Migrate from WG to TS/HS

2025-04-21 15:47:20 -05:00 · 2025-04-21 15:47:20 -05:00 · 2034274ee0
commit 2034274ee0
parent 041bba5aeb
9 changed files with 50 additions and 53 deletions
--- a/flake.nix
+++ b/flake.nix
@ -50,6 +50,7 @@
                    nix-serve-ng.nixosModules.default
                    ./nix/application/containers.nix
                    ./nix/application/headscale.nix
                    ./nix/application/miniflux.nix
                    ./nix/application/nginx.nix
                    ./nix/application/postgresql.nix
@ -68,7 +69,6 @@
                    ./nix/system/security.nix
                    ./nix/system/system.nix
                    ./nix/system/virtualisation.nix
                    ./nix/system/wireguard.nix
                    ./nix/user/users.nix
                  ];
--- a/nix/application/containers.nix
+++ b/nix/application/containers.nix
@ -1,5 +1,13 @@
 { config, lib, pkgs, ... }:
 {
  environment.etc."containers/containers.conf".text = lib.mkForce ''
    [engine]
    init_path = "${pkgs.catatonit}/bin/catatonit"
    [network]
    network_backend = "cni"
    cni_plugin_dirs = ["${pkgs.cni-plugins}/bin"]
  '';
  virtualisation.oci-containers = {
    containers = {
--- a/nix/application/headscale.nix
+++ b/nix/application/headscale.nix
@ -0,0 +1,23 @@
 { pkgs, config, ...}: {
  services.headscale = {
    enable = true;
    address = "0.0.0.0";
    port = 35893;
    settings = { 
      dns.base_domain = "vpn.matri.cx";
      logtail.enabled = false; 
      noise.private_key_path = "/var/lib/headscale/noise_private.key";
      server_url = "https://vpn.matri.cx:443";
    };
  };
  services.tailscale = {
    enable = true;
    extraSetFlags = [
      "--advertise-exit-node"
    ];
    extraUpFlags = [
      "--advertise-tags=tag:home-server"
    ];
    useRoutingFeatures = "both";
  };
 }
--- a/nix/application/nginx.nix
+++ b/nix/application/nginx.nix
@ -71,11 +71,19 @@
        "jame.su" = static { dir = "/var/www/jame.su"; };
        "matri.cx" = static { dir = "/var/www/matri.cx"; };
        "media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
        "pw.eversole.co" = proxied { target = "http://127.0.0.1:40080"; };
        "sezycei.com" = static { dir = "/var/www/sezycei.com"; };
        "snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
        "transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };
-        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
+        "vpn.matri.cx" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://localhost:${toString config.services.headscale.port}";
            proxyWebsockets = true;
          };
        };
      };
  };
 }
--- a/nix/system/age.nix
+++ b/nix/system/age.nix
@ -22,7 +22,6 @@
      "restic/env".file = ../../secrets/restic/env.age;
      "restic/password".file = ../../secrets/restic/env.age;
      "restic/repo".file = ../../secrets/restic/env.age;
      "wireguard/server-private".file = ../../secrets/wireguard/server-private.age;
    };
    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
--- a/nix/system/network.nix
+++ b/nix/system/network.nix
@ -1,15 +1,16 @@
-{ ... }: {
+{ config, ... }: {
  networking = {
    hostName = "eve-psr-nix0";
    firewall = {
      allowedTCPPorts = [ 22 80 443 5000 23231 23232 23233 ];
-      allowedUDPPorts = [ 53 51820 ];
+      allowedUDPPorts = [ 53 51820 config.services.tailscale.port ];
-      trustedInterfaces = [ "tun0" ];
+      extraCommands = ''
-    };
+        iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
-    nat = {
+      '';
-      enable = true;
+      extraStopCommands = ''
-      externalInterface = "enp1s0";
+        iptables -t nat -D POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
-      internalInterfaces = [ "tun0" "wg0" ];
+      '';
    };
    nat.enable = true;
  };
 }
--- a/nix/system/wireguard.nix
+++ b/nix/system/wireguard.nix
@ -1,33 +0,0 @@
 { pkgs, config, lib, ...}: {
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "192.168.3.1/24" ];
      listenPort = 51820;
      privateKeyFile = "/run/agenix/wireguard/server-private";
      peers = [
          #
          # James
          #
        { # Primary Cell
          publicKey = "jko+bd/y1+3X40/AGX9OpV2H/Wlb9C2Jwkfs4Knjljg=";
          allowedIPs = [ "192.168.3.2/32" ];
        }
          #
          # Caitlynn
          #
        { # Primary Cell
          publicKey = "Xbp3+huOWE0sTcWtk5BA2Qc4gk5vjFVgE6+qYJBpgkY=";
          allowedIPs = [ "192.168.3.3/32" ];
        }
      ];
      postSetup = ''
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
      '';
      postShutdown = ''
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
      '';
    };
 	};
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -17,5 +17,4 @@ in
  "secrets/restic/env.age" = { publicKeys = all; };
  "secrets/restic/repo.age" = { publicKeys = all; };
  "secrets/restic/password.age" = { publicKeys = all; };
  "secrets/wireguard/server-private.age" = { publicKeys = all; };
 }
--- a/secrets/wireguard/server-private.age
+++ b/secrets/wireguard/server-private.age
@ -1,8 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 dQ70Fw ZqaqvUw6odr77kBeC+N9p8bFMYzD7MLCSAVi302J2VQ
 BUJX5uq5cd3jOFNOUnDHdcxV8OPkcY+W/aJnY3XaLCI
 -> ssh-ed25519 ZIoeGg y4LMGxFwIpd96YK7HjOQoHumpYqTklh1i3utAUTrMgg
 37dz1lwZoHwCwrTsaCnX9mrQzGrEoP5RHjNV0Kasid4
 --- 4tniCsqDuqZYGNn98GmgV8BS18E+0ANnjKWQU4wWHOs
 ¹Â?;HŠª	˜&{Ã» Åƒt•c«y8<#Éà¼„ªmÂ¾±äk8
 šPèKH¬ÆÁ±Ow˜Ôéf¶}¿Pº`¯¾+…ßÝ5wÉot