bchmnn/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add wireguard client config for vpn.dryb.org

Browse source
This commit is contained in:
Jacob Bachmann 2024-09-12 12:56:05 +02:00
parent 5d47e3f94a
commit 9400db3cb6
Signed by: bchmnn
GPG key ID: 732A612DAD28067D
6 changed files with 96 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/T430/default.nix
View file

@ -30,7 +30,10 @@
cli-utils.enable = true; cli-utils.enable = true;
profiling.enable = true; profiling.enable = true;
development.enable = true; development.enable = true;
vpn.enable = true; vpn = {
enable = true;
dryborg.enable = true;
};
virtualisation.enable = true; virtualisation.enable = true;
games.enable = true; games.enable = true;
}; };

71
modules/core/network.nix
View file

@ -1,20 +1,61 @@
{ { config
config, , lib
lib, , pkgs
pkgs, , ...
...
}: }:
{ {
networking = { options.bchmnn = {
networkmanager.enable = true; collections = {
vpn = {
dryborg = {
enable = lib.mkEnableOption "dryborg";
};
};
};
}; };
systemd.services = { config = {
NetworkManager-wait-online.enable = false; networking = {
networkmanager.enable = true;
};
systemd.services = {
NetworkManager-wait-online.enable = false;
};
services.resolved.enable = true;
environment.systemPackages = lib.optionals (config.bchmnn.collections.vpn.enable) [
pkgs.openvpn3
pkgs.mullvad-vpn
pkgs.wireguard-tools # tools for the wireguard secure network tunnel
];
services.mullvad-vpn.enable = config.bchmnn.collections.vpn.enable;
age.secrets = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) {
keys-wireguard-dryborg-privatekey = {
file = ../../secrets/keys/wireguard/dryborg/privatekey.age;
};
keys-wireguard-dryborg-presharedkey = {
file = ../../secrets/keys/wireguard/dryborg/presharedkey.age;
};
};
networking.wg-quick.interfaces = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) {
"vpn.dryb.org" = {
autostart = false;
privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path;
address = [ "10.200.200.1/24" ];
dns = [ "192.168.2.1" ];
peers = [
{
publicKey = "JY5fb0RS7C8WyPPEeymzuMSUeIhDtICGk1FYJgTRnTs=";
presharedKeyFile = config.age.secrets.keys-wireguard-dryborg-presharedkey.path;
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "vpn.dryb.org:53280";
persistentKeepalive = 21;
}
];
};
};
}; };
environment.systemPackages = lib.optionals (config.bchmnn.collections.vpn.enable) [
pkgs.openvpn3
pkgs.mullvad-vpn
pkgs.wireguard-tools # tools for the wireguard secure network tunnel
];
services.mullvad-vpn.enable = config.bchmnn.collections.vpn.enable;
} }

