathw0g
+
+ Match host mathw0g.mathinst.loc !exec "nc -z -w 1 %h %p &>/dev/null"
+ HostName mathw0g.math.lmu.de
 Match host *.cipmath.loc !exec "nc -z -w 1 %h %p &>/dev/null"
 ProxyJump mathw0h
diff --git a/accounts/gkleen@sif/ssh-hosts.nix b/accounts/gkleen@sif/ssh-hosts.nix
index e7087c26..94ba4e9b 100644
--- a/accounts/gkleen@sif/ssh-hosts.nix
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -314,13 +314,13 @@
 proxyJump = "mathw0h";
 };
 "mathw0g" =
- { hostname = "mathw0g.math.lmu.de";
+ { hostname = "mathw0g.mathinst.loc";
 };
 "mathw0h" =
 { hostname = "mathw0h.mathinst.loc";
 };
 "proxy.mathw0g" =
- { hostname = "mathw0g.math.lmu.de";
+ { hostname = "mathw0g.mathinst.loc";
 extraOptions = {
 ControlPath = "none";
 ServerAliveCountMax = "15";
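Review bot: The new `Match host mathw0g.mathinst.loc` block rewrites HostName to `mathw0g.math.lmu.de`, so the same machine is checked against known_hosts under two different names depending on which path is taken, and the first connection over the fallback path is treated as an unknown host instead of reusing the key already trusted for `mathw0g.mathinst.loc`. If both names are the same host, adding `HostKeyAlias mathw0g.mathinst.loc` to that block keeps a single pinned host key for both paths. The `!host mathw0g.mathinst.loc` exclusion on the preceding Match is what stops the jump host from proxying through itself; a one-line comment saying so would help, and the commented-out ProxyCommand line can go now that ProxyJump replaces it. The enclosing extraConfig string starts and ends outside the hunk.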
@@ -352,6 +352,11 @@
 proxyJump = "mathw0h";
 user = "root";
 };
+ "vpn-wg01" =
+ { hostname = "vpn-wg01.mathinst.loc";
+ proxyJump = "mathw0h";
+ user = "root";
+ };
 "repo-apt01" =
 { hostname = "repo-apt01.mathinst.loc";
 proxyJump = "mathw0h";
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 9418159c..07ba564d 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,5 +1,15 @@
 { flake, pkgs, customUtils, lib, config, path, ... }:
-{
+let
+ mwnSubnetsPublic =
+ [ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
+ "192.68.211.0/24" "192.68.212.0/24" "192.68.213.0/24" "192.68.214.0/24" "192.68.215.0/24"
+ "193.174.96.0/22"
+ "194.95.59.0/24"
+ ];
+ mwnSubnetsPrivate =
+ [ "10.153.0.0/16" "10.162.0.0/16" "10.156.0.0/16"
+ ];
+in {
 imports = with flake.nixosModules.systemProfiles; [
 ./hw.nix
 ./mail
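Review bot: `mwnSubnetsPublic` and `mwnSubnetsPrivate` carry no comment on where the prefixes come from or when they were last checked, yet later in the same file they are fed into the WireGuard peer's AllowedIPs and into the policy routes, so a stale or over-broad entry silently widens what is steered into the tunnel. A header comment above `mwnSubnetsPublic` such as `# Prefixes steered into the wgrz tunnel; source and last-verified date: <fill in>` would make drift reviewable. The `let` block ends in this hunk, but the attrset it opens with `in {` continues past it.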
@@ -104,6 +114,93 @@
 server=/sif.libvirt/192.168.122.1
 '';
 };
+ environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
+ text = ''
+ server=/mathinst.loc/10.153.88.9
+ server=/cipmath.loc/10.153.88.9
+ '';
+ };
+
+ environment.etc."systemd/networkd.conf" = {
+ text = ''
+ [Network]
+ RouteTable=wgrz:1025
+ '';
+ };
+ systemd.network = {
+ netdevs = {
+ wgrz = {
+ netdevConfig = {
+ Name = "wgrz";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.wgrz.path;
+ ListenPort = 51822;
+ # FirewallMark = 1;
+ };
+ wireguardPeers = [
+ { wireguardPeerConfig = {
+ AllowedIPs = [ "10.200.116.1/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
+ PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
+ PersistentKeepalive = 25;
+ Endpoint = "wg.math.lmu.de:51820";
+ };
+ }
+ ];
+ };
+ };
+ networks = {
+ wgrz = {
+ name = "wgrz";
+ matchConfig = {
+ Name = "wgrz";
+ };
+ address = ["10.200.116.128/24"];
+ routes = map (Destination: { routeConfig = {
+ inherit Destination;
+ Gateway = "10.200.116.1";
+ GatewayOnLink = true;
+ Table = "wgrz";
+ };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+ routingPolicyRules = [
+ { routingPolicyRuleConfig = {
+ Table = "main";
+ # FirewallMark = 1;
+ To = "129.187.111.225";
+ Priority = 100;
+ };
+ }
+ { routingPolicyRuleConfig = {
+ Table = "wgrz";
+ From = "10.200.116.128";
+ Priority = 200;
+ };
+ }
+ ] ++ map (To: { routingPolicyRuleConfig = {
+ Table = "wgrz";
+ inherit To;
+ Priority = 200;
+ };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ LLMNR = false;
+ MulticastDNS = false;
+ DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+ };
+ };
+ };
+ };
+ sops.secrets.wgrz = {
+ format = "binary";
+ sopsFile = ./wgrz/privkey;
+ mode = "0640";
+ owner = "root";
+ group = "systemd-network";
+ };
+ networking.networkmanager.unmanaged = ["wgrz"];
 services.resolved.enable = false;
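Review bot: The `Table = "main"` policy rule with `To = "129.187.111.225"` is a bare literal with no comment, while the peer is addressed by name as `Endpoint = "wg.math.lmu.de:51820"`; presumably the literal is that endpoint's current address, pinned to the main table because 129.187.0.0/16 is in `mwnSubnetsPublic` and would otherwise be routed back into the tunnel. If so, say it next to the rule, e.g. `# wg.math.lmu.de itself must stay off the tunnel, or the endpoint route loops`, because if the name ever resolves elsewhere the tunnel breaks with no hint in this file. The two commented-out `# FirewallMark = 1;` lines read as leftovers of an abandoned mark-based design and should be removed or given a reason. The `DNS` list adds `129.187.111.202` and `10.156.33.53` beside the resolver the dnsmasq snippet uses, with no word on what each serves. The enclosing attrset opens with `in {` in the first hunk and closes outside this one.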
diff --git a/hosts/sif/wgrz/privkey b/hosts/sif/wgrz/privkey
new file mode 100644
index 00000000..c17f3415
--- /dev/null
+++ b/hosts/sif/wgrz/privkey
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:NI7dmXZQbemNWeF2q+7uFKXzuwdIJTMP6TN8eQD/cdxbLmDTp8zFz0E05zB0,iv:5l9XH2EZc3amlz/tjPc/T4z6ojLStHJQX0xXdqG2goE=,tag:zM6/ykgBtmZEVpniVNKM0Q==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-03T14:44:50Z",
+ "mac": "ENC[AES256_GCM,data:LzYx8LqNy2NPr9+5v/f9ExE2PR1xHm1O1ldK2xPZFc3yMrgOpJpIF+sEHqf3Pv9prLbVC/2pSuAdtKrPqQdTWV8cCtaj8h4aBrnU9WHRESMe/ZkrpipeCEMuzBrhAjf94FQqI0gEkfUAq27nxyXJfaYw7eIfEKBqO6gZPGOiLpM=,iv:I1BGnMxm+R9ci0zBsJU0LbTkuxhZFfvgZ+01QcZCCTw=,tag:jeeeyW1rzt/BbSAbo4OSZw==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-03T14:44:49Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAM+OkIgQ+f3RN3I3Hmxg+KXwClm2G1vMDuPGRmA1X2zIw\nJKdwmkNX57Xa6KVOqOMwIt4GJxZe0ZOs5v9l3fcULpSZe9WZf3uQKHU27iU4SZDy\n0l4BT3EoOwoE4qKEQWlHBLCctHsIekfaelvztqKZBc/xulCbske5ccsqtpmBhSXc\niM7ZHvhf9/FgKmqAX/X8wpyVm5Ws/54sWeucXNx8r3s1BScUcyAopjlvvdKRcSgj\n=0sBo\n-----END PGP MESSAGE-----\n",
+ "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
+ },
+ {
+ "created_at": "2022-02-03T14:44:49Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAzkA7oGeASZcoz766pAaGRLJfbk2iS+mvPZLVFVMDdF4w\nMMrVGjowWKqWi7tq63g66caN7fPaBSVkQsEnIy7Ad5dopKXYl4Jab7nHVHo1wK2i\n0l4BqxfNxDENQ28qjnhUOR9qRm/tGkVhOmzsEm398fGOSUXoVc5fZDo8xddx+ohk\nPnSjOaQYlDjCepWeRilcsMGvhVJEj41TPyWeKG6boJ/x4dUTLpGc5oMydyHRxUeZ\n=0KFU\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/hosts/sif/wgrz/pubkey b/hosts/sif/wgrz/pubkey
new file mode 100644
index 00000000..4ba48f43
--- /dev/null
+++ b/hosts/sif/wgrz/pubkey
@@ -0,0 +1 @@
+Q7NpJD4Uakammo+Fp/uTsJtOULkDgtrD3DVbBeW3rm4=
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index cab1276a..2180711d 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -251,6 +251,6 @@ in {
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
 environment.systemPackages = with pkgs; [ wireguard-tools batctl ];
- services.udev.extraRules = mkIf config.networking.networkmanager.enable (lib.mkAfter (concatMapStringsSep "\n" (dev: "ACTION==\"add\", SUBSYSTEM==\"net\", KERNEL==\"${dev}\", ENV{NM_UNMANAGED}=\"1\"") (["yggdrasil"] ++ map (family: "yggdrasil-wg-${family}") hostFamilies ++ concatMap (family: map ({from, to, ...}: let other = if thisHost from then to else from; in "yggre-${other}-${family}") hostLinks.${family}) hostFamilies)));
+ networking.networkmanager.unmanaged = ["yggdrasil" "ip6gre0" "ip6tnl0"] ++ map (family: "yggdrasil-wg-${family}") hostFamilies ++ concatMap (family: map ({from, to, ...}: let other = if thisHost from then to else from; in "yggre-${other}-${family}") hostLinks.${family}) hostFamilies;
 };
 }
-- 
cgit v1.2.3
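Review bot: The new `networking.networkmanager.unmanaged` list adds `ip6gre0` and `ip6tnl0`, which the removed udev rule never covered, and neither the hunk nor the commit subject (`sif: wgrz`) explains why; a comment such as `# kernel fallback tunnel devices that appear when the ip6 tunnel modules load; keep NetworkManager off them` would record the intent (wording to be confirmed by the author). The old rule was also wrapped in `mkIf config.networking.networkmanager.enable` while the option is now set unconditionally; that is harmless for a list option, but it is a behaviour change worth one line in the commit message. The enclosing `in {` attrset starts before this hunk and closes at its end.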