NixOS 24.11 upgrade; drop OpenVPN for WireGuard; clean up open ports

2024-12-05 09:19:27 -06:00
parent ecfc60b2bb
commit 029653476f
8 changed files with 62 additions and 75 deletions
--- a/nix/system/age.nix
+++ b/nix/system/age.nix
@ -23,6 +23,7 @@
      "restic/env".file = ../../secrets/restic/env.age;
      "restic/password".file = ../../secrets/restic/env.age;
      "restic/repo".file = ../../secrets/restic/env.age;
+      "wireguard/server-private".file = ../../secrets/wireguard/server-private.age;
    };
    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
--- a/nix/system/network.nix
+++ b/nix/system/network.nix
@ -2,14 +2,14 @@
  networking = {
    hostName = "eve-psr-nix0";
    firewall = {
-      allowedTCPPorts = [ 22 80 443 3000 7860 9418 23231 23232 23233 ];
-      allowedUDPPorts = [ 53 1194 ];
+      allowedTCPPorts = [ 22 80 443 23231 23232 23233 ];
+      allowedUDPPorts = [ 53 51820 ];
      trustedInterfaces = [ "tun0" ];
    };
    nat = {
      enable = true;
      externalInterface = "enp1s0";
-      internalInterfaces = [ "tun0" ];
+      internalInterfaces = [ "tun0" "wg0" ];
    };
  };
 }
--- a/nix/system/openvpn.nix
+++ b/nix/system/openvpn.nix
@ -1,56 +0,0 @@
-{ config, pkgs, ... }:
-let
-  client-key = "/home/sezycei/srv/sec/openvpn/James/laptop.key";
-  domain = "matri.cx";
-  port = 1194;
-in
-{
-  services.openvpn.servers.laptop.config = ''
-    dev tun0
-    proto udp
-    ifconfig 10.8.0.1 10.8.0.2
-    secret ${client-key}
-    port ${toString port}
-
-    cipher AES-256-CBC
-    auth-nocache
-
-    comp-lzo
-    keepalive 10 60
-    ping-timer-rem
-    persist-tun
-    persist-key
-  '';
-
-  environment.etc."openvpn/laptop-client.ovpn" = {
-    text = ''
-      dev tun
-      remote "${domain}"
-      ifconfig 10.8.0.2 10.8.0.1
-      port ${toString port}
-      redirect-gateway def1
-
-      cipher AES-256-CBC
-      auth-nocache
-
-      comp-lzo
-      keepalive 10 60
-      resolv-retry infinite
-      nobind
-      persist-key
-      persist-tun
-      secret [inline]
-
-    '';
-    mode = "600";
-  };
-  system.activationScripts.openvpn-addkey = ''
-    f="/etc/openvpn/laptop-client.ovpn"
-    if ! grep -q '<secret>' $f; then
-      echo "appending secret key"
-      echo "<secret>" >> $f
-      cat ${client-key} >> $f
-      echo "</secret>" >> $f
-    fi
-  '';
-}
--- a/nix/system/wireguard.nix
+++ b/nix/system/wireguard.nix
@ -0,0 +1,33 @@
+{ pkgs, config, lib, ...}: {
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = [ "192.168.3.1/24" ];
+      listenPort = 51820;
+      privateKeyFile = "/run/agenix/wireguard/server-private";
+
+      peers = [
+          #
+          # James
+          #
+        { # Primary Cell
+          publicKey = "jko+bd/y1+3X40/AGX9OpV2H/Wlb9C2Jwkfs4Knjljg=";
+          allowedIPs = [ "192.168.3.2/32" ];
+        }
+          #
+          # Caitlynn
+          #
+        { # Primary Cell
+          publicKey = "Xbp3+huOWE0sTcWtk5BA2Qc4gk5vjFVgE6+qYJBpgkY=";
+          allowedIPs = [ "192.168.3.3/32" ];
+        }
+      ];
+
+      postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
+      '';
+      postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
+      '';
+    };
+	};
+}