From 3ec00be4d03d32a489c969ed3dc5d354d0d80aad Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Thu, 20 Mar 2025 19:06:51 +0100
Subject: [PATCH 01/10] profiles/wg-clerie: Migrate wg-clerie to
systemd-networkd
---
profiles/default.nix | 1 +
profiles/wg-clerie/default.nix | 163 +++++++++++++++++++++++++++++++++
2 files changed, 164 insertions(+)
create mode 100644 profiles/wg-clerie/default.nix
diff --git a/profiles/default.nix b/profiles/default.nix
index 04aecfb..3daf86a 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -9,6 +9,7 @@
./mercury-vm
./netcup
./network-fallback-dhcp
+ ./wg-clerie
];
}
diff --git a/profiles/wg-clerie/default.nix b/profiles/wg-clerie/default.nix
new file mode 100644
index 0000000..b6a6bf7
--- /dev/null
+++ b/profiles/wg-clerie/default.nix
@@ -0,0 +1,163 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.profiles.clerie.wg-clerie;
+in
+
+{
+ options = {
+ profiles.clerie.wg-clerie = {
+ enable = mkEnableOption "VPN for public static IP";
+ privateKeyFile = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Path to file containing private key for wireguard interface";
+ };
+ ipv6s = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "IPv6 interface addresses";
+ };
+ ipv4s = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "IPv4 interface addresses";
+ };
+ defaultViaVPN = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Use VPN default route for a protocol, if that protocol is unavailable in the underlay";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ systemd.network.config.routeTables = {
+ wg-clerie = 200;
+ };
+ systemd.network.config.addRouteTablesToIPRoute2 = true;
+
+ sops.secrets.wg-clerie = {
+ owner = "systemd-network";
+ group = "systemd-network";
+ };
+
+ systemd.network.netdevs."10-wg-clerie" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg-clerie";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else
+ config.sops.secrets.wg-clerie.path;
+ RouteTable = "wg-clerie";
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
+ AllowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
+ Endpoint = "78.47.183.82:51820";
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
+
+ systemd.network.networks."10-wg-clerie" = {
+ matchConfig.Name = "wg-clerie";
+ address = cfg.ipv6s ++ cfg.ipv4s;
+ routingPolicyRules = (builtins.map
+ (ip: {
+ Priority = 19000;
+ Family = "ipv6";
+ From = ip;
+ #Type = "table";
+ Table = "wg-clerie";
+ })
+ cfg.ipv6s
+ ) ++ (builtins.map
+ (ip: {
+ Priority = 19001;
+ Family = "ipv6";
+ From = ip;
+ Type = "unreachable";
+ })
+ cfg.ipv6s
+ ) ++ (builtins.map
+ (ip: {
+ Priority = 19000;
+ Family = "ipv4";
+ From = ip;
+ #Type = "table";
+ Table = "wg-clerie";
+ })
+ cfg.ipv4s
+ ) ++ (builtins.map
+ (ip: {
+ Priority = 19001;
+ Family = "ipv4";
+ From = ip;
+ Type = "unreachable";
+ })
+ cfg.ipv4s
+ ) ++ [
+ {
+ Priority = 20000;
+ Family = "ipv6";
+ To = "2a01:4f8:c0c:15f1::1/128";
+ IPProtocol = "udp";
+ DestinationPort = 51820;
+ #Type = "table";
+ Table = "main";
+ }
+ {
+ Priority = 20001;
+ Family = "ipv6";
+ To = "2a01:4f8:c0c:15f1::1/128";
+ IPProtocol = "udp";
+ DestinationPort = 51820;
+ Type = "unreachable";
+ }
+ {
+ Priority = 20000;
+ Family = "ipv4";
+ To = "78.47.183.82/32";
+ IPProtocol = "udp";
+ DestinationPort = 51820;
+ #Type = "table";
+ Table = "main";
+ }
+ {
+ Priority = 20001;
+ Family = "ipv4";
+ To = "78.47.183.82/32";
+ IPProtocol = "udp";
+ DestinationPort = 51820;
+ Type = "unreachable";