37
modules/home-manager/gui/waybar.nix
View file

@ -1,4 +1,4 @@
{ pkgs, nixosConfig, ... }: { pkgs, nixosConfig, lib, ... }:
let let
check-battery = pkgs.writeShellScript "check-battery" '' check-battery = pkgs.writeShellScript "check-battery" ''
bat=/sys/class/power_supply/BAT0 bat=/sys/class/power_supply/BAT0
@ -18,18 +18,18 @@ let
rm $FILE rm $FILE
fi fi
''; '';
tailscale-status = pkgs.writeShellScript "tailscale-status" '' vpn-dryb-org-status = pkgs.writeShellScript "vpn-dryb-org-status" ''
if ${nixosConfig.services.tailscale.package}/bin/tailscale status > /dev/null 2>&1; then if ${nixosConfig.systemd.package}/bin/systemctl is-active wg-quick-vpn.dryb.org > /dev/null 2>&1; then
echo " " echo " "
else else
echo " " echo " "
fi fi
''; '';
tailscale-toggle = pkgs.writeShellScript "tailscale-toggle" '' vpn-dryb-org-toggle = pkgs.writeShellScript "vpn-dryb-org-toggle" ''
if ${nixosConfig.services.tailscale.package}/bin/tailscale status > /dev/null 2>&1; then if ${nixosConfig.systemd.package}/bin/systemctl is-active wg-quick-vpn.dryb.org > /dev/null 2>&1; then
pkexec ${nixosConfig.services.tailscale.package}/bin/tailscale down pkexec ${nixosConfig.systemd.package}/bin/systemctl stop wg-quick-vpn.dryb.org
else else
pkexec ${nixosConfig.services.tailscale.package}/bin/tailscale up --accept-routes --exit-node=j4m35-bl0nd pkexec ${nixosConfig.systemd.package}/bin/systemctl start wg-quick-vpn.dryb.org
fi fi
''; '';
in in
@ -133,6 +133,7 @@ in
"modules-right": [ "modules-right": [
"tray", "tray",
"network", "network",
${lib.optionalString (nixosConfig.bchmnn.collections.vpn.enable && nixosConfig.bchmnn.collections.vpn.dryborg.enable) "custom/vpndryborg,"}
"custom/separator", "custom/separator",
"pulseaudio", "pulseaudio",
"custom/separator", "custom/separator",
@ -151,19 +152,19 @@ in
"name": "swaybar", "name": "swaybar",
"network": { "network": {
"format": "{ifname}", "format": "{ifname}",
"format-disconnected": "󰈂 ", "format-disconnected": "󰈂",
"format-ethernet": "eth 󰈁 ", "format-ethernet": "eth 󰈁",
"format-wifi": "{signalStrength}% ", "format-wifi": "{signalStrength}% ",
"interval": 1, "interval": 1,
"tooltip-format": "{ifname} via {gwaddr} 󰈁 ", "tooltip-format": "{ifname} via {gwaddr} 󰈁",
"tooltip-format-disconnected": "Disconnected", "tooltip-format-disconnected": "Disconnected",
"tooltip-format-ethernet": "{ifname} ", "tooltip-format-ethernet": "{ifname} ",
"tooltip-format-wifi": "{essid} ({signalStrength}%) " "tooltip-format-wifi": "{essid} ({signalStrength}%) "
}, },
"custom/tailscale": { "custom/vpndryborg": {
"exec": "${tailscale-status}", "exec": "${vpn-dryb-org-status}",
"interval": 1, "interval": 10,
"on-click": "${tailscale-toggle}", "on-click": "${vpn-dryb-org-toggle}",
}, },
"pulseaudio": { "pulseaudio": {
"format": "{volume}% {icon} {format_source}", "format": "{volume}% {icon} {format_source}",
@ -301,7 +302,7 @@ in
background: transparent; background: transparent;
} }
window.swaybar #custom-tailscale { window.swaybar #custom-vpndryborg {
padding-right: 6px; padding-right: 6px;
transition: none; transition: none;
color: black; color: black;

BIN
secrets/keys/wireguard/dryborg/presharedkey.age Normal file
View file

Binary file not shown.

9
secrets/keys/wireguard/dryborg/privatekey.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 lfMVeg wulS3MiEAmeRiQWR+2m6WB2lPgPvbGLIoPpIcpTjwEE
I0SrCm+wG3tRn1St9+bnwAJGSWAIA2TP6LKPQCaVCdc
-> ssh-ed25519 2ycGcg +gfN9hAI6S+2CVGp0xi+M3OJ2JfqNCubYFhKwXa86yM
yWls3U6P8ViO9a+gNuT/fW4txOfDD7wqOmQz6k6O2fA
-> ssh-ed25519 SiBV3Q 8+vLtNNsx2DWecy31lkXpGac78wpHu2xSu/NF+RDZGM
l4FaoEWeMgPIGnEuPJkDoFAmoxAM3gFLmiASxqZ/Gt4
--- RsgxQpG7CP2JVKUmJC5975cY5hCuXeDYF4wMoOBM2XM
,\à j^NåvÏ•ÞìÇw”GÏ„I äYÔ…D¨ËÕOÍÞÌ_œ@u¢“nõƒääúìÓàÙþ¶è¯”S'HŽ³&v)lQ

8
secrets/secrets.nix
View file

@ -17,10 +17,18 @@ let
T430 T430
IROH IROH
]; ];
clients = [
T430
IROH
];
in in
{ {
"environments/acme.age".publicKeys = users ++ [ APPA ]; "environments/acme.age".publicKeys = users ++ [ APPA ];
"environments/vaultwarden.age".publicKeys = users ++ [ APPA ]; "environments/vaultwarden.age".publicKeys = users ++ [ APPA ];
"keys/wireguard/dryborg/privatekey.age".publicKeys = [ gandalf ] ++ clients;
"keys/wireguard/dryborg/presharedkey.age".publicKeys = [ gandalf ] ++ clients;
"passwords/gitea/db.age".publicKeys = users ++ [ APPA ]; "passwords/gitea/db.age".publicKeys = users ++ [ APPA ];
"passwords/anki/admin.age".publicKeys = users ++ [ APPA ]; "passwords/anki/admin.age".publicKeys = users ++ [ APPA ];
"passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ]; "passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ];