hd/cfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wireguard & other stuff

Browse source
This commit is contained in:
Henri Dohmen 2025-05-26 22:13:03 +02:00
parent c45f9f7f46
commit 16f491a6ca
12 changed files with 174 additions and 103 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Makefile
View file

@ -13,6 +13,9 @@ switch: _switch_${HOST}
apply: apply:
colmena apply colmena apply
update-hidden:
nix flake update nixos-config-hidden
_switch_: _switch_:
@echo "ERROR: couldn't find hostname" @echo "ERROR: couldn't find hostname"
@false @false

39
flake.lock generated
View file

@ -60,11 +60,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747559278, "lastModified": 1748227609,
"narHash": "sha256-10VfcILI2zYY1/ZlOx/cakDmpJgSEJYEG3gMrjzFREY=", "narHash": "sha256-SaSdslyo6UGDpPUlmrPA4dWOEuxCy2ihRN9K6BnqYsA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "ee85cfc5c132e2cf956a7b5ab156ddaedaefcbbc", "rev": "d23d20f55d49d8818ac1f1b2783671e8a6725022",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -94,13 +94,33 @@
"type": "github" "type": "github"
} }
}, },
"nixos-config-hidden": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1748288309,
"narHash": "sha256-eME8v0XnFUx1okq1mmdBEVV2lgCEVaHRKMl8nzrOrlM=",
"ref": "refs/heads/main",
"rev": "c5c6cb7b0b721ba5dc45788e5d6f154cb8a91dc3",
"revCount": 2,
"type": "git",
"url": "ssh://git@github.com/henridoh/nixos-config-hidden"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/henridoh/nixos-config-hidden"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1747129300, "lastModified": 1747900541,
"narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=", "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "e81fd167b33121269149c57806599045fd33eeed", "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -128,11 +148,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1747327360, "lastModified": 1748190013,
"narHash": "sha256-LSmTbiq/nqZR9B2t4MRnWG7cb0KVNU70dB7RT4+wYK4=", "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e06158e58f3adee28b139e9c2bcfcc41f8625b46", "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -146,6 +166,7 @@
"inputs": { "inputs": {
"colmena": "colmena", "colmena": "colmena",
"home-manager": "home-manager", "home-manager": "home-manager",
"nixos-config-hidden": "nixos-config-hidden",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
} }

17
flake.nix
View file

@ -7,6 +7,10 @@
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-config-hidden = {
url = "git+ssh://git@github.com/henridoh/nixos-config-hidden";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
@ -16,6 +20,7 @@
nixos-hardware, nixos-hardware,
colmena, colmena,
home-manager, home-manager,
nixos-config-hidden,
}@inputs: }@inputs:
let let
lib = nixpkgs.lib; lib = nixpkgs.lib;
@ -24,7 +29,7 @@
specialArgs = { specialArgs = {
inherit inputs lib' mod; inherit inputs lib' mod;
var = (lib'.walk-dir ./var).map_import; var = (lib'.walk-dir ./var).map_import_with_lib;
}; };
overlays = _: { overlays = _: {
nixpkgs.overlays = [ colmena.overlay ]; nixpkgs.overlays = [ colmena.overlay ];
@ -34,22 +39,28 @@
nixosConfigurations = { nixosConfigurations = {
"solo" = nixpkgs.lib.nixosSystem { "solo" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
inherit specialArgs; specialArgs = specialArgs // {
host = "solo";
};
modules = [ modules = [
./host/solo ./host/solo
mod.common.to_mod mod.common.to_mod
mod.pc-common.to_mod mod.pc-common.to_mod
nixos-config-hidden.nixosModules.pc
overlays overlays
]; ];
}; };
"c2" = nixpkgs.lib.nixosSystem { "c2" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
inherit specialArgs; specialArgs = specialArgs // {
host = "c2";
};
modules = [ modules = [
./host/c2 ./host/c2
mod.common.to_mod mod.common.to_mod
mod.pc-common.to_mod mod.pc-common.to_mod
nixos-config-hidden.nixosModules.pc
overlays overlays
]; ];
}; };

28
host/roam/modules/services.nix
View file

@ -4,36 +4,8 @@ let
in in
{ {
services = { services = {
# TODO: maybe just use wireguard...
/*
headscale = {
enable = true;
address = "127.0.0.1";
port = 8080;
settings = {
server_url = "https://${headscale-domain}";
prefixes.v4 = "100.10.11.0/24";
prefixes.v6 = "fd7a:115c:1011::/48";
dns = {
magic_dns = true;
base_domain = "net.hdohmen.de";
};
};
};
*/
nginx = { nginx = {
enable = true; enable = true;
/*
virtualHosts.${headscale-domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
*/
}; };
}; };

8
host/roam/modules/wireguard.nix
View file

@ -1,7 +1,6 @@
{ ... }: { var, lib, ... }:
let let
wireguard-port = 51820; wireguard-port = 51820;
wireguard-subnet = "100.10.11.0/24";
in in
{ {
networking = { networking = {
@ -16,9 +15,10 @@ in
wireguard = { wireguard = {
enable = true; enable = true;
interfaces."wg0" = { interfaces."wg0" = {
ips = [ wireguard-subnet ]; ips = var.wg.wireguard-network."roam".ips;
listenPort = wireguard-port; listenPort = wireguard-port;
privateKeyFile = "/var/secrets/wg0.key"; privateKeyFile = var.wg.keyFile;
peers = var.wg.peers-for "roam";
}; };
}; };
}; };

