From 029653476f911fffd33b08ca85873a70f5998e49 Mon Sep 17 00:00:00 2001
From: James Eversole
Date: Thu, 5 Dec 2024 09:19:27 -0600
Subject: [PATCH] NixOS 24.11 upgrade; drop OpenVPN for WireGuard; clean up open ports

---
 flake.lock | 28 +++++++-------
 flake.nix | 4 +-
 nix/system/age.nix | 1 +
 nix/system/network.nix | 6 +--
 nix/system/openvpn.nix | 56 ----------------------------
 nix/system/wireguard.nix | 33 ++++++++++++++++
 secrets.nix | 1 +
 secrets/wireguard/server-private.age | 8 ++++
 8 files changed, 62 insertions(+), 75 deletions(-)
 delete mode 100644 nix/system/openvpn.nix
 create mode 100644 nix/system/wireguard.nix
 create mode 100644 secrets/wireguard/server-private.age

diff --git a/flake.lock b/flake.lock
index 6e456ac..40fb8f6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -48,11 +48,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1727789884,
- "narHash": "sha256-2LPx4iRJonX4gtd3r73DBM/ZhN/hKu1lb/MHOav8c5s=",
+ "lastModified": 1733148767,
+ "narHash": "sha256-Ht5wD/n2I/tQWNgYIdmi3UQbm1FNwp9m9JmDjZEd6ng=",
 "owner": "aristanetworks",
 "repo": "nix-serve-ng",
- "rev": "578ad85b3096d99b25cae0a73c03df4e82f587c7",
+ "rev": "6e8d82a451fccbaa4714da8f7a3db5907bdfa96d",
 "type": "github"
 },
 "original": {
@@ -63,29 +63,29 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1728627514,
- "narHash": "sha256-r+SF9AnHrTg+bk6YszoKfV9lgyw+yaFUQe0dOjI0Z2o=",
+ "lastModified": 1732981179,
+ "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c505ebf777526041d792a49d5f6dd4095ea391a7",
+ "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65",
 "type": "github"
 },
 "original": {
 "id": "nixpkgs",
- "ref": "nixos-24.05",
+ "ref": "nixos-24.11",
 "type": "indirect"
 }
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1727825735,
- "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+ "lastModified": 1730504152,
+ "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+ "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
 },
 "original": {
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+ "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
 }
 },
 "parts": {
@@ -93,11 +93,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1727826117,
- "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+ "lastModified": 1730504689,
+ "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+ "rev": "506278e768c2a08bec68eb62932193e341f55c90",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 2228d36..dcc63e5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
 description = "eve-psr-nix0 - Home Server";
 
 inputs = {
- nixpkgs.url = "nixpkgs/nixos-24.05";
+ nixpkgs.url = "nixpkgs/nixos-24.11";
 agenix = {
 url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -64,11 +64,11 @@
 ./nix/system/hardware.nix
 ./nix/system/nix-conf.nix
 ./nix/system/network.nix
- ./nix/system/openvpn.nix
 ./nix/system/overlays.nix
 ./nix/system/security.nix
 ./nix/system/system.nix
 ./nix/system/virtualisation.nix
+ ./nix/system/wireguard.nix
 ./nix/user/users.nix
 ];
 
diff --git a/nix/system/age.nix b/nix/system/age.nix
index 73c463b..13708f8 100644
--- a/nix/system/age.nix
+++ b/nix/system/age.nix
@@ -23,6 +23,7 @@
 "restic/env".file = ../../secrets/restic/env.age;
 "restic/password".file = ../../secrets/restic/env.age;
 "restic/repo".file = ../../secrets/restic/env.age;
+ "wireguard/server-private".file = ../../secrets/wireguard/server-private.age;
 };
 identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 };
diff --git a/nix/system/network.nix b/nix/system/network.nix
index 31bc12e..933155c 100644
--- a/nix/system/network.nix
+++ b/nix/system/network.nix
@@ -2,14 +2,14 @@
 networking = {
 hostName = "eve-psr-nix0";
 firewall = {
- allowedTCPPorts = [ 22 80 443 3000 7860 9418 23231 23232 23233 ];
- allowedUDPPorts = [ 53 1194 ];
+ allowedTCPPorts = [ 22 80 443 23231 23232 23233 ];
+ allowedUDPPorts = [ 53 51820 ];
 trustedInterfaces = [ "tun0" ];
 };
 nat = {
 enable = true;
 externalInterface = "enp1s0";
- internalInterfaces = [ "tun0" ];
+ internalInterfaces = [ "tun0" "wg0" ];
 };
 };
 }
diff --git a/nix/system/openvpn.nix b/nix/system/openvpn.nix
deleted file mode 100644
index 4ed1ba6..0000000
--- a/nix/system/openvpn.nix
+++ /dev/null
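Review bot: In the network.nix hunk, `trustedInterfaces = [ "tun0" ];` is kept even though this commit deletes the OpenVPN service that created tun0, so the entry is now dead unless some module outside this diff still brings up a tun0, while the new wg0 interface is only added to `nat.internalInterfaces`. As written, WireGuard peers face the same firewall as the internet side (only the listed TCP/UDP ports), which is the more conservative outcome; if that is intended, the stale name should go rather than linger where a future service could reuse it: `trustedInterfaces = [ ];` and `internalInterfaces = [ "wg0" ];`. If instead VPN clients are meant to reach internal services, `trustedInterfaces = [ "wg0" ];` has to be an explicit decision, since a trusted interface bypasses the port allow-list entirely.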
@@ -1,56 +0,0 @@
-{ config, pkgs, ... }:
-let
- client-key = "/home/sezycei/srv/sec/openvpn/James/laptop.key";
- domain = "matri.cx";
- port = 1194;
-in
-{
- services.openvpn.servers.laptop.config = ''
- dev tun0
- proto udp
- ifconfig 10.8.0.1 10.8.0.2
- secret ${client-key}
- port ${toString port}
-
- cipher AES-256-CBC
- auth-nocache
-
- comp-lzo
- keepalive 10 60
- ping-timer-rem
- persist-tun
- persist-key
- '';
-
- environment.etc."openvpn/laptop-client.ovpn" = {
- text = ''
- dev tun
- remote "${domain}"
- ifconfig 10.8.0.2 10.8.0.1
- port ${toString port}
- redirect-gateway def1
-
- cipher AES-256-CBC
- auth-nocache
-
- comp-lzo
- keepalive 10 60
- resolv-retry infinite
- nobind
- persist-key
- persist-tun
- secret [inline]
-
- '';
- mode = "600";
- };
- system.activationScripts.openvpn-addkey = ''
- f="/etc/openvpn/laptop-client.ovpn"
- if ! grep -q '' $f; then
- echo "appending secret key"
- echo "" >> $f
- cat ${client-key} >> $f
- echo "" >> $f
- fi
- '';
-}
diff --git a/nix/system/wireguard.nix b/nix/system/wireguard.nix
new file mode 100644
index 0000000..c0a5b33
--- /dev/null
+++ b/nix/system/wireguard.nix
@@ -0,0 +1,33 @@
+{ pkgs, config, lib, ...}: {
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "192.168.3.1/24" ];
+ listenPort = 51820;
+ privateKeyFile = "/run/agenix/wireguard/server-private";
+
+ peers = [
+ #
+ # James
+ #
+ { # Primary Cell
+ publicKey = "jko+bd/y1+3X40/AGX9OpV2H/Wlb9C2Jwkfs4Knjljg=";
+ allowedIPs = [ "192.168.3.2/32" ];
+ }
+ #
+ # Caitlynn
+ #
+ { # Primary Cell
+ publicKey = "Xbp3+huOWE0sTcWtk5BA2Qc4gk5vjFVgE6+qYJBpgkY=";
+ allowedIPs = [ "192.168.3.3/32" ];
+ }
+ ];
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
+ '';
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index 2610cb6..47f10e4 100644
--- a/secrets.nix
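Review bot: The `postSetup`/`postShutdown` masquerade rules in the new wireguard.nix use `-o eth0`, but network.nix in this same commit sets `networking.nat.externalInterface = "enp1s0"` and already lists wg0 in `internalInterfaces`, so the hand-written iptables rule names an interface that appears nowhere else in the diff and duplicates the NAT the module already configures for wg0 → enp1s0. If the interface really is enp1s0 the manual rule is silently ineffective and the module's NAT is what carries the traffic; either drop both hooks and rely on `networking.nat`, or, if they are kept deliberately, take the name from the same option so the two files cannot drift: `-o ${config.networking.nat.externalInterface}`. The module header also binds `lib` without using it; `{ pkgs, config, ... }: {` is enough. The per-peer `/32` in `allowedIPs` and the agenix-backed `privateKeyFile` look right; a one-line comment above `peers` noting that each peer's allowedIPs must stay a single /32 so a client cannot claim another client's address would help the next editor.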
+++ b/secrets.nix @@ -18,4 +18,5 @@ in "secrets/restic/env.age" = { publicKeys = all; }; "secrets/restic/repo.age" = { publicKeys = all; }; "secrets/restic/password.age" = { publicKeys = all; }; + "secrets/wireguard/server-private.age" = { publicKeys = all; }; } diff --git a/secrets/wireguard/server-private.age b/secrets/wireguard/server-private.age new file mode 100644 index 0000000..9d319dd --- /dev/null +++ b/secrets/wireguard/server-private.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 dQ70Fw ZqaqvUw6odr77kBeC+N9p8bFMYzD7MLCSAVi302J2VQ +BUJX5uq5cd3jOFNOUnDHdcxV8OPkcY+W/aJnY3XaLCI +-> ssh-ed25519 ZIoeGg y4LMGxFwIpd96YK7HjOQoHumpYqTklh1i3utAUTrMgg +37dz1lwZoHwCwrTsaCnX9mrQzGrEoP5RHjNV0Kasid4 +--- 4tniCsqDuqZYGNn98GmgV8BS18E+0ANnjKWQU4wWHOs +¹Â?;HŠª ˜&{û Ńt•c«y8<#É༄ªm¾±äk8 +šPèKH¬ÆÁ±Ow˜Ôéf¶}¿Pº`¯¾+…ßÝ5wÉot \ No newline at end of file