+ }
+ {
+ Priority = 21000;
+ Family = "both";
+ #Type = "table";
+ Table = "main";
+ }
+ ] ++ (if cfg.defaultViaVPN then [
+ {
+ Priority = 21001;
+ Family = "both";
+ #Type = "table";
+ Table = "wg-clerie";
+ }
+ ] else []) ++ [
+ {
+ Priority = 22000;
+ Family = "both";
+ Type = "unreachable";
+ }
+ ];
+ };
+
+ };
+}
From effb386e518ed79fd34f7a81892cd26f88564613 Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Thu, 20 Mar 2025 19:30:10 +0100
Subject: [PATCH 02/10] profiles/wg-clerie: Only configure sops secret if we
want to use that
---
profiles/wg-clerie/default.nix | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/profiles/wg-clerie/default.nix b/profiles/wg-clerie/default.nix
index b6a6bf7..a845187 100644
--- a/profiles/wg-clerie/default.nix
+++ b/profiles/wg-clerie/default.nix
@@ -40,10 +40,12 @@ in
};
systemd.network.config.addRouteTablesToIPRoute2 = true;
- sops.secrets.wg-clerie = {
- owner = "systemd-network";
- group = "systemd-network";
- };
+ sops = (mkIf (cfg.privateKeyFile == null) {
+ secrets.wg-clerie = {
+ owner = "systemd-network";
+ group = "systemd-network";
+ };
+ });
systemd.network.netdevs."10-wg-clerie" = {
netdevConfig = {
From 5a719c2f01546bbeef546620b85140bf73b03bd8 Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Thu, 20 Mar 2025 19:30:47 +0100
Subject: [PATCH 03/10] hosts/astatine,hosts/beryllium,hosts/tungsten: Migrate
to profiles.clerie.wg-clerie
---
hosts/astatine/configuration.nix | 11 ++++-----
hosts/beryllium/configuration.nix | 40 +++++--------------------------
hosts/tungsten/configuration.nix | 10 ++++----
3 files changed, 16 insertions(+), 45 deletions(-)
diff --git a/hosts/astatine/configuration.nix b/hosts/astatine/configuration.nix
index ea8cac3..72ad6bd 100644
--- a/hosts/astatine/configuration.nix
+++ b/hosts/astatine/configuration.nix
@@ -19,14 +19,13 @@
";
networking.useDHCP = false;
-
systemd.network.enable = true;
- #services.wg-clerie = {
- # enable = true;
- # ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
- # ipv4s = [ "10.20.30.108/32" ];
- #};
+ profiles.clerie.wg-clerie = {
+ enable = true;
+ ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
+ ipv4s = [ "10.20.30.108/32" ];
+ };
clerie.monitoring = {
enable = true;
diff --git a/hosts/beryllium/configuration.nix b/hosts/beryllium/configuration.nix
index 15235da..274d44c 100644
--- a/hosts/beryllium/configuration.nix
+++ b/hosts/beryllium/configuration.nix
@@ -25,40 +25,12 @@
networking.firewall.enable = false;
- #networking.iproute2.enable = true;
- #networking.iproute2.rttablesExtraConfig = ''
- # 200 wg-clerie
- #'';
-
- #petabyte.policyrouting = {
- # enable = true;
- # rules6 = [
- # { rule = "from 2a01:4f8:c0c:15f1::8107/128 lookup wg-clerie"; prio = 20000; }
- # { rule = "from 2a01:4f8:c0c:15f1::8107/128 unreachable"; prio = 20001; }
- # ];
- # rules4 = [
- # { rule = "from 10.20.30.107/32 lookup wg-clerie"; prio = 20000; }
- # { rule = "from 10.20.30.107/32 unreachable"; prio = 20001; }
- # ];
- #};
-
-
- #networking.wireguard.enable = true;
- #networking.wireguard.interfaces = {
- # wg-clerie = {
- # ips = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
- # table = "wg-clerie";
- # peers = [
- # {
- # endpoint = "vpn.clerie.de:51820";
- # persistentKeepalive = 25;
- # allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
- # publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
- # }
- # ];
- # privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
