wireguard & other stuff

2025-05-26 22:13:03 +02:00 · 2025-05-26 22:13:03 +02:00 · 16f491a6ca
commit 16f491a6ca
parent c45f9f7f46
12 changed files with 174 additions and 103 deletions
--- a/3
+++ b/3
@ -13,6 +13,9 @@ switch: _switch_${HOST}
 apply:
 	colmena apply

+update-hidden:
+	nix flake update nixos-config-hidden
+
 _switch_:
 	@echo "ERROR: couldn't find hostname"
 	@false
--- a/flake.lock
+++ b/flake.lock
@ -60,11 +60,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747559278,
-        "narHash": "sha256-10VfcILI2zYY1/ZlOx/cakDmpJgSEJYEG3gMrjzFREY=",
+        "lastModified": 1748227609,
+        "narHash": "sha256-SaSdslyo6UGDpPUlmrPA4dWOEuxCy2ihRN9K6BnqYsA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "ee85cfc5c132e2cf956a7b5ab156ddaedaefcbbc",
+        "rev": "d23d20f55d49d8818ac1f1b2783671e8a6725022",
        "type": "github"
      },
      "original": {
@ -94,13 +94,33 @@
        "type": "github"
      }
    },
+    "nixos-config-hidden": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748288309,
+        "narHash": "sha256-eME8v0XnFUx1okq1mmdBEVV2lgCEVaHRKMl8nzrOrlM=",
+        "ref": "refs/heads/main",
+        "rev": "c5c6cb7b0b721ba5dc45788e5d6f154cb8a91dc3",
+        "revCount": 2,
+        "type": "git",
+        "url": "ssh://git@github.com/henridoh/nixos-config-hidden"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://git@github.com/henridoh/nixos-config-hidden"
+      }
+    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1747129300,
-        "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=",
+        "lastModified": 1747900541,
+        "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "e81fd167b33121269149c57806599045fd33eeed",
+        "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
        "type": "github"
      },
      "original": {
@ -128,11 +148,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1747327360,
-        "narHash": "sha256-LSmTbiq/nqZR9B2t4MRnWG7cb0KVNU70dB7RT4+wYK4=",
+        "lastModified": 1748190013,
+        "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e06158e58f3adee28b139e9c2bcfcc41f8625b46",
+        "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
        "type": "github"
      },
      "original": {
@ -146,6 +166,7 @@
      "inputs": {
        "colmena": "colmena",
        "home-manager": "home-manager",
+        "nixos-config-hidden": "nixos-config-hidden",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2"
      }
--- a/flake.nix
+++ b/flake.nix
@ -7,6 +7,10 @@
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    nixos-config-hidden = {
+      url = "git+ssh://git@github.com/henridoh/nixos-config-hidden";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs =
@ -16,6 +20,7 @@
      nixos-hardware,
      colmena,
      home-manager,
+      nixos-config-hidden,
    }@inputs:
    let
      lib = nixpkgs.lib;
@ -24,7 +29,7 @@

      specialArgs = {
        inherit inputs lib' mod;
-        var = (lib'.walk-dir ./var).map_import;
+        var = (lib'.walk-dir ./var).map_import_with_lib;
      };
      overlays = _: {
        nixpkgs.overlays = [ colmena.overlay ];
@ -34,22 +39,28 @@
      nixosConfigurations = {
        "solo" = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
-          inherit specialArgs;
+          specialArgs = specialArgs // {
+            host = "solo";
+          };
          modules = [
            ./host/solo
            mod.common.to_mod
            mod.pc-common.to_mod
+            nixos-config-hidden.nixosModules.pc
            overlays
          ];
        };

        "c2" = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
-          inherit specialArgs;
+          specialArgs = specialArgs // {
+            host = "c2";
+          };
          modules = [
            ./host/c2
            mod.common.to_mod
            mod.pc-common.to_mod
+            nixos-config-hidden.nixosModules.pc
            overlays
          ];
        };
--- a/host/roam/modules/services.nix
+++ b/host/roam/modules/services.nix
@ -4,36 +4,8 @@ let
 in
 {
  services = {
-    # TODO: maybe just use wireguard...
-    /*
-      headscale = {
-        enable = true;
-        address = "127.0.0.1";
-        port = 8080;
-        settings = {
-          server_url = "https://${headscale-domain}";
-          prefixes.v4 = "100.10.11.0/24";
-          prefixes.v6 = "fd7a:115c:1011::/48";
-          dns = {
-            magic_dns = true;
-            base_domain = "net.hdohmen.de";
-          };
-        };
-      };
-    */
-
    nginx = {
      enable = true;
-      /*
-        virtualHosts.${headscale-domain} = {
-          forceSSL = true;
-          enableACME = true;
-          locations."/" = {
-            proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
-            proxyWebsockets = true;
-          };
-        };
-      */
    };
  };

