From 9400db3cb6ef13479bcf9a3aed8b3c0f427d3a90 Mon Sep 17 00:00:00 2001 From: Jacob Bachmann Date: Thu, 12 Sep 2024 12:56:05 +0200 Subject: [PATCH] feat: add wireguard client config for vpn.dryb.org --- hosts/T430/default.nix | 5 +- modules/core/network.nix | 71 ++++++++++++++---- modules/home-manager/gui/waybar.nix | 37 ++++----- .../keys/wireguard/dryborg/presharedkey.age | Bin 0 -> 477 bytes secrets/keys/wireguard/dryborg/privatekey.age | 9 +++ secrets/secrets.nix | 8 ++ 6 files changed, 96 insertions(+), 34 deletions(-) create mode 100644 secrets/keys/wireguard/dryborg/presharedkey.age create mode 100644 secrets/keys/wireguard/dryborg/privatekey.age diff --git a/hosts/T430/default.nix b/hosts/T430/default.nix index dc70f5a..b5dddcc 100644 --- a/hosts/T430/default.nix +++ b/hosts/T430/default.nix @@ -30,7 +30,10 @@ cli-utils.enable = true; profiling.enable = true; development.enable = true; - vpn.enable = true; + vpn = { + enable = true; + dryborg.enable = true; + }; virtualisation.enable = true; games.enable = true; }; diff --git a/modules/core/network.nix b/modules/core/network.nix index 233dbaa..e2c2d50 100644 --- a/modules/core/network.nix +++ b/modules/core/network.nix 
@@ -1,20 +1,61 @@ -{ - config, - lib, - pkgs, - ... +{ config +, lib +, pkgs +, ... }: { - networking = { - networkmanager.enable = true; + options.bchmnn = { + collections = { + vpn = { + dryborg = { + enable = lib.mkEnableOption "dryborg"; + }; + }; + }; }; - systemd.services = { - NetworkManager-wait-online.enable = false; + config = { + networking = { + networkmanager.enable = true; + }; + + systemd.services = { + NetworkManager-wait-online.enable = false; + }; + + services.resolved.enable = true; + + environment.systemPackages = lib.optionals (config.bchmnn.collections.vpn.enable) [ + pkgs.openvpn3 + pkgs.mullvad-vpn + pkgs.wireguard-tools # tools for the wireguard secure network tunnel + ]; + services.mullvad-vpn.enable = config.bchmnn.collections.vpn.enable; + + age.secrets = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) { + keys-wireguard-dryborg-privatekey = { + file = ../../secrets/keys/wireguard/dryborg/privatekey.age; + }; + keys-wireguard-dryborg-presharedkey = { + file = ../../secrets/keys/wireguard/dryborg/presharedkey.age; + }; + }; + + networking.wg-quick.interfaces = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) { + "vpn.dryb.org" = { + autostart = false; + privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path; + address = [ "10.200.200.1/24" ]; + dns = [ "192.168.2.1" ]; + peers = [ + { + publicKey = "JY5fb0RS7C8WyPPEeymzuMSUeIhDtICGk1FYJgTRnTs="; + presharedKeyFile = config.age.secrets.keys-wireguard-dryborg-presharedkey.path; + allowedIPs = [ "0.0.0.0/0" ]; + endpoint = "vpn.dryb.org:53280"; + persistentKeepalive = 21; + } + ]; + }; + }; }; - environment.systemPackages = lib.optionals (config.bchmnn.collections.vpn.enable) [ - pkgs.openvpn3 - pkgs.mullvad-vpn - pkgs.wireguard-tools # tools for the wireguard secure network tunnel - ]; - services.mullvad-vpn.enable = config.bchmnn.collections.vpn.enable; } 
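Review bot: `allowedIPs = [ "0.0.0.0/0" ]` sends only IPv4 through the tunnel, so on a host with IPv6 connectivity every v6 flow keeps using the uplink while wg-quick-vpn.dryb.org is up, and the tunnel is not the full-tunnel the `0.0.0.0/0` suggests; if the server forwards v6 this should be `allowedIPs = [ "0.0.0.0/0" "::/0" ];`, otherwise a comment such as `# IPv4 only: v6 traffic intentionally bypasses the tunnel` would keep the next reader from assuming otherwise. `address = [ "10.200.200.1/24" ]` is the first host of the tunnel subnet, which is conventionally where the server sits, so this client address is worth confirming against the server's peer entry. The predicate `config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable` is spelled out twice; binding it once, e.g. `let dryborgEnabled = config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable; in`, keeps the two `lib.mkIf` guards from drifting apart.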
diff --git a/modules/home-manager/gui/waybar.nix b/modules/home-manager/gui/waybar.nix index c8afa35..b372aee 100644 --- a/modules/home-manager/gui/waybar.nix +++ b/modules/home-manager/gui/waybar.nix @@ -1,4 +1,4 @@ -{ pkgs, nixosConfig, ... }: +{ pkgs, nixosConfig, lib, ... }: let check-battery = pkgs.writeShellScript "check-battery" '' bat=/sys/class/power_supply/BAT0 @@ -18,18 +18,18 @@ let rm $FILE fi ''; - tailscale-status = pkgs.writeShellScript "tailscale-status" '' - if ${nixosConfig.services.tailscale.package}/bin/tailscale status > /dev/null 2>&1; then + vpn-dryb-org-status = pkgs.writeShellScript "vpn-dryb-org-status" '' + if ${nixosConfig.systemd.package}/bin/systemctl is-active wg-quick-vpn.dryb.org > /dev/null 2>&1; then echo " " else echo " " fi ''; - tailscale-toggle = pkgs.writeShellScript "tailscale-toggle" '' - if ${nixosConfig.services.tailscale.package}/bin/tailscale status > /dev/null 2>&1; then - pkexec ${nixosConfig.services.tailscale.package}/bin/tailscale down + vpn-dryb-org-toggle = pkgs.writeShellScript "vpn-dryb-org-toggle" '' + if ${nixosConfig.systemd.package}/bin/systemctl is-active wg-quick-vpn.dryb.org > /dev/null 2>&1; then + pkexec ${nixosConfig.systemd.package}/bin/systemctl stop wg-quick-vpn.dryb.org else - pkexec ${nixosConfig.services.tailscale.package}/bin/tailscale up --accept-routes --exit-node=j4m35-bl0nd + pkexec ${nixosConfig.systemd.package}/bin/systemctl start wg-quick-vpn.dryb.org fi ''; in @@ -133,6 +133,7 @@ in "modules-right": [ "tray", "network", + ${lib.optionalString (nixosConfig.bchmnn.collections.vpn.enable && nixosConfig.bchmnn.collections.vpn.dryborg.enable) "custom/vpndryborg,"} "custom/separator", "pulseaudio", "custom/separator", 
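Review bot: In the `@@ -18,18` hunk, `systemctl is-active` in vpn-dryb-org-toggle exits non-zero while the unit is still `activating`, so a second click during wg-quick's startup issues another `pkexec systemctl start wg-quick-vpn.dryb.org` and a fresh polkit prompt; reading the state with `systemctl show -p ActiveState --value wg-quick-vpn.dryb.org` and treating both `active` and `activating` as "up" would avoid that, and `systemctl --quiet is-active` makes the `> /dev/null 2>&1` redirection in both scripts unnecessary. Each click also goes through `pkexec`, so unless a polkit rule for this unit exists elsewhere in the repository (none is in this patch) the toggle will prompt for authentication every time; a short comment above vpn-dryb-org-toggle stating which policy it relies on would make that dependency visible.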
@@ -151,19 +152,19 @@ in "name": "swaybar", "network": { "format": "{ifname}", - "format-disconnected": "󰈂 ", - "format-ethernet": "eth 󰈁 ", - "format-wifi": "{signalStrength}%  ", + "format-disconnected": "󰈂", + "format-ethernet": "eth 󰈁", + "format-wifi": "{signalStrength}%  ", "interval": 1, - "tooltip-format": "{ifname} via {gwaddr} 󰈁 ", + "tooltip-format": "{ifname} via {gwaddr} 󰈁", "tooltip-format-disconnected": "Disconnected", - "tooltip-format-ethernet": "{ifname}  ", - "tooltip-format-wifi": "{essid} ({signalStrength}%)  " + "tooltip-format-ethernet": "{ifname}  ", + "tooltip-format-wifi": "{essid} ({signalStrength}%)  " }, - "custom/tailscale": { - "exec": "${tailscale-status}", - "interval": 1, - "on-click": "${tailscale-toggle}", + "custom/vpndryborg": { + "exec": "${vpn-dryb-org-status}", + "interval": 10, + "on-click": "${vpn-dryb-org-toggle}", }, "pulseaudio": { "format": "{volume}% {icon} {format_source}", @@ -301,7 +302,7 @@ in background: transparent; } - window.swaybar #custom-tailscale { + window.swaybar #custom-vpndryborg { padding-right: 6px; transition: none; color: black; 
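Review bot: `"interval": 10` for `custom/vpndryborg` means the indicator can show the previous state for up to ten seconds after a click, since the one-second poll of the replaced tailscale module was not carried over and nothing refreshes the module when the toggle returns. Adding for example `"signal": 8,` to the module and ending vpn-dryb-org-toggle (in the earlier `@@ -18,18` hunk) with `pkill -RTMIN+8 waybar` would redraw it immediately after `systemctl start`/`stop` completes without going back to per-second polling. The module definition and both scripts stay unconditional while only the `modules-right` entry is gated on `vpn.dryborg.enable`, which is harmless but worth a comment so the asymmetry does not look accidental.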
diff --git a/secrets/keys/wireguard/dryborg/presharedkey.age b/secrets/keys/wireguard/dryborg/presharedkey.age new file mode 100644 index 0000000000000000000000000000000000000000..9940f018442812bea110720fa37a5d15dbd49926 GIT binary patch literal 477 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7N%IX$O;&WHV*KJ(9ciJO%3&S zOmd2}$nq;I2&qU5$_{fbj0*J5PECvSG4@G{NJqELs503-Ib9(lBDb(8$2BNC*DN{0 zB{(_Rz$m}az{EK@-6c)m)4ALvF)Q4?JUK5pr^3up6!^m=fH$x*QS1-rpu#keVeDA;v!_d;S z(xPy;tUUjKNY8L@BVR6EU0sDFzr-ZZ0F#t(V>8#x;;2B&z?87`NUz9n-=L_dqBP4e zbM3U0B5e;>pLDLx2R=P+XcJ1>+%;>5@bQ(e>TIH}FJb ssh-ed25519 lfMVeg wulS3MiEAmeRiQWR+2m6WB2lPgPvbGLIoPpIcpTjwEE +I0SrCm+wG3tRn1St9+bnwAJGSWAIA2TP6LKPQCaVCdc +-> ssh-ed25519 2ycGcg +gfN9hAI6S+2CVGp0xi+M3OJ2JfqNCubYFhKwXa86yM +yWls3U6P8ViO9a+gNuT/fW4txOfDD7wqOmQz6k6O2fA +-> ssh-ed25519 SiBV3Q 8+vLtNNsx2DWecy31lkXpGac78wpHu2xSu/NF+RDZGM +l4FaoEWeMgPIGnEuPJkDoFAmoxAM3gFLmiASxqZ/Gt4 +--- RsgxQpG7CP2JVKUmJC5975cY5hCuXeDYF4wMoOBM2XM +,\j^NvϕwGτI YԅDO_@un诔S'H&v)lQ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 810ff47..caa5c4a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -17,10 +17,18 @@ let T430 IROH ]; + + clients = [ + T430 + IROH + ]; + in { "environments/acme.age".publicKeys = users ++ [ APPA ]; "environments/vaultwarden.age".publicKeys = users ++ [ APPA ]; + "keys/wireguard/dryborg/privatekey.age".publicKeys = [ gandalf ] ++ clients; + "keys/wireguard/dryborg/presharedkey.age".publicKeys = [ gandalf ] ++ clients; "passwords/gitea/db.age".publicKeys = users ++ [ APPA ]; "passwords/anki/admin.age".publicKeys = users ++ [ APPA ]; "passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ];
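Review bot: In the secrets.nix hunk both `keys/wireguard/dryborg/privatekey.age` and `presharedkey.age` are encrypted to `[ gandalf ] ++ clients` with `clients = [ T430 IROH ]`, so two hosts would decrypt and use the same WireGuard private key, i.e. the same peer identity and, given network.nix, the same tunnel address. WireGuard tracks one endpoint per peer, so if both hosts bring the tunnel up at once the server will flap between them, and a compromise of the key on either host exposes the other's tunnel as well. Per-host key files (for example `keys/wireguard/dryborg/<host>/privatekey.age` encrypted to `[ gandalf <host> ]`) with a matching peer entry on the server would keep each client's identity separate. The new `clients` list also appears to repeat the list that ends just above it (`T430 IROH ];`), though that list's name is outside the hunk; if they are meant to stay in sync, reuse the existing binding instead.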