8
lib.nix
View file

@ -1,6 +1,7 @@
{ lib, ... }: { lib, ... }:
with builtins; with builtins;
rec { let
lib' = rec {
walk-dir = walk-dir =
let let
walk-dir-inner = walk-dir-inner =
@ -33,6 +34,7 @@ rec {
to_mod_without_default = without_default.to_mod; to_mod_without_default = without_default.to_mod;
collect_nix_files = _nix_files; collect_nix_files = _nix_files;
map_import = lib.mapAttrsRecursive (_: import) subpaths; map_import = lib.mapAttrsRecursive (_: import) subpaths;
map_import_with_lib = lib.mapAttrsRecursive (_: x: (import x) { inherit lib lib'; }) subpaths;
without_default = without_default =
let let
subpaths' = removeAttrs subpaths [ "default" ]; subpaths' = removeAttrs subpaths [ "default" ];
@ -44,4 +46,6 @@ rec {
x: if isAttrs x then lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x else x; x: if isAttrs x then lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x else x;
in in
p: with-helper-attrs (walk-dir-inner p); p: with-helper-attrs (walk-dir-inner p);
} };
in
lib'

42
mod/pc-common/network.nix
View file

@ -1,4 +1,4 @@
{ ... }: { host, var, ... }:
{ {
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
services.blueman.enable = true; services.blueman.enable = true;
@ -11,6 +11,46 @@
networking = { networking = {
enableIPv6 = true; enableIPv6 = true;
wireguard.enable = true;
wg-quick = {
interfaces = {
"onet" = {
address = var.wg.wireguard-network.${host}.ips;
privateKeyFile = var.wg.keyFile;
peers = var.wg.peers-for host;
};
"mullvad" =
let
conf = {
"solo".ips = [
"10.68.140.249/32"
"fc00:bbbb:bbbb:bb01::5:8cf8/128"
];
};
in
{
address = conf.${host}.ips;
privateKeyFile = var.wg.keyFile;
peers = [
{
allowedIPs = [
"0.0.0.0/0"
"::0/0"
];
endpoint = "185.213.155.72:51820";
publicKey = "flq7zR8W5FxouHBuZoTRHY0A0qFEMQZF5uAgV4+sHVw=";
persistentKeepalive = 23;
}
];
};
};
};
firewall = {
allowedUDPPorts = [ 51820 ];
};
networkmanager = { networkmanager = {
enable = true; enable = true;
wifi.macAddress = "random"; wifi.macAddress = "random";

1
mod/pc-common/services.nix
View file

@ -9,5 +9,6 @@
}; };
udisks2.enable = true; udisks2.enable = true;
emacs.enable = true; emacs.enable = true;
protonmail-bridge.enable = true;
}; };
} }

6
mod/pc-common/software/programs.nix
View file

@ -28,13 +28,15 @@
programs.thunderbird = { programs.thunderbird = {
enable = true; enable = true;
package = pkgs.thunderbird-latest; package = pkgs.thunderbird-latest;
profiles.default.isDefault = true; profiles.default = {
profiles.default.settings = { isDefault = true;
settings = {
"mail.openpgp.allow_external_gnupg" = true; "mail.openpgp.allow_external_gnupg" = true;
"mail.openpgp.fetch_pubkeys_from_gnupg" = true; "mail.openpgp.fetch_pubkeys_from_gnupg" = true;
}; };
}; };
}; };
};
# Some excludes # Some excludes
services.xserver.excludePackages = [ pkgs.xterm ]; services.xserver.excludePackages = [ pkgs.xterm ];

2
var/ssh-keys.nix
View file

@ -1,4 +1,4 @@
rec { _: rec {
# this is only used for forcing password entry on colmena apply # this is only used for forcing password entry on colmena apply
priviliged-by-host = { priviliged-by-host = {
"solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ"; "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";

29
var/wg.nix Normal file
View file

@ -0,0 +1,29 @@
{ lib, ... }:
rec {
publicKey = {
"roam" = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
"solo" = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
};
wireguard-network = {
"roam" = {
publicKey = publicKey."roam";
ips = [ "10.10.11.1/24" ];
allowedIPs = [ "10.10.11.0/24" ];
endpoint = "185.163.117.158:51820";
persistentKeepalive = 17;
};
"solo" = {
publicKey = publicKey."solo";
ips = [ "10.10.11.2/24" ];
allowedIPs = [ "10.10.11.2/32" ];
};
};
keyFile = "/var/secrets/wg.key";
peers-for =
host:
map (lib.filterAttrs (n: _: n != "ips")) (
lib.attrValues (lib.filterAttrs (n: _: n != host) wireguard-network)
);
}

12
var/wireguard-network.nix
View file

@ -1,12 +0,0 @@
rec {
peers = {
"roam" = {
publicKey = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
};
"solo" = {
publicKey = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
};
};
peersFor = host: { }; # TODO: return peers.
}