- # };
- #};
+ profiles.clerie.wg-clerie = {
+ enable = true;
+ ipv6s = [ "2a01:4f8:c0c:15f1::8107/128" ];
+ ipv4s = [ "10.20.30.107/32" ];
+ privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
+ };
clerie.monitoring = {
enable = true;
diff --git a/hosts/tungsten/configuration.nix b/hosts/tungsten/configuration.nix
index f1028db..2751f57 100644
--- a/hosts/tungsten/configuration.nix
+++ b/hosts/tungsten/configuration.nix
@@ -23,11 +23,11 @@
networking.hostName = "tungsten";
- #services.wg-clerie = {
- # enable = true;
- # ipv6s = [ "2a01:4f8:c0c:15f1::8112/128" ];
- # ipv4s = [ "10.20.30.112/32" ];
- #};
+ profiles.clerie.wg-clerie = {
+ enable = true;
+ ipv6s = [ "2a01:4f8:c0c:15f1::8112/128" ];
+ ipv4s = [ "10.20.30.112/32" ];
+ };
clerie.monitoring = {
enable = true;
From 2d6afc20939461a93469da99ed905048d19209cc Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Thu, 20 Mar 2025 19:43:57 +0100
Subject: [PATCH 04/10] profiles/wg-clerie: wg-clerie not required for online
---
profiles/wg-clerie/default.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/profiles/wg-clerie/default.nix b/profiles/wg-clerie/default.nix
index a845187..2bbd26a 100644
--- a/profiles/wg-clerie/default.nix
+++ b/profiles/wg-clerie/default.nix
@@ -70,6 +70,7 @@ in
systemd.network.networks."10-wg-clerie" = {
matchConfig.Name = "wg-clerie";
address = cfg.ipv6s ++ cfg.ipv4s;
+ linkConfig.RequiredForOnline = "no";
routingPolicyRules = (builtins.map
(ip: {
Priority = 19000;
From a29978c95aa687084dd78eac865c51eba44554ec Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Thu, 20 Mar 2025 19:44:35 +0100
Subject: [PATCH 05/10] hosts/astatine: Migrate to systemd-network
---
hosts/aluminium/configuration.nix | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hosts/aluminium/configuration.nix b/hosts/aluminium/configuration.nix
index 6651cfd..87d0aa0 100644
--- a/hosts/aluminium/configuration.nix
+++ b/hosts/aluminium/configuration.nix
@@ -18,7 +18,10 @@
terminal_output serial
";
- services.wg-clerie = {
+ networking.useDHCP = false;
+ systemd.network.enable = true;
+
+ profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ];
ipv4s = [ "10.20.30.106/32" ];
From 7a210b13be98ee1f83701657efbc92072fd92e71 Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Thu, 20 Mar 2025 19:46:54 +0100
Subject: [PATCH 06/10] hosts/_iso: Migrate to systemd-network
---
hosts/_iso/configuration.nix | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hosts/_iso/configuration.nix b/hosts/_iso/configuration.nix
index d971c32..b4af756 100644
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -6,11 +6,16 @@
../../configuration/gpg-ssh
];
+ profiles.clerie.network-fallback-dhcp.enable = true;
+
# systemd in initrd is broken with ISOs
# Failed to mount /sysroot/iso
# https://github.com/NixOS/nixpkgs/issues/327187
boot.initrd.systemd.enable = false;
+ networking.useDHCP = false;
+ systemd.network.enable = true;
+
networking.hostName = "isowo";
isoImage.isoBaseName = lib.mkForce "nixos-isowo";
From fed25f02d85b14733c1d0ddaf86b04cf0d349803 Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Thu, 20 Mar 2025 19:55:17 +0100
Subject: [PATCH 07/10] profiles/wg-clerie: Don't let NetworkManager touch the
VPN interface
---
profiles/wg-clerie/default.nix | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/profiles/wg-clerie/default.nix b/profiles/wg-clerie/default.nix
index 2bbd26a..9ae527e 100644
--- a/profiles/wg-clerie/default.nix
+++ b/profiles/wg-clerie/default.nix
