author | Franck Cuny <franck@fcuny.net> | 2022-02-21 13:33:51 -0800 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2022-02-21 13:33:51 -0800 |
commit | cd9c8ec5fdbe4874c7be95c80f8ab86999b30390 (patch) | |
tree | 513331627090ae863c064cf2662ba77906e6f54a | |
parent | secrets: initial config and a first secret (diff) | |
download | world-cd9c8ec5fdbe4874c7be95c80f8ab86999b30390.tar.gz |
wireguard: module and peers configurations
Add a new module to automatically configure the peers for wireguard. The module needs a configuration file (in `configs/wireguard.toml`) which lists all the peers, their IP and their public keys. The secret key is encrypted as a secret with agenix. There's some initial documentation on how to use this setup.
-rw-r--r-- | configs/wireguard.toml | 15 | ||||
-rw-r--r-- | docs/wireguard.org | 21 | ||||
-rw-r--r-- | hosts/aptos/default.nix | 1 | ||||
-rw-r--r-- | lib/default.nix | 1 | ||||
-rw-r--r-- | lib/private-wireguard.nix | 44 |
5 files changed, 82 insertions, 0 deletions
diff --git a/configs/wireguard.toml b/configs/wireguard.toml
new file mode 100644
index 0000000..0012ba9
--- /dev/null
+++ b/configs/wireguard.toml
@@ -0,0 +1,15 @@
+mask4 = 32
+subnet4 = "192.168.6"
+
+[peers.aptos]
+ipv4 = 110
+key = "DP3caAlh07OOU61u2L2QfEhakt/mVEGrMBVONNvpNhU="
+
+[peers.nas]
+ipv4 = 10
+key = "SFlgoY+fQDUnI2D6Xp3JhqFKWsZABqahCv8IgKPWizA="
+
+[peers.rtr]
+ipv4= 1
+key = "P4gxkIoQ9Ep6QqfTquJYbBkMPDJQkVE9v1eYh/uJwG8="
+
diff --git a/docs/wireguard.org b/docs/wireguard.org
new file mode 100644
index 0000000..154c159
--- /dev/null
+++ b/docs/wireguard.org
@@ -0,0 +1,21 @@
+#+TITLE: Configuration for wireguard
+
+* Creating the keys
+We need a key for the host:
+#+begin_src sh
+(umask 0077; wg genkey > peer_A.key)
+#+end_src
+
+Next we create the public key:
+#+begin_src sh
+wg pubkey < peer_A.key > peer_A.pub
+#+end_src
+
+Now we need to add the private key to the list of secrets:
+#+begin_src sh
+nix run github:ryantm/agenix -- -e secrets/network/<host name>/wireguard_privatekey.age
+#+end_src
+
+Once this is done, update [[file:~/workspace/world/configs/wireguard.toml][wireguard.toml]] to add the new peer with the public key.
+
+Once this is completed, we can delete the files =peer_A.key= and =peer_A.pub=.
diff --git a/hosts/aptos/default.nix b/hosts/aptos/default.nix
index 64da2a5..1e79543 100644
--- a/hosts/aptos/default.nix
+++ b/hosts/aptos/default.nix
@@ -32,6 +32,7 @@ }; networking.wireless.iwd.enable = true;
+ networking.private-wireguard.enable = true;
 services.thermald.enable = true;
diff --git a/lib/default.nix b/lib/default.nix
index c2866c9..fe43eb1 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -14,6 +14,7 @@ inputs.agenix.nixosModules.age ../hosts/common ../hosts/${hostname}
+ ./private-wireguard.nix
 {
 networking.hostName = hostname;
 nixpkgs = {
diff --git a/lib/private-wireguard.nix b/lib/private-wireguard.nix
new file mode 100644
index 0000000..e063f39
--- /dev/null
+++ b/lib/private-wireguard.nix
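Review bot: No peer in this file carries an `externalIp`, yet the module added in this same commit only emits an `endpoint` for peers that have one, so as committed every host gets `persistentKeepalive` and no endpoint, and no peer can initiate a handshake. At least the router entry under `[peers.rtr]` presumably needs something like `externalIp = "<public address or DNS name>"` reachable from the other peers; whether that is meant to land in a later commit cannot be told from here. Committing only public keys here is correct, so no concern on that front. A minor style point: `ipv4= 1` under `[peers.rtr]` lacks the spacing the other entries use, `ipv4 = 1`.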
@@ -0,0 +1,44 @@
+{ lib, hostname, config, ... }:
+
+let
+ inherit (lib) mkEnableOption mkOption mkIf types;
+ inherit (builtins) readFile fromTOML fromJSON;
+
+ cfg = config.networking.private-wireguard;
+ port = 51871;
+ wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
+ allPeers = wgcfg.peers;
+ thisPeer = allPeers."${hostname}" or null;
+ otherPeers = lib.filterAttrs (n: v: n != hostname) allPeers;
+in {
+ options.networking.private-wireguard = {
+ enable = mkEnableOption "Enable private wireguard vpn connection";
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking = let
+ age.secrets.wg-net.file = ../secrets/network/hostname/wireguard_privatekey.age;
+ in {
+ wireguard.interfaces.wg0 = {
+ listenPort = port;
+ privateKeyFile = "/run/agenix/wireguard_privatekey";
+ ips = [
+ "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
+ ];
+
+ peers = lib.mapAttrsToList
+ (name: peer: {
+ allowedIPs = [
+ "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
+ ];
+ publicKey = peer.key;
+ } // lib.optionalAttrs (peer ? externalIp) {
+ endpoint = "${peer.externalIp}:${toString port}";
+ } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
+ persistentKeepalive = 10;
+ })
+ otherPeers;
+ };
+ };
+ };
+} |
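Review bot: The agenix secret is never actually declared: `age.secrets.wg-net.file = …` sits inside `networking = let … in { … }`, so it is a dead local binding rather than the `age.secrets` option, and its path `../secrets/network/hostname/wireguard_privatekey.age` names a literal directory `hostname` instead of `${hostname}` as the docs in this commit describe. As written `/run/agenix/wireguard_privatekey` will not exist at activation, and even if the binding were hoisted the secret name `wg-net` would be decrypted to `/run/agenix/wg-net`, not the path hard-coded in `privateKeyFile`. Declare the secret as a sibling of `networking` in the `config` set and derive the key path from it rather than spelling it out, as in the excerpt below. Separately, `thisPeer.ipv4` is evaluated for any host that enables the module, so a host missing from the TOML fails with a bare attribute error; an `assertions` entry such as `{ assertion = thisPeer != null; message = "networking.private-wireguard: host ${hostname} is not listed in configs/wireguard.toml"; }` would make that explicit, and the listen port is not opened in `networking.firewall` here, which peers that publish an `externalIp` presumably need unless the firewall is handled elsewhere.
```nix
  config = lib.mkIf cfg.enable {
    # Declared at the top level of `config` so agenix actually sees it;
    # the path is per-host, matching docs/wireguard.org.
    age.secrets.wireguard_privatekey.file =
      ../secrets/network/${hostname}/wireguard_privatekey.age;

    networking.wireguard.interfaces.wg0 = {
      listenPort = port;
      privateKeyFile = config.age.secrets.wireguard_privatekey.path;
      # … unchanged: ips and peers …
    };
  };
```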