From 93f07176317920ee881773519ee342f9c62ab9c9 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 6 Feb 2022 16:42:35 +0100
Subject: sif: wgrz
---
 hosts/sif/default.nix | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 98 insertions(+), 1 deletion(-)
(limited to 'hosts/sif/default.nix')
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 9418159c..07ba564d 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,5 +1,15 @@
 { flake, pkgs, customUtils, lib, config, path, ... }:
-{
+let
+ mwnSubnetsPublic =
+ [ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
+ "192.68.211.0/24" "192.68.212.0/24" "192.68.213.0/24" "192.68.214.0/24" "192.68.215.0/24"
+ "193.174.96.0/22"
+ "194.95.59.0/24"
+ ];
+ mwnSubnetsPrivate =
+ [ "10.153.0.0/16" "10.162.0.0/16" "10.156.0.0/16"
+ ];
+in {
 imports = with flake.nixosModules.systemProfiles; [
 ./hw.nix
 ./mail
@@ -104,6 +114,93 @@ server=/sif.libvirt/192.168.122.1
 '';
 };
+ environment.etc."NetworkManager/dnsmasq.d/wgrz.conf" = {
+ text = ''
+ server=/mathinst.loc/10.153.88.9
+ server=/cipmath.loc/10.153.88.9
+ '';
+ };
+
+ environment.etc."systemd/networkd.conf" = {
+ text = ''
+ [Network]
+ RouteTable=wgrz:1025
+ '';
+ };
+ systemd.network = {
+ netdevs = {
+ wgrz = {
+ netdevConfig = {
+ Name = "wgrz";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.wgrz.path;
+ ListenPort = 51822;
+ # FirewallMark = 1;
+ };
+ wireguardPeers = [
+ { wireguardPeerConfig = {
+ AllowedIPs = [ "10.200.116.1/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
+ PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
+ PersistentKeepalive = 25;
+ Endpoint = "wg.math.lmu.de:51820";
+ };
+ }
+ ];
+ };
+ };
+ networks = {
+ wgrz = {
+ name = "wgrz";
+ matchConfig = {
+ Name = "wgrz";
+ };
+ address = ["10.200.116.128/24"];
+ routes = map (Destination: { routeConfig = {
+ inherit Destination;
+ Gateway = "10.200.116.1";
+ GatewayOnLink = true;
+ Table = "wgrz";
+ };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+ routingPolicyRules = [
+ { routingPolicyRuleConfig = {
+ Table = "main";
+ # FirewallMark = 1;
+ To = "129.187.111.225";
+ Priority = 100;
+ };
+ }
+ { routingPolicyRuleConfig = {
+ Table = "wgrz";
+ From = "10.200.116.128";
+ Priority = 200;
+ };
+ }
+ ] ++ map (To: { routingPolicyRuleConfig = {
+ Table = "wgrz";
+ inherit To;
+ Priority = 200;
+ };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ LLMNR = false;
+ MulticastDNS = false;
+ DNS = ["10.153.88.9" "129.187.111.202" "10.156.33.53"];
+ };
+ };
+ };
+ };
+ sops.secrets.wgrz = {
+ format = "binary";
+ sopsFile = ./wgrz/privkey;
+ mode = "0640";
+ owner = "root";
+ group = "systemd-network";
+ };
+ networking.networkmanager.unmanaged = ["wgrz"];
 services.resolved.enable = false;
-- cgit v1.2.3
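Review bot: The routing-policy rule `To = "129.187.111.225"` / `Table = "main"` at priority 100 is an undocumented magic constant that has to stay equal to whatever `Endpoint = "wg.math.lmu.de:51820"` resolves to; that address appears to lie inside `129.187.0.0/16`, which every other rule and route in this hunk sends into `wgrz`, so if the hostname ever resolves elsewhere the handshake packets would be steered into the tunnel they are meant to establish and the link would never come up. I would put a comment on the rule, e.g. `# keep traffic to the WireGuard endpoint (wg.math.lmu.de) in the main table: its address sits inside 129.187.0.0/16, which is otherwise routed via wgrz`, and mention there that the commented-out `FirewallMark = 1` on the netdev and on this rule is the mark-based alternative that does not depend on a fixed address. Separately, the `DNS = [...]` under `networkConfig` is probably consumed by nothing, since the context line `services.resolved.enable = false;` shows resolved is off and networkd only hands `DNS=` to resolved; if those servers are meant for the NetworkManager dnsmasq, they belong in the `dnsmasq.d/wgrz.conf` snippet added at the top of the hunk. The enclosing attribute set starts and ends outside the hunk.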