James/eve-psr-nix0
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

NixOS 24.11 upgrade; drop OpenVPN for WireGuard; clean up open ports

Browse Source
This commit is contained in:
James Eversole 2024-12-05 09:19:27 -06:00
parent ecfc60b2bb
commit 029653476f
8 changed files with 62 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
flake.lock generated
View File

@ -48,11 +48,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1727789884, "lastModified": 1733148767,
"narHash": "sha256-2LPx4iRJonX4gtd3r73DBM/ZhN/hKu1lb/MHOav8c5s=", "narHash": "sha256-Ht5wD/n2I/tQWNgYIdmi3UQbm1FNwp9m9JmDjZEd6ng=",
"owner": "aristanetworks", "owner": "aristanetworks",
"repo": "nix-serve-ng", "repo": "nix-serve-ng",
"rev": "578ad85b3096d99b25cae0a73c03df4e82f587c7", "rev": "6e8d82a451fccbaa4714da8f7a3db5907bdfa96d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -63,29 +63,29 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1728627514, "lastModified": 1732981179,
"narHash": "sha256-r+SF9AnHrTg+bk6YszoKfV9lgyw+yaFUQe0dOjI0Z2o=", "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c505ebf777526041d792a49d5f6dd4095ea391a7", "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-24.05", "ref": "nixos-24.11",
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1727825735, "lastModified": 1730504152,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
} }
}, },
"parts": { "parts": {
@ -93,11 +93,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1727826117, "lastModified": 1730504689,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github" "type": "github"
}, },
"original": { "original": {

4
flake.nix
View File

@ -2,7 +2,7 @@
description = "eve-psr-nix0 - Home Server"; description = "eve-psr-nix0 - Home Server";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-24.05"; nixpkgs.url = "nixpkgs/nixos-24.11";
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -64,11 +64,11 @@
./nix/system/hardware.nix ./nix/system/hardware.nix
./nix/system/nix-conf.nix ./nix/system/nix-conf.nix
./nix/system/network.nix ./nix/system/network.nix
./nix/system/openvpn.nix
./nix/system/overlays.nix ./nix/system/overlays.nix
./nix/system/security.nix ./nix/system/security.nix
./nix/system/system.nix ./nix/system/system.nix
./nix/system/virtualisation.nix ./nix/system/virtualisation.nix
./nix/system/wireguard.nix
./nix/user/users.nix ./nix/user/users.nix
]; ];

1
nix/system/age.nix
View File

@ -23,6 +23,7 @@
"restic/env".file = ../../secrets/restic/env.age; "restic/env".file = ../../secrets/restic/env.age;
"restic/password".file = ../../secrets/restic/env.age; "restic/password".file = ../../secrets/restic/env.age;
"restic/repo".file = ../../secrets/restic/env.age; "restic/repo".file = ../../secrets/restic/env.age;
"wireguard/server-private".file = ../../secrets/wireguard/server-private.age;
}; };
identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}; };

6
nix/system/network.nix
View File

@ -2,14 +2,14 @@
networking = { networking = {
hostName = "eve-psr-nix0"; hostName = "eve-psr-nix0";
firewall = { firewall = {
allowedTCPPorts = [ 22 80 443 3000 7860 9418 23231 23232 23233 ]; allowedTCPPorts = [ 22 80 443 23231 23232 23233 ];
allowedUDPPorts = [ 53 1194 ]; allowedUDPPorts = [ 53 51820 ];
trustedInterfaces = [ "tun0" ]; trustedInterfaces = [ "tun0" ];
}; };
nat = { nat = {
enable = true; enable = true;
externalInterface = "enp1s0"; externalInterface = "enp1s0";
internalInterfaces = [ "tun0" ]; internalInterfaces = [ "tun0" "wg0" ];
}; };
}; };
} }

56
nix/system/openvpn.nix
View File

@ -1,56 +0,0 @@
{ config, pkgs, ... }:
let
client-key = "/home/sezycei/srv/sec/openvpn/James/laptop.key";
domain = "matri.cx";
port = 1194;
in
{
services.openvpn.servers.laptop.config = ''
dev tun0
proto udp
ifconfig 10.8.0.1 10.8.0.2
secret ${client-key}
port ${toString port}
cipher AES-256-CBC
auth-nocache
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
'';
environment.etc."openvpn/laptop-client.ovpn" = {
text = ''
dev tun
remote "${domain}"
ifconfig 10.8.0.2 10.8.0.1
port ${toString port}
redirect-gateway def1
cipher AES-256-CBC
auth-nocache
comp-lzo
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
secret [inline]
'';
mode = "600";
};
system.activationScripts.openvpn-addkey = ''
f="/etc/openvpn/laptop-client.ovpn"
if ! grep -q '<secret>' $f; then
echo "appending secret key"
echo "<secret>" >> $f
cat ${client-key} >> $f
echo "</secret>" >> $f
fi
'';
}

33
nix/system/wireguard.nix Normal file
View File

@ -0,0 +1,33 @@
{ pkgs, config, lib, ...}: {
networking.wireguard.interfaces = {
wg0 = {
ips = [ "192.168.3.1/24" ];
listenPort = 51820;
privateKeyFile = "/run/agenix/wireguard/server-private";
peers = [
#
# James
#
{ # Primary Cell
publicKey = "jko+bd/y1+3X40/AGX9OpV2H/Wlb9C2Jwkfs4Knjljg=";
allowedIPs = [ "192.168.3.2/32" ];
}
#
# Caitlynn
#
{ # Primary Cell
publicKey = "Xbp3+huOWE0sTcWtk5BA2Qc4gk5vjFVgE6+qYJBpgkY=";
allowedIPs = [ "192.168.3.3/32" ];
}
];
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
'';
};
};
}

1
secrets.nix
View File

@ -18,4 +18,5 @@ in
"secrets/restic/env.age" = { publicKeys = all; }; "secrets/restic/env.age" = { publicKeys = all; };
"secrets/restic/repo.age" = { publicKeys = all; }; "secrets/restic/repo.age" = { publicKeys = all; };
"secrets/restic/password.age" = { publicKeys = all; }; "secrets/restic/password.age" = { publicKeys = all; };
"secrets/wireguard/server-private.age" = { publicKeys = all; };
} }

8
secrets/wireguard/server-private.age Normal file
View File

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 dQ70Fw ZqaqvUw6odr77kBeC+N9p8bFMYzD7MLCSAVi302J2VQ
BUJX5uq5cd3jOFNOUnDHdcxV8OPkcY+W/aJnY3XaLCI
-> ssh-ed25519 ZIoeGg y4LMGxFwIpd96YK7HjOQoHumpYqTklh1i3utAUTrMgg
37dz1lwZoHwCwrTsaCnX9mrQzGrEoP5RHjNV0Kasid4
--- 4tniCsqDuqZYGNn98GmgV8BS18E+0ANnjKWQU4wWHOs
¹Â?;HŠª ˜&{û Ńt•c«y8<#É༄ªm¾±äk8
šPèKH¬ÆÁ±Ow˜Ôéf¶}¿Pº`¯¾+…ßÝ5wÉot