feat: add wireguard client config for vpn.dryb.org

2024-09-12 12:56:05 +02:00 · 2024-09-12 12:56:05 +02:00 · 9400db3cb6
commit 9400db3cb6
parent 5d47e3f94a
6 changed files with 96 additions and 34 deletions
--- a/hosts/T430/default.nix
+++ b/hosts/T430/default.nix
@ -30,7 +30,10 @@
      cli-utils.enable = true;
      profiling.enable = true;
      development.enable = true;
-      vpn.enable = true;
+      vpn = {
+        enable = true;
+        dryborg.enable = true;
+      };
      virtualisation.enable = true;
      games.enable = true;
    };
--- a/modules/core/network.nix
+++ b/modules/core/network.nix
@ -1,20 +1,61 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
+{ config
+, lib
+, pkgs
+, ...
 }:
 {
+  options.bchmnn = {
+    collections = {
+      vpn = {
+        dryborg = {
+          enable = lib.mkEnableOption "dryborg";
+        };
+      };
+    };
+  };
+  config = {
    networking = {
      networkmanager.enable = true;
    };
+
    systemd.services = {
      NetworkManager-wait-online.enable = false;
    };
+
+    services.resolved.enable = true;
+
    environment.systemPackages = lib.optionals (config.bchmnn.collections.vpn.enable) [
      pkgs.openvpn3
      pkgs.mullvad-vpn
      pkgs.wireguard-tools # tools for the wireguard secure network tunnel
    ];
    services.mullvad-vpn.enable = config.bchmnn.collections.vpn.enable;
+
+    age.secrets = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) {
+      keys-wireguard-dryborg-privatekey = {
+        file = ../../secrets/keys/wireguard/dryborg/privatekey.age;
+      };
+      keys-wireguard-dryborg-presharedkey = {
+        file = ../../secrets/keys/wireguard/dryborg/presharedkey.age;
+      };
+    };
+
+    networking.wg-quick.interfaces = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) {
+      "vpn.dryb.org" = {
+        autostart = false;
+        privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path;
+        address = [ "10.200.200.1/24" ];
+        dns = [ "192.168.2.1" ];
+        peers = [
+          {
+            publicKey = "JY5fb0RS7C8WyPPEeymzuMSUeIhDtICGk1FYJgTRnTs=";
+            presharedKeyFile = config.age.secrets.keys-wireguard-dryborg-presharedkey.path;
+            allowedIPs = [ "0.0.0.0/0" ];
+            endpoint = "vpn.dryb.org:53280";
+            persistentKeepalive = 21;
+          }
+        ];
+      };
+    };
+  };
 }
--- a/modules/home-manager/gui/waybar.nix
+++ b/modules/home-manager/gui/waybar.nix
@ -1,4 +1,4 @@
-{ pkgs, nixosConfig, ... }:
+{ pkgs, nixosConfig, lib, ... }:
 let
  check-battery = pkgs.writeShellScript "check-battery" ''
    bat=/sys/class/power_supply/BAT0
@ -18,18 +18,18 @@ let
      rm $FILE
    fi
  '';
-  tailscale-status = pkgs.writeShellScript "tailscale-status" ''
-    if ${nixosConfig.services.tailscale.package}/bin/tailscale status > /dev/null 2>&1; then
+  vpn-dryb-org-status = pkgs.writeShellScript "vpn-dryb-org-status" ''
+    if ${nixosConfig.systemd.package}/bin/systemctl is-active wg-quick-vpn.dryb.org > /dev/null 2>&1; then
      echo " "
    else
      echo " "
    fi
  '';
-  tailscale-toggle = pkgs.writeShellScript "tailscale-toggle" ''
-    if ${nixosConfig.services.tailscale.package}/bin/tailscale status > /dev/null 2>&1; then
-      pkexec ${nixosConfig.services.tailscale.package}/bin/tailscale down
+  vpn-dryb-org-toggle = pkgs.writeShellScript "vpn-dryb-org-toggle" ''
