diff --git a/hosts/bifrost/network/wireguard.nix b/hosts/bifrost/network/wireguard.nix index d5ea719..b5c4d9f 100644 --- a/hosts/bifrost/network/wireguard.nix +++ b/hosts/bifrost/network/wireguard.nix @@ -1,10 +1,10 @@ { config, ... }: -let wireguard-peers = import ../../shared/wireguard-peers.nix; in { +let wireguard-peers = import ../../shared/wireguard-peers.nix { noEndpoints = true; }; in { sops.secrets = { "wireguard/bifrost/pk" = { mode = "400"; - owner = config.users.users.root.name; - group = config.users.users.root.group; + owner = config.users.users.systemd-network.name; + group = config.users.users.systemd-network.group; }; }; networking = { @@ -12,25 +12,36 @@ let wireguard-peers = import ../../shared/wireguard-peers.nix; in { allowedUDPPorts = [ 51821 ]; trustedInterfaces = [ "Homelab" ]; }; - wg-quick = { - interfaces = { - Homelab = { - listenPort = 51821; - privateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path; - address = [ - "${config.nodeconfig.facts.wireguard-ip}/24" - ]; - dns = [ "10.10.10.1" ]; - peers = with wireguard-peers; [ - (rico0 // { endpoint = null; }) - (rico1 // { endpoint = null; }) - (rico2 // { endpoint = null; }) - (wynne // { endpoint = null; }) - (layne // { endpoint = null; }) - skipper - kowalski - ]; - }; + }; + systemd.network = { + netdevs."99-Homelab" = { + netdevConfig = { + Name = "Homelab"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51821; + PrivateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path; + }; + wireguardPeers = with wireguard-peers; [ + rico0 + rico1 + rico2 + wynne + layne + skipper + kowalski + ]; + }; + networks."99-Homelab" = { + matchConfig = { + Name = "Homelab"; + }; + networkConfig = { + DNS = "10.10.10.1"; + Address = [ + "${config.nodeconfig.facts.wireguard-ip}/24" + ]; }; }; }; diff --git a/hosts/layne/network/wireguard.nix b/hosts/layne/network/wireguard.nix index 450d5ac..125406d 100644 --- a/hosts/layne/network/wireguard.nix 
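Review bot: The new `systemd.network.netdevs."99-Homelab"` / `networks."99-Homelab"` units are only installed when systemd-networkd is enabled, and this hunk does not add `systemd.network.enable = true;` (only the skipper hunk does); if bifrost does not enable it in a shared module the tunnel silently never comes up while the firewall still trusts the `Homelab` interface. The same applies to the layne, rico0, rico1, rico2 and wynne hunks. `networkConfig.DNS = "10.10.10.1"` is likewise honoured only when systemd-resolved owns resolution, whereas the removed wg-quick `dns` entry went through resolvconf, so confirm `services.resolved` is on for these hosts or drop the entry. A one-line comment above `systemd.network` such as `# requires systemd.network.enable (set in shared config) and systemd-resolved for DNS=` would make the dependency explicit.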
+++ b/hosts/layne/network/wireguard.nix @@ -1,10 +1,10 @@ { config, ... }: -let wireguard-peers = import ../../shared/wireguard-peers.nix; in { +let wireguard-peers = import ../../shared/wireguard-peers.nix { }; in { sops.secrets = { "wireguard/layne/pk" = { mode = "400"; - owner = config.users.users.root.name; - group = config.users.users.root.group; + owner = config.users.users.systemd-network.name; + group = config.users.users.systemd-network.group; }; }; networking = { @@ -12,25 +12,35 @@ let wireguard-peers = import ../../shared/wireguard-peers.nix; in { allowedUDPPorts = [ 51834 ]; trustedInterfaces = [ "Homelab" ]; }; - wg-quick = { - interfaces = { - Homelab = { - listenPort = 51834; - privateKeyFile = config.sops.secrets."wireguard/layne/pk".path; - address = [ - "${config.nodeconfig.facts.wireguard-ip}/24" - ]; - dns = [ "10.10.10.1" ]; - peers = with wireguard-peers; [ - (bifrost // { persistentKeepalive = 20; }) - rico0 - rico1 - rico2 - wynne - ]; - }; + }; + systemd.network = { + netdevs."99-Homelab" = { + netdevConfig = { + Name = "Homelab"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51834; + PrivateKeyFile = config.sops.secrets."wireguard/layne/pk".path; + }; + wireguardPeers = with wireguard-peers; [ + (bifrost // { PersistentKeepalive = 20; }) + rico0 + rico1 + rico2 + wynne + ]; + }; + networks."99-Homelab" = { + matchConfig = { + Name = "Homelab"; + }; + networkConfig = { + DNS = "10.10.10.1"; + Address = [ + "${config.nodeconfig.facts.wireguard-ip}/24" + ]; }; }; }; - } diff --git a/hosts/rico0/network/wireguard.nix b/hosts/rico0/network/wireguard.nix index aa6b323..461a73e 100644 --- a/hosts/rico0/network/wireguard.nix +++ b/hosts/rico0/network/wireguard.nix 
@@ -1,10 +1,10 @@ { config, ... }: -let wireguard-peers = import ../../shared/wireguard-peers.nix; in { +let wireguard-peers = import ../../shared/wireguard-peers.nix { }; in { sops.secrets = { "wireguard/rico0/pk" = { mode = "400"; - owner = config.users.users.root.name; - group = config.users.users.root.group; + owner = config.users.users.systemd-network.name; + group = config.users.users.systemd-network.group; }; }; networking = { @@ -12,23 +12,34 @@ let wireguard-peers = import ../../shared/wireguard-peers.nix; in { allowedUDPPorts = [ 51830 ]; trustedInterfaces = [ "Homelab" ]; }; - wg-quick = { - interfaces = { - Homelab = { - listenPort = 51830; - privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path; - address = [ - "${config.nodeconfig.facts.wireguard-ip}/24" - ]; - dns = [ "10.10.10.1" ]; - peers = with wireguard-peers; [ - (bifrost // { persistentKeepalive = 20; }) - rico1 - rico2 - wynne - layne - ]; - }; + }; + systemd.network = { + netdevs."99-Homelab" = { + netdevConfig = { + Name = "Homelab"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51830; + PrivateKeyFile = config.sops.secrets."wireguard/rico0/pk".path; + }; + wireguardPeers = with wireguard-peers; [ + (bifrost // { PersistentKeepalive = 20; }) + rico1 + rico2 + wynne + layne + ]; + }; + networks."99-Homelab" = { + matchConfig = { + Name = "Homelab"; + }; + networkConfig = { + DNS = "10.10.10.1"; + Address = [ + "${config.nodeconfig.facts.wireguard-ip}/24" + ]; }; }; }; diff --git a/hosts/rico1/network/wireguard.nix b/hosts/rico1/network/wireguard.nix index cb5bb89..8a382ab 100644 --- a/hosts/rico1/network/wireguard.nix +++ b/hosts/rico1/network/wireguard.nix 
@@ -1,10 +1,10 @@ { config, ... }: -let wireguard-peers = import ../../shared/wireguard-peers.nix; in { +let wireguard-peers = import ../../shared/wireguard-peers.nix { }; in { sops.secrets = { "wireguard/rico1/pk" = { mode = "400"; - owner = config.users.users.root.name; - group = config.users.users.root.group; + owner = config.users.users.systemd-network.name; + group = config.users.users.systemd-network.group; }; }; networking = { @@ -12,23 +12,34 @@ let wireguard-peers = import ../../shared/wireguard-peers.nix; in { allowedUDPPorts = [ 51831 ]; trustedInterfaces = [ "Homelab" ]; }; - wg-quick = { - interfaces = { - Homelab = { - listenPort = 51831; - privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path; - address = [ - "${config.nodeconfig.facts.wireguard-ip}/24" - ]; - dns = [ "10.10.10.1" ]; - peers = with wireguard-peers; [ - (bifrost // { persistentKeepalive = 20; }) - rico0 - rico2 - wynne - layne - ]; - }; + }; + systemd.network = { + netdevs."99-Homelab" = { + netdevConfig = { + Name = "Homelab"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51831; + PrivateKeyFile = config.sops.secrets."wireguard/rico1/pk".path; + }; + wireguardPeers = with wireguard-peers; [ + (bifrost // { PersistentKeepalive = 20; }) + rico0 + rico2 + wynne + layne + ]; + }; + networks."99-Homelab" = { + matchConfig = { + Name = "Homelab"; + }; + networkConfig = { + DNS = "10.10.10.1"; + Address = [ + "${config.nodeconfig.facts.wireguard-ip}/24" + ]; }; }; }; diff --git a/hosts/rico2/network/wireguard.nix b/hosts/rico2/network/wireguard.nix index 81bb116..a0516f0 100644 --- a/hosts/rico2/network/wireguard.nix +++ b/hosts/rico2/network/wireguard.nix 
@@ -1,10 +1,10 @@ { config, ... }: -let wireguard-peers = import ../../shared/wireguard-peers.nix; in { +let wireguard-peers = import ../../shared/wireguard-peers.nix { }; in { sops.secrets = { "wireguard/rico2/pk" = { mode = "400"; - owner = config.users.users.root.name; - group = config.users.users.root.group; + owner = config.users.users.systemd-network.name; + group = config.users.users.systemd-network.group; }; }; networking = { @@ -12,23 +12,34 @@ let wireguard-peers = import ../../shared/wireguard-peers.nix; in { allowedUDPPorts = [ 51832 ]; trustedInterfaces = [ "Homelab" ]; }; - wg-quick = { - interfaces = { - Homelab = { - listenPort = 51832; - privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path; - address = [ - "${config.nodeconfig.facts.wireguard-ip}/24" - ]; - dns = [ "10.10.10.1" ]; - peers = with wireguard-peers; [ - (bifrost // { persistentKeepalive = 20; }) - rico0 - rico1 - wynne - layne - ]; - }; + }; + systemd.network = { + netdevs."99-Homelab" = { + netdevConfig = { + Name = "Homelab"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51832; + PrivateKeyFile = config.sops.secrets."wireguard/rico2/pk".path; + }; + wireguardPeers = with wireguard-peers; [ + (bifrost // { PersistentKeepalive = 20; }) + rico0 + rico1 + wynne + layne + ]; + }; + networks."99-Homelab" = { + matchConfig = { + Name = "Homelab"; + }; + networkConfig = { + DNS = "10.10.10.1"; + Address = [ + "${config.nodeconfig.facts.wireguard-ip}/24" + ]; }; }; }; diff --git a/hosts/shared/caddy.nix b/hosts/shared/caddy.nix index 55971f0..64dbaff 100644 --- a/hosts/shared/caddy.nix +++ b/hosts/shared/caddy.nix @@ -21,7 +21,6 @@ ''; }; systemd.services.caddy = { - after = [ "wg-quick-Homelab.service" ]; serviceConfig.EnvironmentFile = config.sops.secrets."caddy/env_file".path; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/hosts/shared/wireguard-peers.nix b/hosts/shared/wireguard-peers.nix index d1a1513..e03e7d0 100644 
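Review bot: Dropping `after = [ "wg-quick-Homelab.service" ]` from `systemd.services.caddy` leaves no ordering between caddy and the tunnel, so if caddy binds to the Homelab address or proxies to peers over it, the bind can fail at boot now that the interface is created asynchronously by systemd-networkd. If that ordering still matters, replace the removed line with `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` and keep `systemd-networkd-wait-online` enabled so `99-Homelab` is configured before caddy starts. If caddy only listens on wildcard addresses the removal is fine, and a short comment saying so would stop the next reader from re-adding it.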
--- a/hosts/shared/wireguard-peers.nix +++ b/hosts/shared/wireguard-peers.nix @@ -1,12 +1,13 @@ +{ noEndpoints ? false }: let - mkPeer = endpoint: publicKey: allowedIPs: { - inherit endpoint publicKey allowedIPs; - }; + mkPeer = Endpoint: PublicKey: AllowedIPs: { + inherit PublicKey AllowedIPs; + } // (if (noEndpoints) then { } else { inherit Endpoint; }); in { bifrost = mkPeer "128.199.30.141:51821" "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=" [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ]; - skipper = mkPeer null "ob8Ri5fYBCkksRnpbkq0kBlU0Ll3xjIPpMk8e9TKpl4=" [ "10.10.10.2" ]; - kowalski = mkPeer null "ZgtftftDNAnNsOKo34cgaP3lQim2HMmoCXayALIVsFU=" [ "10.10.10.3" ]; + skipper = mkPeer "" "ob8Ri5fYBCkksRnpbkq0kBlU0Ll3xjIPpMk8e9TKpl4=" [ "10.10.10.2" ]; + kowalski = mkPeer "" "ZgtftftDNAnNsOKo34cgaP3lQim2HMmoCXayALIVsFU=" [ "10.10.10.3" ]; rico0 = mkPeer "192.168.1.10:51830" "9mfgKUM6hXllEUunvI8szlni9OFpKSbaLVZRAhAh51Q=" [ "10.10.10.10" ]; rico1 = mkPeer "192.168.1.11:51831" "lFtIm7CX3gcHMAu673ptRzNDQh5QEa7FbzlHSQerRg0=" [ "10.10.10.11" ]; rico2 = mkPeer "192.168.1.12:51832" "FyFlOHfAprr474cJCXKRvgsU6o22xaQ8gzs1563AQnI=" [ "10.10.10.12" ]; diff --git a/hosts/skipper/default.nix b/hosts/skipper/default.nix index cc1d524..7f001ee 100644 --- a/hosts/skipper/default.nix +++ b/hosts/skipper/default.nix @@ -10,6 +10,10 @@ ./security.nix ]; + nodeconfig.facts = { + wireguard-ip = "10.10.10.2"; + }; + console.useXkbConfig = true; environment.sessionVariables = { diff --git a/hosts/skipper/network/wireguard.nix b/hosts/skipper/network/wireguard.nix index 241930d..123358a 100644 --- a/hosts/skipper/network/wireguard.nix +++ b/hosts/skipper/network/wireguard.nix 
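Review bot: `skipper` and `kowalski` now carry `Endpoint = ""` instead of `null`, and `mkPeer` only drops the key when the importer passes `noEndpoints = true`; in this diff only bifrost lists those two peers and it does pass the flag, but any host that later imports them with the default would render an empty `Endpoint=` into its netdev, which may be rejected when the unit is parsed. Keep `null` as the no-endpoint marker and filter it in the constructor: `} // (if noEndpoints || Endpoint == null then { } else { inherit Endpoint; });`, with `skipper = mkPeer null ...` and `kowalski = mkPeer null ...`. A comment on the new parameter, e.g. `# noEndpoints: hubs drop every peer Endpoint because roaming peers dial in`, would document why bifrost is the only caller setting it.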
@@ -1,32 +1,41 @@ { config, ... }: -let - wireguard-peers = import ../../shared/wireguard-peers.nix; -in -{ +let wireguard-peers = import ../../shared/wireguard-peers.nix { }; in { sops.secrets = { "wireguard/skipper/pk" = { mode = "400"; - owner = config.users.users.root.name; - group = config.users.users.root.group; + owner = config.users.users.systemd-network.name; + group = config.users.users.systemd-network.group; }; }; networking = { firewall = { trustedInterfaces = [ "Homelab" ]; }; - wg-quick = { - interfaces = { - Homelab = { - listenPort = 51822; - privateKeyFile = config.sops.secrets."wireguard/skipper/pk".path; - address = [ - "10.10.10.2/24" - ]; - dns = [ "10.10.10.1" ]; - peers = with wireguard-peers; [ - (bifrost // { allowedIPs = [ "10.10.10.0/24" ]; }) - ]; - }; + }; + systemd.network = { + enable = true; + netdevs."99-Homelab" = { + netdevConfig = { + Name = "Homelab"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51822; + PrivateKeyFile = config.sops.secrets."wireguard/skipper/pk".path; + }; + wireguardPeers = with wireguard-peers; [ + (bifrost // { AllowedIPs = [ "10.10.10.0/24" ]; }) + ]; + }; + networks."99-Homelab" = { + matchConfig = { + Name = "Homelab"; + }; + networkConfig = { + DNS = "10.10.10.1"; + Address = [ + "${config.nodeconfig.facts.wireguard-ip}/24" + ]; }; }; }; diff --git a/hosts/wynne/network/wireguard.nix b/hosts/wynne/network/wireguard.nix index 546b9de..c446031 100644 --- a/hosts/wynne/network/wireguard.nix +++ b/hosts/wynne/network/wireguard.nix @@ -1,10 +1,10 @@ { config, ... }: -let wireguard-peers = import ../../shared/wireguard-peers.nix; in { +let wireguard-peers = import ../../shared/wireguard-peers.nix { }; in { sops.secrets = { "wireguard/wynne/pk" = { mode = "400"; - owner = config.users.users.root.name; - group = config.users.users.root.group; + owner = config.users.users.systemd-network.name; + group = config.users.users.systemd-network.group; }; }; networking = { 
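Review bot: The skipper peer entry sets no `PersistentKeepalive` for `bifrost`, unlike the layne, rico0, rico1, rico2 and wynne hunks, which all use `(bifrost // { PersistentKeepalive = 20; })`; since bifrost lists skipper without an endpoint, it can only reach `10.10.10.2` while a session initiated by skipper is alive, so traffic from the hub to skipper will presumably stall after idle if skipper sits behind NAT. If that is the case, change the entry to `(bifrost // { AllowedIPs = [ "10.10.10.0/24" ]; PersistentKeepalive = 20; })`. This hunk also turns on `systemd.network.enable = true;`, which on a host that already uses another network manager means two managers coexist; that is fine while the only `.network` unit matches the `Homelab` netdev, and a one-line comment stating that constraint would keep it from being broken by a later physical-link `.network`.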
@@ -12,23 +12,34 @@ let wireguard-peers = import ../../shared/wireguard-peers.nix; in { allowedUDPPorts = [ 51833 ]; trustedInterfaces = [ "Homelab" ]; }; - wg-quick = { - interfaces = { - Homelab = { - listenPort = 51833; - privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path; - address = [ - "${config.nodeconfig.facts.wireguard-ip}/24" - ]; - dns = [ "10.10.10.1" ]; - peers = with wireguard-peers; [ - (bifrost // { persistentKeepalive = 20; }) - rico0 - rico1 - rico2 - layne - ]; - }; + }; + systemd.network = { + netdevs."99-Homelab" = { + netdevConfig = { + Name = "Homelab"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 51833; + PrivateKeyFile = config.sops.secrets."wireguard/wynne/pk".path; + }; + wireguardPeers = with wireguard-peers; [ + (bifrost // { PersistentKeepalive = 20; }) + rico0 + rico1 + rico2 + layne + ]; + }; + networks."99-Homelab" = { + matchConfig = { + Name = "Homelab"; + }; + networkConfig = { + DNS = "10.10.10.1"; + Address = [ + "${config.nodeconfig.facts.wireguard-ip}/24" + ]; }; }; };