NixOS 24.11 upgrade; drop OpenVPN for WireGuard; clean up open ports

2024-12-05 09:19:27 -06:00 · 2024-12-05 09:19:27 -06:00 · 029653476f
commit 029653476f
parent ecfc60b2bb
8 changed files with 62 additions and 75 deletions
--- a/flake.lock
+++ b/flake.lock
@ -48,11 +48,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1727789884,
-        "narHash": "sha256-2LPx4iRJonX4gtd3r73DBM/ZhN/hKu1lb/MHOav8c5s=",
+        "lastModified": 1733148767,
+        "narHash": "sha256-Ht5wD/n2I/tQWNgYIdmi3UQbm1FNwp9m9JmDjZEd6ng=",
        "owner": "aristanetworks",
        "repo": "nix-serve-ng",
-        "rev": "578ad85b3096d99b25cae0a73c03df4e82f587c7",
+        "rev": "6e8d82a451fccbaa4714da8f7a3db5907bdfa96d",
        "type": "github"
      },
      "original": {
@ -63,29 +63,29 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1728627514,
-        "narHash": "sha256-r+SF9AnHrTg+bk6YszoKfV9lgyw+yaFUQe0dOjI0Z2o=",
+        "lastModified": 1732981179,
+        "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c505ebf777526041d792a49d5f6dd4095ea391a7",
+        "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
        "type": "indirect"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1727825735,
-        "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+        "lastModified": 1730504152,
+        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      }
    },
    "parts": {
@ -93,11 +93,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1727826117,
-        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,7 @@
  description = "eve-psr-nix0 - Home Server";

  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05";
+    nixpkgs.url = "nixpkgs/nixos-24.11";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
@ -64,11 +64,11 @@
                    ./nix/system/hardware.nix
                    ./nix/system/nix-conf.nix
                    ./nix/system/network.nix
-                    ./nix/system/openvpn.nix
                    ./nix/system/overlays.nix
                    ./nix/system/security.nix
                    ./nix/system/system.nix
                    ./nix/system/virtualisation.nix
+                    ./nix/system/wireguard.nix

                    ./nix/user/users.nix
                  ];
--- a/nix/system/age.nix
+++ b/nix/system/age.nix
@ -23,6 +23,7 @@
      "restic/env".file = ../../secrets/restic/env.age;
      "restic/password".file = ../../secrets/restic/env.age;
      "restic/repo".file = ../../secrets/restic/env.age;
+      "wireguard/server-private".file = ../../secrets/wireguard/server-private.age;
    };
    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
--- a/nix/system/network.nix
+++ b/nix/system/network.nix
@ -2,14 +2,14 @@
  networking = {
    hostName = "eve-psr-nix0";
    firewall = {
-      allowedTCPPorts = [ 22 80 443 3000 7860 9418 23231 23232 23233 ];
-      allowedUDPPorts = [ 53 1194 ];
+      allowedTCPPorts = [ 22 80 443 23231 23232 23233 ];
+      allowedUDPPorts = [ 53 51820 ];
      trustedInterfaces = [ "tun0" ];
    };
    nat = {
      enable = true;
      externalInterface = "enp1s0";
-      internalInterfaces = [ "tun0" ];
+      internalInterfaces = [ "tun0" "wg0" ];
    };
  };
 }
--- a/nix/system/openvpn.nix
+++ b/nix/system/openvpn.nix
@ -1,56 +0,0 @@
-{ config, pkgs, ... }:
-let
-  client-key = "/home/sezycei/srv/sec/openvpn/James/laptop.key";
-  domain = "matri.cx";
-  port = 1194;
-in
-{
-  services.openvpn.servers.laptop.config = ''
-    dev tun0
-    proto udp
-    ifconfig 10.8.0.1 10.8.0.2
-    secret ${client-key}
-    port ${toString port}
-
-    cipher AES-256-CBC
-    auth-nocache
-
-    comp-lzo
-    keepalive 10 60
-    ping-timer-rem
-    persist-tun
-    persist-key
-  '';
-
-  environment.etc."openvpn/laptop-client.ovpn" = {
-    text = ''
-      dev tun
-      remote "${domain}"
-      ifconfig 10.8.0.2 10.8.0.1
-      port ${toString port}
-      redirect-gateway def1
-
-      cipher AES-256-CBC
-      auth-nocache
-
-      comp-lzo
-      keepalive 10 60
-      resolv-retry infinite
-      nobind
-      persist-key
-      persist-tun
-      secret [inline]
-
-    '';
-    mode = "600";
-  };
-  system.activationScripts.openvpn-addkey = ''
-    f="/etc/openvpn/laptop-client.ovpn"
-    if ! grep -q '<secret>' $f; then
-      echo "appending secret key"
-      echo "<secret>" >> $f
-      cat ${client-key} >> $f
-      echo "</secret>" >> $f
-    fi
-  '';
-}
--- a/nix/system/wireguard.nix
+++ b/nix/system/wireguard.nix
@ -0,0 +1,33 @@
+{ pkgs, config, lib, ...}: {
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = [ "192.168.3.1/24" ];
+      listenPort = 51820;
+      privateKeyFile = "/run/agenix/wireguard/server-private";
+
+      peers = [
+          #
+          # James
+          #
+        { # Primary Cell
+          publicKey = "jko+bd/y1+3X40/AGX9OpV2H/Wlb9C2Jwkfs4Knjljg=";
+          allowedIPs = [ "192.168.3.2/32" ];
+        }
+          #
+          # Caitlynn
+          #
+        { # Primary Cell
+          publicKey = "Xbp3+huOWE0sTcWtk5BA2Qc4gk5vjFVgE6+qYJBpgkY=";
+          allowedIPs = [ "192.168.3.3/32" ];
+        }
+      ];
+
+      postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
+      '';
+      postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
+      '';
+    };
+	};
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -18,4 +18,5 @@ in
  "secrets/restic/env.age" = { publicKeys = all; };
  "secrets/restic/repo.age" = { publicKeys = all; };
  "secrets/restic/password.age" = { publicKeys = all; };
+  "secrets/wireguard/server-private.age" = { publicKeys = all; };
 }
--- a/secrets/wireguard/server-private.age
+++ b/secrets/wireguard/server-private.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 dQ70Fw ZqaqvUw6odr77kBeC+N9p8bFMYzD7MLCSAVi302J2VQ
+BUJX5uq5cd3jOFNOUnDHdcxV8OPkcY+W/aJnY3XaLCI
+-> ssh-ed25519 ZIoeGg y4LMGxFwIpd96YK7HjOQoHumpYqTklh1i3utAUTrMgg
+37dz1lwZoHwCwrTsaCnX9mrQzGrEoP5RHjNV0Kasid4
+--- 4tniCsqDuqZYGNn98GmgV8BS18E+0ANnjKWQU4wWHOs
+¹Â?;HŠª	˜&{Ã» Åƒt•c«y8<#Éà¼„ªmÂ¾±äk8
+šPèKH¬ÆÁ±Ow˜Ôéf¶}¿Pº`¯¾+…ßÝ5wÉot