--- a/host/roam/modules/wireguard.nix
+++ b/host/roam/modules/wireguard.nix
@ -1,7 +1,6 @@
-{ ... }:
+{ var, lib, ... }:
 let
  wireguard-port = 51820;
-  wireguard-subnet = "100.10.11.0/24";
 in
 {
  networking = {
@ -16,9 +15,10 @@ in
    wireguard = {
      enable = true;
      interfaces."wg0" = {
-        ips = [ wireguard-subnet ];
+        ips = var.wg.wireguard-network."roam".ips;
        listenPort = wireguard-port;
-        privateKeyFile = "/var/secrets/wg0.key";
+        privateKeyFile = var.wg.keyFile;
+        peers = var.wg.peers-for "roam";
      };
    };
  };
--- a/lib.nix
+++ b/lib.nix
@ -1,6 +1,7 @@
 { lib, ... }:
 with builtins;
-rec {
+let
+  lib' = rec {
    walk-dir =
      let
        walk-dir-inner =
@ -33,6 +34,7 @@ rec {
            to_mod_without_default = without_default.to_mod;
            collect_nix_files = _nix_files;
            map_import = lib.mapAttrsRecursive (_: import) subpaths;
+            map_import_with_lib = lib.mapAttrsRecursive (_: x: (import x) { inherit lib lib'; }) subpaths;
            without_default =
              let
                subpaths' = removeAttrs subpaths [ "default" ];
@ -44,4 +46,6 @@ rec {
          x: if isAttrs x then lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x else x;
      in
      p: with-helper-attrs (walk-dir-inner p);
-}
+  };
+in
+lib'
--- a/mod/pc-common/network.nix
+++ b/mod/pc-common/network.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ host, var, ... }:
 {
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
@ -11,6 +11,46 @@

  networking = {
    enableIPv6 = true;
+
+    wireguard.enable = true;
+    wg-quick = {
+      interfaces = {
+        "onet" = {
+          address = var.wg.wireguard-network.${host}.ips;
+          privateKeyFile = var.wg.keyFile;
+          peers = var.wg.peers-for host;
+        };
+        "mullvad" =
+          let
+            conf = {
+              "solo".ips = [
+                "10.68.140.249/32"
+                "fc00:bbbb:bbbb:bb01::5:8cf8/128"
+              ];
+            };
+          in
+          {
+            address = conf.${host}.ips;
+            privateKeyFile = var.wg.keyFile;
+            peers = [
+              {
+                allowedIPs = [
+                  "0.0.0.0/0"
+                  "::0/0"
+                ];
+                endpoint = "185.213.155.72:51820";
+                publicKey = "flq7zR8W5FxouHBuZoTRHY0A0qFEMQZF5uAgV4+sHVw=";
+                persistentKeepalive = 23;
+              }
+            ];
+          };
+      };
+    };
+
+    firewall = {
+      allowedUDPPorts = [ 51820 ];
+    };
+
    networkmanager = {
      enable = true;
      wifi.macAddress = "random";
--- a/mod/pc-common/services.nix
+++ b/mod/pc-common/services.nix
@ -9,5 +9,6 @@
    };
    udisks2.enable = true;
    emacs.enable = true;
+    protonmail-bridge.enable = true;
  };
 }
--- a/mod/pc-common/software/programs.nix
+++ b/mod/pc-common/software/programs.nix
@ -28,13 +28,15 @@
    programs.thunderbird = {
      enable = true;
      package = pkgs.thunderbird-latest;
-      profiles.default.isDefault = true;
-      profiles.default.settings = {
+      profiles.default = {
+        isDefault = true;
+        settings = {
          "mail.openpgp.allow_external_gnupg" = true;
          "mail.openpgp.fetch_pubkeys_from_gnupg" = true;
        };
      };
    };
+  };

  # Some excludes
  services.xserver.excludePackages = [ pkgs.xterm ];
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@ -1,4 +1,4 @@
-rec {
+_: rec {
  # this is only used for forcing password entry on colmena apply
  priviliged-by-host = {
    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
--- a/var/wg.nix
+++ b/var/wg.nix
@ -0,0 +1,29 @@
+{ lib, ... }:
+rec {
+  publicKey = {
+    "roam" = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
+    "solo" = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
+  };
+  wireguard-network = {
+    "roam" = {
+      publicKey = publicKey."roam";
+      ips = [ "10.10.11.1/24" ];
+      allowedIPs = [ "10.10.11.0/24" ];
+      endpoint = "185.163.117.158:51820";
+      persistentKeepalive = 17;
+    };
+    "solo" = {
+      publicKey = publicKey."solo";
+      ips = [ "10.10.11.2/24" ];
+      allowedIPs = [ "10.10.11.2/32" ];
+    };
+  };
+  keyFile = "/var/secrets/wg.key";
+
+  peers-for =
+    host:
+    map (lib.filterAttrs (n: _: n != "ips")) (
+      lib.attrValues (lib.filterAttrs (n: _: n != host) wireguard-network)
+    );
+
+}
--- a/var/wireguard-network.nix
+++ b/var/wireguard-network.nix
@ -1,12 +0,0 @@
-rec {
-  peers = {
-    "roam" = {
-      publicKey = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
-    };
-    "solo" = {
-      publicKey = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
-    };
-  };
-
-  peersFor = host: { }; # TODO: return peers.
-}