Diffstat (limited to 'modules/foundation')
| -rw-r--r-- | modules/foundation/default.nix | 1 | ||||
| -rw-r--r-- | modules/foundation/services/default.nix | 4 | ||||
| -rw-r--r-- | modules/foundation/services/networks.nix | 25 | ||||
| -rw-r--r-- | modules/foundation/wireguard.nix | 130 |
4 files changed, 7 insertions, 153 deletions
diff --git a/modules/foundation/default.nix b/modules/foundation/default.nix
index 68e102a..3905eb8 100644
--- a/modules/foundation/default.nix
+++ b/modules/foundation/default.nix
@@ -3,7 +3,6 @@
 {
 imports = [
 ./tailnet.nix
- ./wireguard.nix
 ./services
 ./monitoring
 ./www
diff --git a/modules/foundation/services/default.nix b/modules/foundation/services/default.nix
index 8136ce0..4c01bd7 100644
--- a/modules/foundation/services/default.nix
+++ b/modules/foundation/services/default.nix
@@ -13,8 +13,8 @@
 driver = "bridge";
 ipv6 = {
 enable = true;
- subnet = "2001:d0c:1::/48";
- gateway = "2001:d0c:1::1";
+ subnet = "fc00:d0c:1::/48";
+ gateway = "fc00:d0c:1::1";
 };
 };
 }
diff --git a/modules/foundation/services/networks.nix b/modules/foundation/services/networks.nix
index 7205ec1..b5f1732 100644
--- a/modules/foundation/services/networks.nix
+++ b/modules/foundation/services/networks.nix
@@ -81,7 +81,7 @@ in
 Don't set to get a random subnet assigned to you within the subnet defined in `defaultIPv6SubnetPrefix`.
 '';
- example = "2001:d0c:123::/64";
+ example = "fc00:d0c:123::/64";
 default = null;
 };
@@ -91,7 +91,7 @@ in
 IPv6 gateway for this network.
 Should match the subnet.
 '';
- example = "2001:d0c:123::1";
+ example = "fc00:d0c:123::1";
 default = null;
 };
 };
@@ -157,7 +157,7 @@ in
 a set subnet. Prefix length defined by `defaultIPv6SubnetLength`.
 '';
- default = "2001:d0c";
+ default = "fc00:d0c";
 };
 defaultIPv6SubnetLength = mkOption {
@@ -190,6 +190,8 @@ in
 experimental = true;
 ipv6 = true;
 ip6tables = true;
+ "ip-forward" = true;
+ "firewall-backend" = "nftables";
 fixed-cidr-v6 = "${cfg.defaultIPv6SubnetPrefix}:255::/${toString cfg.defaultIPv6SubnetLength}";
 };
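Review bot: The new `subnet = "fc00:d0c:1::/48"` and `gateway = "fc00:d0c:1::1"` in the services/default.nix hunk sit in fc00::/8, the half of the fc00::/7 ULA block that RFC 4193 reserves (L bit = 0) and leaves undefined; locally assigned ULAs belong in fd00::/8, and the RFC asks for a pseudo-random 40-bit Global ID rather than a memorable one so that prefixes do not collide when networks are later joined (the WireGuard module this commit deletes used the same memorable pattern, fd0f:123::). Leaving 2001:d0c::/48, which lies in global unicast space, is a clear improvement; to finish it, something like `subnet = "fd<random-40-bit-id>::/48";` (placeholder) would fit. The same prefix choice recurs in the networks.nix hunks at @@ -81 and @@ -91 (the examples) and at @@ -157 (`default = "fc00:d0c"`), which also feeds `fixed-cidr-v6` in the @@ -190 hunk.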
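Review bot: `"firewall-backend" = "nftables"` in the @@ -190 hunk tells Docker to manage its rules through nftables, while the NixOS firewall in this module is still expressed through iptables-style options (`trustedInterfaces`, and the `extraCommands` removed in the next hunk); whether `networking.nftables.enable` is set is not visible here, and running both rule systems on one host makes it hard to reason about which chain sees a forwarded packet first. `"ip-forward" = true` also turns on host-wide forwarding; with the iptables backend Docker pairs that with a default-drop FORWARD policy, and I would confirm that the nftables backend on this Docker version does the same before relying on it, since this commit removes the explicit ip6tables FORWARD rules. A short comment above the two added lines, such as `# forwarding for the br-* bridges is now left to Docker's nftables backend`, would record that dependency next to the setting. The enclosing daemon settings attrset starts before the hunk.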
@@ -200,24 +202,7 @@ in
 };
 networking.firewall = {
- # both options should work together to let all packets coming from
- # docker bridges through.
 trustedInterfaces = [ "br-*" ];
- extraCommands = ''
- # allow inbound packets
- ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null || true
-
- # allow outbound to the docker bridge
- ip6tables -A nixos-fw -o br-+ -j nixos-fw-accept 2>/dev/null || true
-
- # allow forwarding between bridges+external interfaces
- ip6tables -I FORWARD -i br-+ -j ACCEPT 2>/dev/null || true
- ip6tables -I FORWARD -o br-+ -j ACCEPT 2>/dev/null || true
-
- # allow return traffic
- # note: nothing works without this!
- ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
- '';
 };
 systemd.services =
diff --git a/modules/foundation/wireguard.nix b/modules/foundation/wireguard.nix
deleted file mode 100644
index 366a353..0000000
--- a/modules/foundation/wireguard.nix
+++ /dev/null
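Review bot: With the `extraCommands` block gone, `trustedInterfaces = [ "br-*" ]` is the only firewall statement left for the bridges, and nothing in `networking.firewall` now says where IPv6 forwarding for them is enforced; the removed comment "both options should work together" was the only pointer, so a replacement such as `# forwarding between br-* bridges and the outside is now handled by Docker's firewall backend (see the daemon settings)` would keep that dependency visible. The wildcard also trusts every interface whose name starts with br- for host-bound traffic, not only Docker's bridges, which is presumably intended but worth stating in the same comment. The `systemd.services` definition that follows continues outside the hunk.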
@@ -1,130 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-
-let
- inherit (pkgs) iptables;
-
- inherit (lib)
- mkIf
- mkEnableOption
- mkOption
- assertMsg
- types
- ;
-
- cfg = config.foundation.wireguard;
-
- # TODO: we might want to configure these through options?
-
- wireguardPort = 51820;
- wireguardIPv4 = number: subnet: "10.123.10.${number}/${subnet}";
- wireguardIPv6 = number: subnet: "fd0f:123::${number}/${subnet}";
-
- wireguardInterface = "wg0";
-in
-{
- options.foundation.wireguard =
- let
- peerSubmodule =
- with types;
- submodule {
- options = {
- ip = mkOption {
- type = int;
- };
-
- key = mkOption {
- type = str;
- };
- };
- };
- in
- {
- server = {
- enable = mkEnableOption "wireguard vpn server";
-
- externalInterface = mkOption {
- type = types.str;
- default = "eth0";
- };
-
- peers = mkOption {
- type = types.attrsOf peerSubmodule;
- default = { };
- };
- };
- };
-
- config = mkIf cfg.server.enable {
- age.secrets.wireguard-private-key = {
- file = ../../secrets/wireguard-private-key.age;
- };
-
- # enable nat, to rename internal wireguard ips to external ip (w/ iptables)
- networking = {
- nat = {
- enable = true;
- internalInterfaces = [ wireguardInterface ];
- inherit (cfg.server) externalInterface;
- };
-
- firewall = {
- allowedUDPPorts = [ wireguardPort ];
- };
- };
-
- # enable kernel support for ipv6 forwarding
- boot.kernel.sysctl = {
- "net.ipv6.conf.all.forwarding" = 1;
- "net.ipv6.conf.default.forwarding" = 1;
- };
-
- networking.wireguard.interfaces.${wireguardInterface} =
- let
- inherit (cfg.server) externalInterface;
-
- peerIPs = peerNumber: [
- (wireguardIPv4 peerNumber "32")
- (wireguardIPv6 peerNumber "128")
- ];
-
- mkPeer =
- p:
- assert assertMsg (p.ip > 1) "ip has to be larger that 1";
- {
- allowedIPs = peerIPs (toString p.ip);
- publicKey = p.key;
- };
- peers = map mkPeer (builtins.attrValues cfg.server.peers);
- in
- {
- inherit peers;
-
- # ip address of server + subnet of network
- ips = [
- (wireguardIPv4 "1" "24")
- (wireguardIPv6 "1" "112")
- ];
- listenPort = wireguardPort;
-
- # route wireguard traffic to the internet
- # also requires clients to have dns set. (i think)
- # to avoid, maybe? use wg-quick + dnsmasq?
- postSetup = ''
- ${iptables}/bin/iptables -t nat -A POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
- ${iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
- '';
-
- postShutdown = ''
- ${iptables}/bin/iptables -t nat -D POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
- ${iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
- '';
-
- privateKeyFile = config.age.secrets.wireguard-private-key.path;
- };
- };
-}
