diff --git a/README.md b/README.md index 89c9e2e..100d3de 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,21 @@ # nix +## Onboarding: + +You will need at least nix installed on you machine + +### Wireguard + +Add your publickeys into ./shared/users-wg.nix +Create the following interfaces: + bastion.mtz.lasuite.federez: nePNA6RDzgNeSC7deXqeoK2rGGei65tBNnCEN6ZKkEI= -bastion.ren.lasuite.federez: tSnZQM0s1EaN2uvCgYP8xkLXt+NccBBPJj5UBzV3h2Y= \ No newline at end of file +bastion.ren.lasuite.federez: tSnZQM0s1EaN2uvCgYP8xkLXt+NccBBPJj5UBzV3h2Y= + +### SSH + +Prov yourself in ./shared/users.nix + +### Agenix + +Add you decryption key into ./secrets/secrets.nix \ No newline at end of file diff --git a/nodes.nix b/nodes.nix index 7148b31..3004549 100644 --- a/nodes.nix +++ b/nodes.nix @@ -308,7 +308,7 @@ bastion-ren-lasuite-federez = { zone = 2; - id = 1; + id = 14; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -331,7 +331,7 @@ db-ren-lasuite-federez = { zone = 2; - id = 2; + id = 15; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -354,7 +354,7 @@ dns-ren-lasuite-federez = { zone = 2; - id = 3; + id = 16; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -377,7 +377,7 @@ docs-ren-lasuite-federez = { zone = 2; - id = 4; + id = 17; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -400,7 +400,7 @@ meet-ren-lasuite-federez = { zone = 2; - id = 5; + id = 18; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -423,7 +423,7 @@ gris-ren-lasuite-federez = { zone = 2; - id = 6; + id = 19; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -446,7 +446,7 @@ mail-ren-lasuite-federez = { zone = 2; - id = 7; + id = 20; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -469,7 +469,7 @@ garage-ren-lasuite-federez = { zone = 2; - id = 8; + id = 21; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -492,7 +492,7 @@ livekit-ren-lasuite-federez = { zone = 2; - id = 9; + id = 22; system = "x86_64-linux"; ver = "25.05"; modules = [ 
@@ -515,7 +515,7 @@ backup-ren-lasuite-federez = { zone = 2; - id = 10; + id = 23; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -538,7 +538,7 @@ prom-ren-lasuite-federez = { zone = 2; - id = 11; + id = 24; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -561,7 +561,7 @@ auth-ren-lasuite-federez = { zone = 2; - id = 12; + id = 25; system = "x86_64-linux"; ver = "25.05"; modules = [ diff --git a/secrets/wireguard/wg-private-zone-2-id-1.age b/secrets/wireguard/wg-private-zone-2-id-14.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-1.age rename to secrets/wireguard/wg-private-zone-2-id-14.age diff --git a/secrets/wireguard/wg-private-zone-2-id-2.age b/secrets/wireguard/wg-private-zone-2-id-15.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-2.age rename to secrets/wireguard/wg-private-zone-2-id-15.age diff --git a/secrets/wireguard/wg-private-zone-2-id-3.age b/secrets/wireguard/wg-private-zone-2-id-16.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-3.age rename to secrets/wireguard/wg-private-zone-2-id-16.age diff --git a/secrets/wireguard/wg-private-zone-2-id-4.age b/secrets/wireguard/wg-private-zone-2-id-17.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-4.age rename to secrets/wireguard/wg-private-zone-2-id-17.age diff --git a/secrets/wireguard/wg-private-zone-2-id-5.age b/secrets/wireguard/wg-private-zone-2-id-18.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-5.age rename to secrets/wireguard/wg-private-zone-2-id-18.age diff --git a/secrets/wireguard/wg-private-zone-2-id-6.age b/secrets/wireguard/wg-private-zone-2-id-19.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-6.age rename to secrets/wireguard/wg-private-zone-2-id-19.age 
diff --git a/secrets/wireguard/wg-private-zone-2-id-7.age b/secrets/wireguard/wg-private-zone-2-id-20.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-7.age rename to secrets/wireguard/wg-private-zone-2-id-20.age diff --git a/secrets/wireguard/wg-private-zone-2-id-8.age b/secrets/wireguard/wg-private-zone-2-id-21.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-8.age rename to secrets/wireguard/wg-private-zone-2-id-21.age diff --git a/secrets/wireguard/wg-private-zone-2-id-9.age b/secrets/wireguard/wg-private-zone-2-id-22.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-9.age rename to secrets/wireguard/wg-private-zone-2-id-22.age diff --git a/secrets/wireguard/wg-private-zone-2-id-10.age b/secrets/wireguard/wg-private-zone-2-id-23.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-10.age rename to secrets/wireguard/wg-private-zone-2-id-23.age diff --git a/secrets/wireguard/wg-private-zone-2-id-11.age b/secrets/wireguard/wg-private-zone-2-id-24.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-11.age rename to secrets/wireguard/wg-private-zone-2-id-24.age diff --git a/secrets/wireguard/wg-private-zone-2-id-12.age b/secrets/wireguard/wg-private-zone-2-id-25.age similarity index 100% rename from secrets/wireguard/wg-private-zone-2-id-12.age rename to secrets/wireguard/wg-private-zone-2-id-25.age diff --git a/shared/bastion/nftables.nix b/shared/bastion/nftables.nix index 29ac0b1..b4fe396 100644 --- a/shared/bastion/nftables.nix +++ b/shared/bastion/nftables.nix @@ -1,9 +1,9 @@ -{ ... }: +{ lib, ... }: { networking = { nat.enable = false; - firewall.enable = false; + firewall.enable = lib.mkForce false; nftables = { enable = true; checkRuleset = true; diff --git a/shared/bastion/wireguard.nix b/shared/bastion/wireguard.nix index 8a0b4a5..790e699 100644 --- a/shared/bastion/wireguard.nix +++ b/shared/bastion/wireguard.nix 
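Review bot: `firewall.enable = lib.mkForce false;` silently discards every `networking.firewall.*` contribution from other modules, including the `allowedUDPPorts` that shared/commons/mesh.nix sets in this same commit for the per-peer WireGuard listeners, so on a bastion (assuming the commons modules are imported there too) those listen ports are reachable only if the nftables ruleset outside this hunk opens them itself. That is presumably intended, since the bastion manages nftables directly, but it deserves a comment next to the override, e.g. `# mkForce: the NixOS firewall is replaced by the nftables ruleset below; WireGuard listen ports from mesh.nix must be opened there, allowedUDPPorts has no effect here`. The enclosing `networking` attribute set continues past the hunk.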
@@ -21,7 +21,7 @@ let
 name = "${peerConfig.name}";
 publicKey = peerConfig.publicKey;
 allowedIPs = [
- "172.19..${toString (myZone + 127)}${toString peerConfig.id}/32"
+ "172.19.${toString (myZone + 127)}.${toString peerConfig.id}/32"
 "fc00:f::${toString (myZone + 127)}:${toString peerConfig.id}/128"
 ];
 persistentKeepalive = 25;
diff --git a/shared/commons/mesh.nix b/shared/commons/mesh.nix
index bea8c9f..57e9560 100644
--- a/shared/commons/mesh.nix
+++ b/shared/commons/mesh.nix
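Review bot: The corrected allowedIPs line now embeds `peerConfig.id` as the last IPv4 octet (and the next line uses it as an IPv6 hextet), but nothing visible bounds the id to 0–255; the ids in nodes.nix now reach 25 so it fits, yet the original `172.19..` typo shows these strings are not validated at evaluation time. A guard such as `assert peerConfig.id >= 0 && peerConfig.id <= 255;` in front of the peer attribute set (or a `lib.assertMsg` in the builder) would turn a malformed address into an evaluation error instead of a silently broken tunnel. The enclosing `let` binding starts outside the hunk.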
@@ -13,39 +13,48 @@ let }; generatedSecrets = lib.mapAttrsToList (name: node: buildSecret node.zone node.id) nodes; - generateWireGuardInterface = nodesConfig: let + generateWireGuardInterfaces = nodesConfig: let myPeer = nodesConfig."${config.hostName}"; myZone = myPeer.zone; myId = myPeer.id; - + # Filter itself out of the peer list - peerConfigs = lib.filterAttrs (_peerName: peerConfig: (peerConfig.zone != myZone) || (peerConfig.id != myId)) nodesConfig; - - peers = lib.mapAttrsToList (peerName: peerConfig: { - name = "${peerName}"; - publicKey = peerConfig.wg-pub; - allowedIPs = [ - "172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32" - "fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128" - ]; - endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:51820"; - persistentKeepalive = 25; - }) peerConfigs; - - interface = { - "mesh" = { - ips = [ - "172.19.${toString myZone}.${toString myId}/17" - "fc00::${toString myZone}:${toString myId}/96" - ]; - privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path; - listenPort = 51820; - peers = peers; - }; - }; - in interface; + peerConfigs = lib.filterAttrs (_peerName: peerConfig: peerConfig.id != myId) nodesConfig; + + # We'll make one if per peer, this is more flexible + interfacePeers = lib.flatten (lib.mapAttrsToList (peerName: peerConfig: let + remoteId = peerConfig.id; - wireguardInterfaces = generateWireGuardInterface nodes; + # The mesh is for now only IPv4 based + if4 = { + "mesh-${peerName}" = { + ips = [ + "172.19.${toString remoteId}.${toString myId}/32" + "fc00::${toString remoteId}:${toString myId}/128" + ]; + privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path; + listenPort = 51000 + remoteId; + peers = [{ + name = "${peerName}-ip4"; + publicKey = peerConfig.wg-pub; + allowedIPs = [ + "172.19.${toString myId}.${toString remoteId}/32" + "fc00::${toString myId}:${toString remoteId}/128" 
+ # Allow mgmt transport + "172.19.128.0/17" + "fc00:f::/96" + ]; + persistentKeepalive = 25; + }]; + }; + }; + + in if4) peerConfigs); + + interfaces = builtins.foldl' (acc: set: acc // set) {} interfacePeers; + in interfaces; + + wireguardInterfaces = generateWireGuardInterfaces nodes; in { age.secrets = lib.lists.foldl' (acc: set: lib.attrsets.recursiveUpdate acc set) {} generatedSecrets; @@ -56,11 +65,14 @@ in # If custom systemd ordering is needed # between wg interface and the rest of # networking: switch to false here + # Note: if you turn it off it will break + # the custom routing for mgmt rt path + # trafic handle by networkd, see networking.nix networking.wireguard.useNetworkd = true; # Return all WireGuard interfaces for each node networking.wireguard.interfaces = wireguardInterfaces; # Open UDP port for wireguard traffic - networking.firewall.allowedUDPPorts = [ 51820 ]; + networking.firewall.allowedUDPPorts = lib.range 51000 52000; } \ No newline at end of file diff --git a/shared/commons/networking.nix b/shared/commons/networking.nix index df2e51b..11fb6c9 100644 --- a/shared/commons/networking.nix +++ b/shared/commons/networking.nix @@ -28,7 +28,6 @@ let Gateway = "fc00::${toString node.zone}:1"; Destination = "fc00:f::${toString (node.zone + 127)}:0/96"; }) (lib.attrValues (lib.filterAttrs (name: node: node.id == 1) nodes)); - in { networking.hostName = config.hostName; 
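Review bot: Every generated `mesh-${peerName}` interface gives its single peer `allowedIPs` of `172.19.128.0/17` and `fc00:f::/96` on top of the peer's own /32 and /128, so cryptokey routing will accept packets from any mesh peer whose source is any management address, not only from the node that actually carries management transport (the bastion, judging by shared/bastion/wireguard.nix); if only the bastion forwards that traffic, append the two prefixes only for bastion peers, e.g. `++ lib.optionals <is-bastion-predicate> [ "172.19.128.0/17" "fc00:f::/96" ]` with the predicate derived from nodesConfig, so that a compromised node cannot spoof management sources toward its neighbours. Separately, the self-filter `peerConfig.id != myId` no longer compares zones, so ids must now be unique across all zones (which the nodes.nix renumbering to 14–25 provides); an `assert` that `lib.unique` of the ids has the same length as the node list would make that invariant explicit, and ids must also stay within 0–255 since they are used both as IPv4 octets and as `51000 + remoteId` listen ports. The added comment `# The mesh is for now only IPv4 based` contradicts the `fc00::` addresses assigned on the same interface; either the comment is stale or the IPv6 lines are dead configuration. The `let` block that defines these bindings starts outside the hunk.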
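Review bot: `networking.firewall.allowedUDPPorts = lib.range 51000 52000;` opens 1001 UDP ports on every node although only `51000 + remoteId` for each actual peer is ever bound, and `wireguardInterfaces` is already in scope, so the exact set can be derived instead: `networking.firewall.allowedUDPPorts = lib.mapAttrsToList (_: iface: iface.listenPort) wireguardInterfaces;`. That keeps the exposed surface equal to the listeners that exist and follows node additions automatically. In the added comment, `trafic handle by networkd` should read `traffic handled by networkd`.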
@@ -37,15 +36,22 @@ in networking.useNetworkd = true; networking.useDHCP = false; systemd.network = { - networks."10-wan" = { - # match the interface by name - matchConfig.Name = myNode.dev; - address = addr4 ++ addr6; - routes = route4 ++ route6; - # DNS - dns = [ "1.1.1.1" ]; - # make the routes on this interface a dependency for network-online.target - linkConfig.RequiredForOnline = "routable"; + networks = { + "10-wan" = { + # match the interface by name + matchConfig.Name = myNode.dev; + address = addr4 ++ addr6; + routes = route4 ++ route6; + # DNS + dns = [ "1.1.1.1" ]; + # make the routes on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; + # This interface is generated by networkd backend for wireguard + # See mesh.nix + "mesh" = { + routes = rtwg4 ++ rtwg6; + }; }; config.addRouteTablesToIPRoute2 = true;
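Review bot: The new `"mesh"` network entry carries the management routes `rtwg4 ++ rtwg6`, but after this commit shared/commons/mesh.nix no longer creates an interface named `mesh`; it generates one interface per peer named `mesh-${peerName}`, so unless the networkd backend keys its generated unit differently this entry (which has no `matchConfig` of its own) applies to none of them and the routes are silently dropped. Deriving the entries from the same set, e.g. a `lib.mapAttrs'` over the mesh interface names that yields `{ routes = rtwg4 ++ rtwg6; }` for each, or at least naming the bastion's interface explicitly, would keep networking.nix and mesh.nix in step. The `rtwg4`/`rtwg6` definitions further up the file also select gateways with `node.id == 1` (visible as context in the previous hunk); since zone-2 ids were renumbered to 14–25 in nodes.nix, that predicate no longer selects the zone-2 bastion, so the gateway list itself probably needs the same revisit. The enclosing `systemd.network` attribute set closes outside the hunk.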