From 815c2c295e15974f2ef41696b9ef60f8c0328c4a Mon Sep 17 00:00:00 2001
From: min
Date: Sat, 10 May 2025 16:44:48 -0400
Subject: [PATCH] New wireguard server
---
 flake.lock | 6 +-
 flake.nix | 2 +
 nixos/hosts/eidola/configuration.nix | 1 +
 nixos/hosts/eidola/wireguard.nix | 23 ++++++++
 nixos/hosts/silver/configuration.nix | 2 +-
 nixos/hosts/silver/services/default.nix | 1 +
 nixos/hosts/silver/services/shim-jellyfin.nix | 2 +-
 nixos/hosts/silver/services/wireguard.nix | 57 +++++++++++++++++++
 nixos/modules/hardening.nix | 5 --
 secrets/eidola.yaml | 8 ++-
 secrets/silver.yaml | 11 ++--
 11 files changed, 101 insertions(+), 17 deletions(-)
 create mode 100644 nixos/hosts/eidola/wireguard.nix
 create mode 100644 nixos/hosts/silver/services/wireguard.nix
diff --git a/flake.lock b/flake.lock
index 94d7a1d..690a02f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -181,11 +181,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1745487689,
- "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=",
+ "lastModified": 1746557022,
+ "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3",
+ "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 245cbc2..0c97f4b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -48,6 +48,8 @@
 openssl # not included: age, age-plugin-yubikey, pcscd + wireguard-tools + deploy-rs nixos-anywhere
diff --git a/nixos/hosts/eidola/configuration.nix b/nixos/hosts/eidola/configuration.nix
index cf2b5c3..9c7e4eb 100644
--- a/nixos/hosts/eidola/configuration.nix
+++ b/nixos/hosts/eidola/configuration.nix
@@ -13,6 +13,7 @@
 ./nebula.nix
 ./zfs.nix
 ./prometheus.nix
+ ./wireguard.nix
 ];
 networking.hostName = "eidola"; # Define your hostname.
diff --git a/nixos/hosts/eidola/wireguard.nix b/nixos/hosts/eidola/wireguard.nix
new file mode 100644
index 0000000..7246dbf
--- /dev/null
+++ b/nixos/hosts/eidola/wireguard.nix
@@ -0,0 +1,23 @@
+{config, ...}: {
+ sops.secrets."wireguard-key" = {};
+ sops.secrets."wireguard-psk" = {};
+
+ networking.wireguard = {
+ enable = true;
+
+ interfaces.wg0 = {
+ ips = ["10.193.0.2/16"];
+ privateKeyFile = config.sops.secrets."wireguard-key".path;
+
+ peers = [
+ {
+ publicKey = "OeIBzwOGYjQPU7co4MlNDqnARnJoICXMNam7TJWNBG0=";
+ presharedKeyFile = config.sops.secrets."wireguard-psk".path;
+ allowedIPs = ["10.193.0.0/16"];
+ endpoint = "min.rip:49090";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
diff --git a/nixos/hosts/silver/configuration.nix b/nixos/hosts/silver/configuration.nix
index 2509e00..196bfe8 100644
--- a/nixos/hosts/silver/configuration.nix
+++ b/nixos/hosts/silver/configuration.nix
@@ -23,7 +23,7 @@ in {
 ];
 networking.hostName = "silver"; # Define your hostname.
- time.timeZone = "America/Chicago"; # Set your time zone.
+ time.timeZone = "America/New_York"; # Set your time zone.
 # Allow unfree packages (firmware)
 nixpkgs.config.allowUnfree = true;
diff --git a/nixos/hosts/silver/services/default.nix b/nixos/hosts/silver/services/default.nix
index b5f78a4..053ac09 100644
--- a/nixos/hosts/silver/services/default.nix
+++ b/nixos/hosts/silver/services/default.nix
@@ -11,6 +11,7 @@
 ./grafana.nix
 ./vaultwarden.nix
 ./shim-jellyfin.nix
+ ./wireguard.nix
 ];
 security.acme = {
diff --git a/nixos/hosts/silver/services/shim-jellyfin.nix b/nixos/hosts/silver/services/shim-jellyfin.nix
index 625aa04..f15493a 100644
--- a/nixos/hosts/silver/services/shim-jellyfin.nix
+++ b/nixos/hosts/silver/services/shim-jellyfin.nix
@@ -8,7 +8,7 @@ in {
 enableACME = true;
 locations."/" = {
- proxyPass = "http://${toString httpIntAddr}:${toString httpIntPort}";
+ proxyPass = "http://${httpIntAddr}:${toString httpIntPort}";
 proxyWebsockets = true;
 };
 };
diff --git a/nixos/hosts/silver/services/wireguard.nix b/nixos/hosts/silver/services/wireguard.nix
new file mode 100644
index 0000000..60afcc5
--- /dev/null
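Review bot: Nothing in this file opens TCP/UDP 139 and 445 on wg0 for eidola itself, yet the only traffic silver's FORWARD chain admits toward 10.193.0.2 is exactly those ports; unless they are opened elsewhere (for example by a samba module or a `networking.firewall.interfaces.wg0` rule outside this commit), the relayed SMB connections will be accepted by silver and then dropped at eidola's own INPUT chain. The `allowedIPs = ["10.193.0.0/16"]` entry is what lets packets originating from the other spoke (10.193.1.1) arrive under silver's key, which is correct for the hub layout but not obvious from the file. A comment above the peer would make both points explicit, e.g. `# silver: hub at min.rip:49090; relays SMB (139/445) from other peers to this host, so those ports must be open on wg0 here`.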
+++ b/nixos/hosts/silver/services/wireguard.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ interface = "wg0";
+ wgPort = 49090;
+in {
+ sops.secrets."svc-wireguard-key" = {};
+ sops.secrets."svc-wireguard-psk-0-2" = {};
+ sops.secrets."svc-wireguard-psk-1-1" = {};
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+
+ networking = {
+ firewall.allowedUDPPorts = [wgPort];
+
+ wireguard = let
+ iptables = "${pkgs.iptables}/bin/iptables";
+ in {
+ enable = true;
+
+ interfaces.${interface} = {
+ ips = ["10.193.0.1/16"];
+ listenPort = wgPort;
+
+ privateKeyFile = config.sops.secrets."svc-wireguard-key".path;
+
+ postSetup = ''
+ ${iptables} -A FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT
+ ${iptables} -A FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p udp -m multiport --dports 139,445 -j ACCEPT
+ ${iptables} -A FORWARD -i ${interface} -o ${interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ${iptables} -A FORWARD -i ${interface} -o ${interface} -j DROP
+ '';
+ preShutdown = ''
+ ${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT
+ ${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p udp -m multiport --dports 139,445 -j ACCEPT
+ ${iptables} -D FORWARD -i ${interface} -o ${interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ${iptables} -D FORWARD -i ${interface} -o ${interface} -j DROP
+ '';
+
+ peers = [
+ {
+ publicKey = "37FwgVhjem6QCSAzPtdYNwHMPC0YIKpsBOp4Ix23lGU=";
+ allowedIPs = ["10.193.0.2/32"];
+ presharedKeyFile = config.sops.secrets."svc-wireguard-psk-0-2".path;
+ }
+ {
+ publicKey = "ayscoZwIMa9eNciYODZlILrXzfwn0t/2j/qa7/ftUQM=";
+ allowedIPs = ["10.193.1.1/32"];
+ presharedKeyFile = config.sops.secrets."svc-wireguard-psk-1-1".path;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/nixos/modules/hardening.nix b/nixos/modules/hardening.nix
index 671a7b4..60ff125 100644
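Review bot: The FORWARD rules in `postSetup` only constrain wg0-to-wg0 traffic, while `net.ipv4.ip_forward` is enabled for every interface, so a packet arriving on wg0 that is addressed beyond silver's other interfaces matches none of the added rules and falls through to whatever policy the FORWARD chain already has, which this hunk does not set. Appending `${iptables} -A FORWARD -i ${interface} -j DROP` after the existing wg0-to-wg0 DROP (with the matching `-D` line in `preShutdown`) would make the intended "peers only reach SMB on 10.193.0.2" policy explicit rather than dependent on the chain's default. Because the rules are installed from the interface's setup hook instead of `networking.firewall.extraCommands`, a firewall reload while wg0 is up may, depending on how the firewall service resets its chains, leave them missing until the interface is recreated; that deserves either a comment or a move into the firewall module. The peers block would also read better with a name per public key, e.g. `# eidola (10.193.0.2): SMB target of the FORWARD rules above` before the first entry, since the psk secret names only encode the address suffix.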
--- a/nixos/modules/hardening.nix
+++ b/nixos/modules/hardening.nix
@@ -8,7 +8,6 @@ with lib; let
 in {
 options.gen.hardening = {
 hardenBpf = mkEnableOption "place heavier restrictions on BPF";
- fullRpFilter = mkEnableOption "full reverse path filtering. (breaks dynamic routing, probably)";
 ignoreIcmpEcho = mkEnableOption "ignore icmp echos. (obviously, this makes pings unresponsive)";
 disableSack = mkEnableOption "disable tcp sack";
 disableConsole = mkEnableOption "disable console. (not recommended for test machines)";
@@ -35,10 +34,6 @@ in {
 "kernel.unprivileged_bpf_disabled" = 1;
 "net.core.bpf_jit_harden" = 2;
 })
- (mkIf cfg.fullRpFilter {
- "net.ipv4.conf.all.rp_filter" = 1;
- "net.ipv4.conf.default.rp_filter" = 1;
- })
 (mkIf cfg.disableSack {
 "net.ipv4.tcp_sack" = 0;
 "net.ipv4.tcp_dsack" = 0;
diff --git a/secrets/eidola.yaml b/secrets/eidola.yaml
index d4186ac..35fd100 100644
--- a/secrets/eidola.yaml
+++ b/secrets/eidola.yaml
@@ -2,6 +2,8 @@ root-pw: ENC[AES256_GCM,data:g/dIT5d5w+FCAbxgGRJoMISgVTySEqXoBCV/jopu9Cgm4db9zAF user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRAT5a7UQ5doxtDBgafcH1uCgqrsWwEmy9H5dS6WfLMivE5Uy213EcEk3YNUwI9d5vbdcbCcXWvPsyCu6sxS3x731EVVYA==,iv:4AHzVLoJD95d2UwwEAwxWP0G2gekHahBt4hDDA9ZSx0=,tag:03L3Ql070mt3oDV5YdrETg==,type:str] nebula-key: ENC[AES256_GCM,data:YnGtqqWXbwkMYFJAKcBXmbRE+lsW9DwRnsseocTAVVIAqw84o3Qny2LO1vzoErtP7Fx9vPaI2bzvJTICNSTBw2jH4thzLR71XpHZI7mo+FSXzpZx8pxv6pfVcCW4tNK7KXx/PyvzCU21npsPDoVlM1rE/LKPxu2PLoGBd6u+,iv:g5BIpHXXrHZovSWnLURhJzTCaZC6fjVNS1QXwnSlxVs=,tag:9D/wTzaJOd5Vls/l33jZSg==,type:str] terra-key: ENC[AES256_GCM,data:pQRlvltiRr83ndfSjX/I8n1WekS9jY2K1QyLTTcYn14TRupRVgvX47rsus1QA9QAbpT/9f0ZYld3aCrR5J0rxg==,iv:mkiu/+uLKOHG9gDjv72T7JGz6/3oaimDawAOqGs3Koo=,tag:c9Ubj3i5rDj5vaLBRpAUkQ==,type:str] +wireguard-key: ENC[AES256_GCM,data:aM76YT/0gbfw87x3ThrwFMuf9DxC0IJ5aCeEFDtL+JWPGsZk3XtrN+kxW6w=,iv:ssh+sGPxMU55ubNZlWcWh+3fXvhjhJ6cNJhPZJVXEyw=,tag:2PdoFb2CyeTkV0EKfcpZiQ==,type:str] +wireguard-psk: ENC[AES256_GCM,data:fEDfzuZVvEC8/HHbV4k0fSZHucRk3PLc/jaf/wl5Np+4OB1SiK6VnSyoW2o=,iv:2QnunJjHxt8V/DBG2KAuzwGQsJnmrspj6x01ufiJteY=,tag:teEVG+TuRg+QsY4jMg2DzQ==,type:str] sops: age: - recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj 
@@ -23,7 +25,7 @@ sops: VTJvaGtSZGpQMSs5N05pblQ4aEIzbkkKQiM+335AZC2+UmotonvM1nsyA/l9F5gr da9+ltLr5U88pXfcdpiXTmxrSnMzDgLuZLRKZ0S/ZllGDhlnwxsuOQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-14T07:48:40Z" - mac: ENC[AES256_GCM,data:1PUbru5HQynz5oC6AFcwreJdT7HupCZUuISsSTQkIY4fQHCeYDp5SqdNhGxjfjl9g7DeoNDCK3jCSY3HPnoz+34RfiC1Cf8lLjV139+jROHakG0gv05wrKqH2b8d52deX/OwDP5SV3mg3OFkiiDEroGF/1apAPs+FXeehnt4jQg=,iv:7E1i9ENR4ZEBYl2aSoNLBOmV7Xx3F7Fr8Ldr8SkWrlE=,tag:L0sCmeD8lCcxA/qtrHr7xg==,type:str] + lastmodified: "2025-05-09T23:52:41Z" + mac: ENC[AES256_GCM,data:38RF2ZBEN8bnldWusQNhpju9zPd/sWRG8LgNesarcuqyqHVJCbjOo3Wm2arXCmnQAFlcmrLCbyheD/bpNhgbVEP2JscrqsH1PFTAAi+iLUK6AT4VZ1q/cdhRVVnHlR+wtehxufJ1sEAp3LNBbDKeSKTk8jorEfEz8NdE0uPvvjg=,iv:u9F0nEKYO/0E51f4z46GNvgK8E7QwoVI+xn7do5sGRc=,tag:Ovv85eGJi037y9hh1KqzEg==,type:str] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.10.2 diff --git a/secrets/silver.yaml b/secrets/silver.yaml index b2a397f..b7fd842 100644 --- a/secrets/silver.yaml +++ b/secrets/silver.yaml 
@@ -6,7 +6,10 @@ svc-breeze-upload_key: ENC[AES256_GCM,data:qNNH4/Q0rk2lsMImzpVe54+DbSAOiGjo,iv:r svc-sim-breeze-upload_key: ENC[AES256_GCM,data:qm93iBzGhqp7IuZ01uZ6PyL5bL45+W0oOeDyQRGEzZw=,iv:5F7BV5Sg6GUxIGQychaEZSeG7xDFF+JdRL83PJULWJA=,tag:W/Q8vGaPoLNnj1Wyvc9Cnw==,type:str] svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNNe0XCkyQETHT6Q/w2jqO9eAVA2EDJyK4Vk3S4MP6ppcGxwocMmTYzkAjmtwf6a7GzUyh14+Lj5VTybvIKOze0wuLlsEUUYgU=,iv:HTnPaS5/ZvdJIMKiTfPffZmemp5IGTo/mIWrpafk/Fk=,tag:2HusbhzmxqsTMz5/78WCRA==,type:str] svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str] -svc-nebula-key: ENC[AES256_GCM,data:kqVqnsEgEsMGz2Ud0CS4DnVDd7claVoFyB3grV8TWK/mGdtJwysIYsQRmpbwXcOTTfgdX6vLKxJvleLLHFQGTjf/7QwBrmhfUKryd7CEukaZUsmkJAx3fH5y0mMd84nJucyQk5NqXZhyXQNwg9zmyH20XdaLqrdr0dtkQzIf,iv:OHoIHRKJt4kqbQye6SHLD9wVbLl7wTvs5CheIeOObeg=,tag:4AG0sSlOdTrqtXj3UqzaHQ==,type:str] +svc-nebula-key: ENC[AES256_GCM,data:FV5KD4pMAXN1VBh93M3sDN5qb/B2SCGXKnfi+IMLcCKLyoUeQXfie79xv/XVzgFGGUcDgnxCsVEkMiraOlqeLWaiYRMBI6DF7Q+xtpNDqPTmUeq92njmbabruMBpp83FkcgF1jr8vaS7d8HnPgoQEBHGISAE2e8iAtMPGew=,iv:CZsHcvYPGqouKnOgraP4dhI7zK7POgnuvxYiZjYnwKs=,tag:8d9APnFVR1yvBvIG56OETg==,type:str] +svc-wireguard-key: ENC[AES256_GCM,data:dmxJ07UnQAtet4RtlVXEMFLVKxOU44XQcUW7h7UPbLG9chiQeXGkZkkTihs=,iv:bEA9+DYDBLo1dgrCSrIpa1ig9JJEtXeJF5ZmtdsAO3s=,tag:tyLB5Dd9uolalSzddC608A==,type:str] +svc-wireguard-psk-0-2: ENC[AES256_GCM,data:0sTGYa3HUe70hYJZnPy9w0iG37aRDTplmdvGdc5C8KN8Dg5XbVc2CmVS1r4=,iv:9Dnr3BYhzKKOZ7S565HY4CkhgPv1JEd3Zk7662/cd9s=,tag:Dd0BLrIjfX0F2lBan59jUg==,type:str] +svc-wireguard-psk-1-1: ENC[AES256_GCM,data:YbxjRleUWTr1+rZyzZ+5vB9Po/V0T1mYhH+H8igjascGV/Oo4lPn1xoYqLg=,iv:+fcWdpRqR7GU5UXug+6GCX9Be5DoE944T5PIm0csgEU=,tag:3mGEL3KYjfSJ9uM+i6Wirg==,type:str] sops: age: - recipient: 
age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj @@ -28,7 +31,7 @@ sops: MXdERWkyRitkbWtHMnpQaGxhbTRma2cK75S4x9TdquXAV00m9EQ1vJno14YTmPD4 K8ne37brRWWi3gW6JsaOQOshNE19u4uwkAXZ2IQ+NdAq7Kt/qrcU8w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-01T04:01:15Z" - mac: ENC[AES256_GCM,data:1eMZuUzXH1fPIWh32J6RUntb/ki7OTovX/dtQ5uaf6J6r+B6nLR+TvpAdw4P+XLnxtTeVGIZEHb0sXSA9WXcEE90MHIYOPxG/rb/zf0IOGtg/iwfgLFTacaDJsqX4+WwQJgACJ98SbtznyXr0NnP2d4SudIOjkj05subfrOcPYo=,iv:Fzp1iLEtfxhvy14SG1l06mSDplD2KQoOV+t4rUMX9Qw=,tag:6JRywlTUw6V7yajm6lar8g==,type:str] + lastmodified: "2025-05-10T00:53:55Z" + mac: ENC[AES256_GCM,data:KOs621LpjHZCoMhcTv1r5XQn3wGv18HSBIuGOsgqx8V9SZQE8a5mFKqPHw7eVRhD0sXa0tZrsdRGyjuYBrQ/W1Ay5iiehg00RICfthx9ON0sAxam8nJpUAV5fnmW57yj3OQfNQWgivsRy18bTUMUZ2WxNTGTk7iUW1oLuKXZW6Y=,iv:BYonX1N3Rdg8FNtkRmd+kGNhg/j9kN5fyG7NQRz4V+U=,tag:8Lc/Ql5Azl4el0ZvHm7Zag==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.10.2