+    if ${nixosConfig.systemd.package}/bin/systemctl is-active wg-quick-vpn.dryb.org > /dev/null 2>&1; then
+      pkexec ${nixosConfig.systemd.package}/bin/systemctl stop wg-quick-vpn.dryb.org
    else
-      pkexec ${nixosConfig.services.tailscale.package}/bin/tailscale up --accept-routes --exit-node=j4m35-bl0nd
+      pkexec ${nixosConfig.systemd.package}/bin/systemctl start wg-quick-vpn.dryb.org
    fi
  '';
 in
@ -133,6 +133,7 @@ in
          "modules-right": [
            "tray",
            "network",
+            ${lib.optionalString (nixosConfig.bchmnn.collections.vpn.enable && nixosConfig.bchmnn.collections.vpn.dryborg.enable) "custom/vpndryborg,"}
            "custom/separator",
            "pulseaudio",
            "custom/separator",
@ -151,19 +152,19 @@ in
          "name": "swaybar",
          "network": {
            "format": "{ifname}",
-            "format-disconnected": "󰈂 ",
-            "format-ethernet": "eth 󰈁 ",
+            "format-disconnected": "󰈂",
+            "format-ethernet": "eth 󰈁",
            "format-wifi": "{signalStrength}%  ",
            "interval": 1,
-            "tooltip-format": "{ifname} via {gwaddr} 󰈁 ",
+            "tooltip-format": "{ifname} via {gwaddr} 󰈁",
            "tooltip-format-disconnected": "Disconnected",
            "tooltip-format-ethernet": "{ifname}  ",
            "tooltip-format-wifi": "{essid} ({signalStrength}%)  "
          },
-          "custom/tailscale": {
-            "exec": "${tailscale-status}",
-            "interval": 1,
-            "on-click": "${tailscale-toggle}",
+          "custom/vpndryborg": {
+            "exec": "${vpn-dryb-org-status}",
+            "interval": 10,
+            "on-click": "${vpn-dryb-org-toggle}",
          },
          "pulseaudio": {
            "format": "{volume}% {icon} {format_source}",
@ -301,7 +302,7 @@ in
        background: transparent;
      }

-      window.swaybar #custom-tailscale {
+      window.swaybar #custom-vpndryborg {
        padding-right: 6px;
        transition: none;
        color: black;
--- a/secrets/keys/wireguard/dryborg/presharedkey.age
+++ b/secrets/keys/wireguard/dryborg/presharedkey.age
--- a/secrets/keys/wireguard/dryborg/privatekey.age
+++ b/secrets/keys/wireguard/dryborg/privatekey.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 lfMVeg wulS3MiEAmeRiQWR+2m6WB2lPgPvbGLIoPpIcpTjwEE
+I0SrCm+wG3tRn1St9+bnwAJGSWAIA2TP6LKPQCaVCdc
+-> ssh-ed25519 2ycGcg +gfN9hAI6S+2CVGp0xi+M3OJ2JfqNCubYFhKwXa86yM
+yWls3U6P8ViO9a+gNuT/fW4txOfDD7wqOmQz6k6O2fA
+-> ssh-ed25519 SiBV3Q 8+vLtNNsx2DWecy31lkXpGac78wpHu2xSu/NF+RDZGM
+l4FaoEWeMgPIGnEuPJkDoFAmoxAM3gFLmiASxqZ/Gt4
+--- RsgxQpG7CP2JVKUmJC5975cY5hCuXeDYF4wMoOBM2XM
+,\à j^NåvÏ•Þì‘Çw‹‘”GÏ„I
äY‘Ô…D¨ËÕOÍÞÌ_‘œ@u¢“nõƒääúìÓàÙþ¶è¯”S'HŽ³&v)lQ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -17,10 +17,18 @@ let
    T430
    IROH
  ];
+
+  clients = [
+    T430
+    IROH
+  ];
+
 in
 {
  "environments/acme.age".publicKeys = users ++ [ APPA ];
  "environments/vaultwarden.age".publicKeys = users ++ [ APPA ];
+  "keys/wireguard/dryborg/privatekey.age".publicKeys = [ gandalf ] ++ clients;
+  "keys/wireguard/dryborg/presharedkey.age".publicKeys = [ gandalf ] ++ clients;
  "passwords/gitea/db.age".publicKeys = users ++ [ APPA ];
  "passwords/anki/admin.age".publicKeys = users ++ [ APPA ];
  "passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ];