wireguard: use a common config for wg-intra
authorJulien Moutinho <julm+julm-nix@sourcephile.fr>
Wed, 1 Sep 2021 17:25:31 +0000 (19:25 +0200)
committerJulien Moutinho <julm+julm-nix@sourcephile.fr>
Sun, 5 Sep 2021 16:11:19 +0000 (18:11 +0200)
hosts/oignon.nix
hosts/oignon/wireguard.nix
hosts/patate.nix
hosts/patate/wireguard.nix [deleted file]
networking/wireguard/wg-intra.nix [new file with mode: 0644]
networking/wireguard/wg-intra/hosts.nix [new file with mode: 0644]

index a99fa71445f0a8be8b7990dce085078232a7bf59..9443cea7b3abcce266f569a7ecfe78956600f1b7 100644 (file)
@@ -7,6 +7,7 @@ in
 imports = [
   ../profiles/dnscrypt-proxy2.nix
   ../profiles/security.nix
+  ../networking/wireguard/wg-intra.nix
   oignon/hardware.nix
   oignon/openvpn.nix
   oignon/wireguard.nix
index ee0e6292574d76c2935e02c9ef937c77b32a9e39..9d724c00031daf264226a7d12fc2755144bd679d 100644 (file)
@@ -1,47 +1,19 @@
 { pkgs, lib, config, hostName, private, ... }:
-let
-  domain = "sourcephile.fr";
-  iface = "wg-intra";
-  wg = config.networking.wireguard.interfaces.${iface};
-  peer = {
-    publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
-    allowedIPs = [ "192.168.42.3/32" ];
-  };
-  peers = {
-    mermet = {
-      publicKey = "XbTEP2X71LBTjmdmySdiOpQJ+uIomcXvg1aiQGUtWBI=";
-      endpoint = "mermet.${domain}:43642";
-      endpointsUpdater.enable = true;
-      allowedIPs = [ "192.168.42.1/32" ];
-      persistentKeepalive = 25;
-      dynamicEndpointRefreshSeconds = 30 * 60;
-    };
-    losurdo = {
-      publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
-      #endpoint = "losurdo.${domain}:43642";
-      allowedIPs = [ "192.168.42.2/32" ];
-      persistentKeepalive = 5;
-    };
-  };
-  keyToUnitName = lib.replaceChars
-    [ "/" "-" " " "+" "=" ]
-    [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ];
-in
 {
-networking.firewall.extraCommands = ''
-  ip46tables -A nixos-fw -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
-  ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
-'';
-networking.wireguard.interfaces.${iface} = {
-  ips = peer.allowedIPs;
-  # Different from losurdo's listenPort to have them work behind the same NAT.
-  listenPort = 43641;
-  privateKeyFile = "${private}/${hostName}/wireguard/${iface}/privateKey";
-  peers = lib.attrValues peers;
-};
-networking.hosts = builtins.listToAttrs (lib.concatLists (lib.attrValues (lib.mapAttrs (peerName: peer:
-  map (ip: lib.nameValuePair (lib.removeSuffix "/32" ip) ["${peerName}.wg"]) peer.allowedIPs
-  ) peers)));
+networking.hosts."192.168.42.2" = [
+  "sourcephile.wg"
+  "builds.sourcephile.wg"
+  "dispatch.sourcephile.wg"
+  "git.sourcephile.wg"
+  "hg.sourcephile.wg"
+  "hub.sourcephile.wg"
+  "lists.sourcephile.wg"
+  "man.sourcephile.wg"
+  "meta.sourcephile.wg"
+  "pages.sourcephile.wg"
+  "paste.sourcephile.wg"
+  "todo.sourcephile.wg"
+];
 /*
 systemd.services =
   {
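Review bot: The literal `"192.168.42.2"` on the new line `networking.hosts."192.168.42.2" = [` duplicates `losurdo.ipv4` from the shared `networking/wireguard/wg-intra/hosts.nix` this commit introduces, so a later renumbering of losurdo there would leave these aliases pointing at a stale address with no evaluation error. Since the new file is meant to be the single source of truth, key the entry on that value instead: `networking.hosts.${(import ../../networking/wireguard/wg-intra/hosts.nix).losurdo.ipv4} = [`. The commented-out `systemd.services` block that begins at the end of the hunk still refers to `iface` and `peer`, which this hunk removes from the `let`, and it continues past the hunk; either delete it or add `# NOTE: iface/peer now live in networking/wireguard/wg-intra.nix` so nobody uncomments it as-is.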
index 191934d6af31e7429108da9db30694597bbf3acb..f89d64b393a9da304728d982d98dfcd9924c6725 100644 (file)
@@ -4,9 +4,9 @@ let inherit (config.users) users; in
 imports = [
   ../profiles/dnscrypt-proxy2.nix
   ../profiles/security.nix
+  ../networking/wireguard/wg-intra.nix
   patate/backup.nix
   patate/hardware.nix
-  patate/wireguard.nix
 ];
 
 home-manager.users.sevy = {
diff --git a/hosts/patate/wireguard.nix b/hosts/patate/wireguard.nix
deleted file mode 100644 (file)
index 02bd681..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-{ pkgs, lib, config, hostName, private, ... }:
-let
-  domain = "sourcephile.fr";
-  iface = "wg-intra";
-  wg = config.networking.wireguard.interfaces.${iface};
-  peer = {
-    publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
-    allowedIPs = [ "192.168.42.4/32" ];
-  };
-  peers = {
-    mermet = {
-      publicKey = "XbTEP2X71LBTjmdmySdiOpQJ+uIomcXvg1aiQGUtWBI=";
-      endpoint = "mermet.${domain}:43642";
-      endpointsUpdater.enable = true;
-      allowedIPs = [ "192.168.42.1/32" ];
-      persistentKeepalive = 25;
-      dynamicEndpointRefreshSeconds = 30 * 60;
-    };
-    losurdo = {
-      publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
-      #endpoint = "losurdo.${domain}:43642";
-      allowedIPs = [ "192.168.42.2/32" ];
-      persistentKeepalive = 5;
-    };
-  };
-  keyToUnitName = lib.replaceChars
-    [ "/" "-" " " "+" "=" ]
-    [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ];
-in
-{
-networking.firewall.extraCommands = ''
-  ip46tables -A nixos-fw -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
-  ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
-'';
-networking.wireguard.interfaces.${iface} = {
-  ips = peer.allowedIPs;
-  # Different from losurdo's listenPort to have them work behind the same NAT.
-  listenPort = 43644;
-  privateKeyFile = "${private}/${hostName}/wireguard/${iface}/privateKey";
-  peers = lib.attrValues peers;
-};
-networking.hosts = builtins.listToAttrs (lib.concatLists (lib.attrValues (lib.mapAttrs (peerName: peer:
-  map (ip: lib.nameValuePair (lib.removeSuffix "/32" ip) ["${peerName}.wg"]) peer.allowedIPs
-  ) peers)));
-/*
-systemd.services =
-  {
-    openssh = {
-      after = ["wireguard-${iface}.service"];
-      serviceConfig.Restart = "on-failure";
-    };
-  };
-services.openssh.listenAddresses = map (ip: {addr=lib.removeSuffix "/32" ip;}) peer.allowedIPs;
-*/
-}
diff --git a/networking/wireguard/wg-intra.nix b/networking/wireguard/wg-intra.nix
new file mode 100644 (file)
index 0000000..14b306f
--- /dev/null
@@ -0,0 +1,33 @@
+{ pkgs, lib, config, hostName, private, ... }:
+let
+  iface = "wg-intra";
+  hosts = import wg-intra/hosts.nix;
+  wg = config.networking.wireguard.interfaces.${iface};
+in
+{
+networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
+  (removeAttrs hosts.${hostName} ["ipv4" "persistentKeepalive" "peer"])
+  {
+    peers =
+      lib.mapAttrsToList (peerName: peer: lib.recursiveUpdate
+        { persistentKeepalive = hosts.${hostName}.persistentKeepalive or null; }
+        peer.peer
+      ) (removeAttrs hosts [hostName]);
+    privateKeyFile = "${private}/${hostName}/wireguard/${iface}/privateKey";
+  };
+networking.hosts = lib.mkMerge [
+  (lib.mapAttrs' (hostName: host:
+    lib.nameValuePair host.ipv4 [ "${hostName}.wg" ]) hosts)
+  { "${hosts.losurdo.ipv4}" = [
+    "nix-extracache.losurdo.wg"
+    "nix-localcache.losurdo.wg"
+  ]; }
+];
+networking.firewall.extraCommands = ''
+  ip46tables -A nixos-fw -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
+  ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
+'';
+services.fail2ban.ignoreIP = lib.concatMap
+  (host: host.peer.allowedIPs)
+  (lib.attrValues hosts);
+}
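Review bot: `toString wg.listenPort` in the firewall rule `--dport ${toString wg.listenPort}` is interpolated unconditionally, but the new `wg-intra/hosts.nix` gives `oignon` and `patate` no `listenPort` (their deleted per-host files set 43641 and 43644), so on those hosts `wg.listenPort` is presumably null, `toString null` yields an empty string, and the generated `ip46tables` line has an empty `--dport`, which would make `extraCommands` fail to load. Emit the rule only when a port is set: `${lib.optionalString (wg.listenPort != null) "ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT"}`. Separately, `-i any` is not an iptables wildcard (omitting `-i`, or `-i +`, matches every interface), so this rule likely matches only an interface literally named `any`; worth verifying on mermet and losurdo, where inbound WireGuard is expected. In `networking.hosts`, the lambda parameter in `lib.mapAttrs' (hostName: host:` shadows the module argument `hostName`; renaming it, e.g. `(name: host:`, makes it obvious the module's value is not being used there.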
diff --git a/networking/wireguard/wg-intra/hosts.nix b/networking/wireguard/wg-intra/hosts.nix
new file mode 100644 (file)
index 0000000..d0cf3bf
--- /dev/null
@@ -0,0 +1,46 @@
+{
+  mermet = rec {
+    ipv4 = "192.168.42.1";
+    ips = ["${ipv4}/24"];
+    listenPort = 43642;
+    peersAnnouncing.enable = true;
+    peer = {
+      publicKey = "XbTEP2X71LBTjmdmySdiOpQJ+uIomcXvg1aiQGUtWBI=";
+      allowedIPs = [ "${ipv4}/32" ];
+      endpoint = "80.67.180.129:${toString listenPort}";
+      endpointsUpdater.enable = true;
+    };
+  };
+  losurdo = rec {
+    ipv4 = "192.168.42.2";
+    ips = ["${ipv4}/24"];
+    listenPort = 43643;
+    persistentKeepalive = 5;
+    peer = {
+      publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
+      allowedIPs = [ "${ipv4}/32" ];
+    };
+  };
+  oignon = rec {
+    ipv4 = "192.168.42.3";
+    ips = ["${ipv4}/24"];
+    #persistentKeepalive = 10;
+    peer = {
+      publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
+      allowedIPs = [ "${ipv4}/32" ];
+      #persistentKeepalive = 25;
+      #dynamicEndpointRefreshSeconds = 60;
+    };
+  };
+  patate = rec {
+    ipv4 = "192.168.42.4";
+    ips = ["${ipv4}/24"];
+    #persistentKeepalive = 10;
+    peer = {
+      publicKey = "gaEz7nvJTk4h3DGOpeZXSWmYDDrc5xQkuJ28sGrksx4=";
+      allowedIPs = [ "${ipv4}/32" ];
+      #persistentKeepalive = 25;
+      #dynamicEndpointRefreshSeconds = 60;
+    };
+  };
+}
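Review bot: The new file has no header describing its schema, yet wg-intra.nix depends on a precise split: every attribute except `ipv4`, `persistentKeepalive` and `peer` is merged into the local `networking.wireguard.interfaces.wg-intra`, `peer` is what every other host places in its `peers` list, and a host-level `persistentKeepalive` is the keepalive that host applies to all of its peers (overridden by a `persistentKeepalive` inside a remote `peer`, as the `recursiveUpdate` argument order in wg-intra.nix reads). A top-of-file comment spelling that out, and noting that `ipv4` also feeds `networking.hosts` (`<name>.wg`) and `services.fail2ban.ignoreIP`, would stop the next edit from putting an interface option under `peer` or vice versa. It would also help to state next to `oignon` and `patate` whether their missing `listenPort` is intentional, since the per-host files this commit deletes set 43641 and 43644 explicitly and wg-intra.nix interpolates `wg.listenPort` into a firewall rule.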