@@ -47,6 +47,10 @@ in
};
});
+ networking.networkmanager.unmanaged = [
+ "interface-name:wg-clerie"
+ ];
+
systemd.network.netdevs."10-wg-clerie" = {
netdevConfig = {
Kind = "wireguard";
From de3bc903efc802d85b3252b09cc4d9b116170f17 Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Thu, 20 Mar 2025 20:03:39 +0100
Subject: [PATCH 08/10] profiles/common-networking: Centralize new network
config
---
profiles/common-networking/default.nix | 24 ++++++++++++++++++++++++
profiles/default.nix | 1 +
2 files changed, 25 insertions(+)
create mode 100644 profiles/common-networking/default.nix
diff --git a/profiles/common-networking/default.nix b/profiles/common-networking/default.nix
new file mode 100644
index 0000000..4a3b3b5
--- /dev/null
+++ b/profiles/common-networking/default.nix
@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+ options.profiles.clerie.common-networking = {
+ enable = mkEnableOption "Common networking config";
+ };
+
+ config = mkIf config.profiles.clerie.common-networking.enable {
+
+ # Disable scripted network
+ networking.useDHCP = false;
+ # Enable systemd-networkd
+ systemd.network.enable = true;
+
+ # Don't wait for online, if NetworkManger is running too
+ systemd.network.wait-online = mkIf (config.networking.networkmanager.enable == true) {
+ enable = false;
+ };
+
+ };
+}
diff --git a/profiles/default.nix b/profiles/default.nix
index 3daf86a..56cb944 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -3,6 +3,7 @@
{
imports = [
+ ./common-networking
./cybercluster-vm
./fem-net
./hetzner-cloud
From 9e7deadfb50591546027f1f4d64a6abb25560610 Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Thu, 20 Mar 2025 20:07:06 +0100
Subject: [PATCH 09/10] hosts/krypton,hosts/zinc: Migrate to systemd-network
---
hosts/krypton/network.nix | 4 +++-
hosts/zinc/configuration.nix | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/hosts/krypton/network.nix b/hosts/krypton/network.nix
index 4197c76..fb71faf 100644
--- a/hosts/krypton/network.nix
+++ b/hosts/krypton/network.nix
@@ -1,7 +1,9 @@
{ ... }:
{
- services.wg-clerie = {
+ profiles.clerie.common-networking.enable = true;
+
+ profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8011/128" ];
ipv4s = [ "10.20.30.11/32" ];
diff --git a/hosts/zinc/configuration.nix b/hosts/zinc/configuration.nix
index 13a428a..07c0747 100644
--- a/hosts/zinc/configuration.nix
+++ b/hosts/zinc/configuration.nix
@@ -11,6 +11,8 @@
./programs.nix
];
+ profiles.clerie.common-networking.enable = true;
+
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
@@ -25,7 +27,7 @@
boot.initrd.systemd.enable = false;
- services.wg-clerie = {
+ profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];
ipv4s = [ "10.20.30.109/32" ];
From b9dd198835041f06a382f9a253d8367fd5e3a5c0 Mon Sep 17 00:00:00 2001
From: Flake Update Bot <flake-update-bot@clerie.de>
Date: Fri, 21 Mar 2025 03:04:03 +0100
Subject: [PATCH 10/10] Update nixpkgs 2025-03-21-02-03
---
flake.lock | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index e7345fc..e8dd9f5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -533,11 +533,11 @@
},
"nixpkgs_3": {
"locked": {
- "lastModified": 1742069588,
- "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
+ "lastModified": 1742422364,
+ "narHash": "sha256-mNqIplmEohk5jRkqYqG19GA8MbQ/D4gQSK0Mu4LvfRQ=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
+ "rev": "a84ebe20c6bc2ecbcfb000a50776219f48d134cc",
"type": "github"
},
"original": {