From bcce7262a7f3f42d9743b0f873874da4f4318612 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 2 Oct 2023 21:28:05 +0200 Subject: [PATCH] config wiregrill: split into server and client --- 2configs/home/ham/nginx.nix | 7 +--- 2configs/home/photoprism.nix | 5 +-- 2configs/home/zigbee2mqtt/default.nix | 3 +- 2configs/share/gum-client.nix | 1 - 2configs/sync/default.nix | 6 +-- 2configs/tools/extra-gui.nix | 1 + 2configs/wireguard/wiregrill-client.nix | 41 +++++++++++++++++++ .../{wiregrill.nix => wiregrill-server.nix} | 13 ++---- 8 files changed, 52 insertions(+), 25 deletions(-) create mode 100644 2configs/wireguard/wiregrill-client.nix rename 2configs/wireguard/{wiregrill.nix => wiregrill-server.nix} (92%) diff --git a/2configs/home/ham/nginx.nix b/2configs/home/ham/nginx.nix index cd99c07..c8d2c26 100644 --- a/2configs/home/ham/nginx.nix +++ b/2configs/home/ham/nginx.nix @@ -3,13 +3,8 @@ let in { services.nginx.recommendedProxySettings = true; services.nginx.virtualHosts."hass" = { - serverAliases = [ "hass.lan" "ha" "ha.lan" ]; + serverAliases = [ "hass.lan" "ha" "ha.lan" "hass.omo.w" "hass.omo.r" ]; locations."/".proxyPass = "http://localhost:8123"; locations."/".proxyWebsockets = true; - extraConfig = '' - if ( $server_addr != "${internal-ip}" ) { - return 403; - } - ''; }; } diff --git a/2configs/home/photoprism.nix b/2configs/home/photoprism.nix index 78ecef3..9f10574 100644 --- a/2configs/home/photoprism.nix +++ b/2configs/home/photoprism.nix @@ -21,7 +21,6 @@ let internal-ip = "192.168.111.11"; in { - sops.secrets."photoprism/envfile" = {}; virtualisation.oci-containers.backend = "docker"; services.nginx.virtualHosts."photos" = { @@ -100,7 +99,7 @@ in }; environmentFiles = [ - config.sops.secrets."photoprism/envfile".path + config.sops.secrets."omo-photoprism-envfile".path ]; }; 
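Review bot: Dropping the `$server_addr` check from `extraConfig` removes the only restriction on the `hass` virtual host, so the proxy to `http://localhost:8123` now answers on every address nginx listens on rather than only `internal-ip`, and the new `hass.omo.w`/`hass.omo.r` aliases suggest it is meant to be reachable over the wiregrill tunnel as well. If that is the intent, replace the check with an explicit scope instead of none, e.g. `listenAddresses = [ internal-ip "<wiregrill address of this host>" ];` or an `allow`/`deny` block in `extraConfig` limited to the LAN and the wiregrill range, so Home Assistant is not exposed on any other interface. With the block gone the `internal-ip` binding in the `let` above the hunk appears to be unused; either use it in the replacement or drop it.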
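Review bot: The `sops.secrets."photoprism/envfile"` declaration is removed and the reference renamed to `omo-photoprism-envfile`, but nothing in this patch declares the new secret, so `config.sops.secrets."omo-photoprism-envfile".path` only evaluates if it is declared elsewhere (presumably generated per machine, going by the `${config.clanCore.machineName}-…` names used in sync/default.nix — confirm). The same applies to the second photoprism hunk, to `omo-zigbee2mqtt` in zigbee2mqtt/default.nix and to the syncthing key/cert in sync/default.nix; a one-line comment at each reference, `# declared externally by the per-machine sops generation`, would tell the next reader where the secret comes from. gum-client.nix drops `download.smb` with no replacement reference visible in its hunk, so check that the CIFS mount credentials still point at a declared secret.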
@@ -122,7 +121,7 @@ in #]; volumes= [ "${db-dir}:/var/lib/mysql" ]; environmentFiles = [ - config.sops.secrets."photoprism/envfile".path + config.sops.secrets."omo-photoprism-envfile".path ]; environment = { MYSQL_DATABASE= "photoprism"; diff --git a/2configs/home/zigbee2mqtt/default.nix b/2configs/home/zigbee2mqtt/default.nix index 34bf89a..9b718c0 100644 --- a/2configs/home/zigbee2mqtt/default.nix +++ b/2configs/home/zigbee2mqtt/default.nix @@ -6,9 +6,8 @@ let webport = 8521; in { - sops.secrets."zigbee2mqtt" = { + sops.secrets."omo-zigbee2mqtt" = { owner = "zigbee2mqtt"; - path = "/var/lib/zigbee2mqtt/configuration.yaml"; }; # symlink the zigbee controller diff --git a/2configs/share/gum-client.nix b/2configs/share/gum-client.nix index df2a6b7..fd7a730 100644 --- a/2configs/share/gum-client.nix +++ b/2configs/share/gum-client.nix @@ -8,7 +8,6 @@ let ]; host = "gum.w"; in { - sops.secrets."download.smb" = {}; boot.extraModprobeConfig = '' options cifs CIFSMaxBufSize=130048 ''; diff --git a/2configs/sync/default.nix b/2configs/sync/default.nix index c3880be..76048ac 100644 --- a/2configs/sync/default.nix +++ b/2configs/sync/default.nix @@ -5,14 +5,12 @@ used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.folders)); used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers; in { - sops.secrets."syncthing.key" = {}; - sops.secrets."syncthing.cert" = {}; services.syncthing = { enable = true; configDir = "/var/lib/syncthing"; devices = mk_peers used_peers; - key = config.sops.secrets."syncthing.key".path; - cert = config.sops.secrets."syncthing.cert".path; + key = config.sops.secrets."${config.clanCore.machineName}-syncthing.key".path; + cert = config.sops.secrets."${config.clanCore.machineName}-syncthing.cert".path; }; services.syncthing.folders.the_playlist = { path = "/home/lass/tmp/the_playlist"; diff --git a/2configs/tools/extra-gui.nix b/2configs/tools/extra-gui.nix index 448c991..d6509e3 100644 
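Review bot: Removing `path = "/var/lib/zigbee2mqtt/configuration.yaml"` from the zigbee2mqtt secret means the decrypted `omo-zigbee2mqtt` file is no longer placed where the service reads its configuration; it lands at the sops default location instead, unless the external declaration of the secret sets that path (not visible here). Since `owner = "zigbee2mqtt"` is still set in this file, the path belongs next to it: `sops.secrets."omo-zigbee2mqtt" = { owner = "zigbee2mqtt"; path = "/var/lib/zigbee2mqtt/configuration.yaml"; };`, or a comment stating where the path is now configured.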
--- a/2configs/tools/extra-gui.nix +++ b/2configs/tools/extra-gui.nix @@ -7,6 +7,7 @@ # mirage - last time available in 19.09 inkscape libreoffice + guake # skype # teams synergy diff --git a/2configs/wireguard/wiregrill-client.nix b/2configs/wireguard/wiregrill-client.nix new file mode 100644 index 0000000..ec8e9ff --- /dev/null +++ b/2configs/wireguard/wiregrill-client.nix @@ -0,0 +1,41 @@ + +{ config, pkgs, lib, ... }: with lib; +let + + self = config.krebs.build.host.nets.wiregrill; + ext-if = config.makefu.server.primary-itf; + +in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { + #hack for modprobe inside containers + systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [ + (pkgs.writeDashBin "modprobe" ":") + ]); + + + networking.firewall = { + allowedUDPPorts = [ self.wireguard.port ]; + }; + + + networking.wireguard.interfaces.wiregrill = let + ipt = "${pkgs.iptables}/bin/iptables"; + ip6 = "${pkgs.iptables}/bin/ip6tables"; + in { + ips = + (optional (!isNull self.ip4) self.ip4.addr) ++ + (optional (!isNull self.ip6) self.ip6.addr); + listenPort = self.wireguard.port; + privateKeyFile = config.sops.secrets."${config.clanCore.machineName}-wiregrill.key".path; + allowedIPsAsRoutes = true; + peers = let + host = config.krebs.hosts.gum; + in [ + { + allowedIPs = host.nets.wiregrill.wireguard.subnets ; + endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}"); + persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61; + publicKey = (replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey); + } + ]; + }; +} diff --git a/2configs/wireguard/wiregrill.nix b/2configs/wireguard/wiregrill-server.nix similarity index 92% rename from 2configs/wireguard/wiregrill.nix rename to 2configs/wireguard/wiregrill-server.nix index 90351c5..0da0126 100644 --- a/2configs/wireguard/wiregrill.nix +++ b/2configs/wireguard/wiregrill-server.nix 
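Review bot: In the new wiregrill-client.nix the bindings `ext-if`, `ipt` and `ip6` are never used; they look carried over from the server file, and the leading blank line before `{ config, pkgs, lib, ... }:` can go as well. Dropping them also removes the implication that this file installs forwarding or NAT rules — it does not; routes come only from `allowedIPsAsRoutes = true` with `allowedIPs = host.nets.wiregrill.wireguard.subnets`. A short header comment would help, e.g. `# wiregrill client: single peer (gum), routes the wiregrill subnets through it; private key comes from the per-machine sops secret`. Note also that `networking.firewall.allowedUDPPorts = [ self.wireguard.port ]` opens the port on all interfaces; for a client that keeps the tunnel up with `persistentKeepalive` this inbound opening is not required and could be dropped to keep the exposed surface minimal.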
@@ -12,7 +12,7 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { (pkgs.writeDashBin "modprobe" ":") ]); - boot.kernel.sysctl = mkIf isRouter { + boot.kernel.sysctl = { "net.ipv6.conf.all.forwarding" = 1; "net.ipv4.conf.all.forwarding" = 1; }; @@ -25,14 +25,14 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { networking.firewall = { allowedUDPPorts = [ self.wireguard.port ]; - interfaces.wiregrill = mkIf isRouter { + interfaces.wiregrill = { allowedUDPPorts = [ 53 ]; allowedTCPPorts = [ 53 ]; }; }; - services.dnsmasq = mkIf isRouter { + services.dnsmasq = { enable = true; resolveLocalQueries = false; extraConfig = /* dnsmasq */ '' @@ -55,7 +55,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { ${ip6} -A FORWARD -i wiregrill -o wiregrill -j ACCEPT ${ip6} -A FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - '' + (optionalString isRouter '' #${ipt} -t nat -A PREROUTING -s 10.244.245.0/24 -j ACCEPT #${ipt} -t nat -A POSTROUTING -s 10.244.245.0/24 ! -d 10.244.245.0/24 -j MASQUERADE @@ -76,8 +75,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { ${ip6} -D FORWARD -i wiregrill -o wiregrill -j ACCEPT ${ip6} -D FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - '' + (optionalString isRouter '' - ${ipt} -t nat -D PREROUTING -s 10.244.245.0/24 -j ACCEPT ${ipt} -t nat -D POSTROUTING -s 10.244.245.0/24 -j MASQUERADE 
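Review bot: The hunks at `@@ -55` and `@@ -76` each delete the opening `'' + (optionalString isRouter ''` of a string concatenation, but neither shows the matching `'')` closer being removed, and the 13 changed lines the diffstat reports for this file are fully accounted for by the visible hunks; if those closers are still in `postSetup`/`postShutdown`, the expressions are now unbalanced, so confirm the renamed file still parses. With every `mkIf isRouter` gone, the `isRouter` binding in the `let` above the first hunk is presumably dead and should be removed. The server now unconditionally enables IP forwarding, dnsmasq and the DNS openings on the wiregrill interface; a comment at the top such as `# wiregrill server: always forwards and serves DNS for the wiregrill net; clients are configured in wiregrill-client.nix` would make the server/client split explicit.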
@@ -92,11 +89,9 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { allowedIPsAsRoutes = true; peers = mapAttrsToList (_: host: { - allowedIPs = if isRouter then + allowedIPs = (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++ (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr) - else - host.nets.wiregrill.wireguard.subnets ; endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}"); persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;