diff --git a/configuration/common/backup.nix b/configuration/common/backup.nix
new file mode 100644
index 0000000..7cb500f
--- /dev/null
+++ b/configuration/common/backup.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+
+ clerie.backup = {
+ targets = {
+ cyan.serverName = "cyan.backup.clerie.de";
+ magenta.serverName = "magenta.backup.clerie.de";
+ };
+ };
+
+}
diff --git a/configuration/common/default.nix b/configuration/common/default.nix
index 21d8fd3..892f0e3 100644
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -4,115 +4,17 @@
 imports = [
 ../../modules
+ ./backup.nix
+ ./locale.nix
+ ./nix.nix
+ ./programs.nix
+ ./ssh.nix
+ ./user.nix
 ./web.nix
 ];
- networking.domain = "net.clerie.de";
-
- networking.firewall.logRefusedConnections = lib.mkDefault false;
-
- time.timeZone = "Europe/Berlin";
-
- i18n.defaultLocale = "de_DE.UTF-8";
- i18n.extraLocaleSettings = {
- LC_MESSAGES = "en_US.UTF-8";
- };
- console = {
- keyMap = "de-latin1";
- };
-
- security.sudo.wheelNeedsPassword = lib.mkDefault false;
-
- users.groups.guests = {};
-
- nix.settings = {
- trusted-users = [ "@wheel" "@guests" ];
- auto-optimise-store = true;
- # Keep buildtime dependencies
- keep-outputs = true;
- # Build local, when caches are broken
- fallback = true;
- };
-
- environment.systemPackages = with pkgs; [
- gptfdisk
- htop
- parted
- tmux
- colmena
- vim
- agenix
- ];
-
- programs.mtr.enable = true;
-
- programs.git.enable = true;
-
- programs.git.config = {
- user = {
- name = "clerie";
- email = "git@clerie.de";
- };
- };
-
- services.openssh.enable = true;
- services.openssh.settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- PermitRootLogin = lib.mkDefault "no";
- };
-
- nix.gc = lib.mkDefault {
- automatic = true;
- dates = "weekly";
- options = "--delete-older-than 30d";
- };
-
-
- nix.settings = {
- experimental-features = [
- "flakes"
- "nix-command"
- "repl-flake"
- ];
- substituters = [
- "https://nix-cache.clerie.de"
- ];
- trusted-public-keys = [
- "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
- ];
- };
-
- # Pin current nixpkgs channel and flake registry to the nixpkgs version
- # the host got build with
- nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
- nix.registry = lib.mkForce {
- "nixpkgs" = {
- from = {
- type = "indirect";
- id = "nixpkgs";
- };
- to = {
- type = "path";
- path = lib.cleanSource pkgs.path;
- };
- exact = true;
- };
- };
- services.fstrim.enable = true;
- clerie.nixfiles.enable = 
true;
-
- clerie.backup = {
- targets = {
- cyan.serverName = "cyan.backup.clerie.de";
- magenta.serverName = "magenta.backup.clerie.de";
- };
- };
-
- documentation.doc.enable = false;
- nixpkgs.overlays = [ (import ../../pkgs/overlay.nix) ];
diff --git a/configuration/common/locale.nix b/configuration/common/locale.nix
new file mode 100644
index 0000000..fbaed26
--- /dev/null
+++ b/configuration/common/locale.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+
+ time.timeZone = "Europe/Berlin";
+
+ i18n.defaultLocale = "de_DE.UTF-8";
+ i18n.extraLocaleSettings = {
+ LC_MESSAGES = "en_US.UTF-8";
+ };
+ console = {
+ keyMap = "de-latin1";
+ };
+
+}
diff --git a/configuration/common/networking.nix b/configuration/common/networking.nix
new file mode 100644
index 0000000..b2d3bb9
--- /dev/null
+++ b/configuration/common/networking.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+
+ networking.domain = "net.clerie.de";
+
+ networking.firewall.logRefusedConnections = lib.mkDefault false;
+
+}
diff --git a/configuration/common/nix.nix b/configuration/common/nix.nix
new file mode 100644
index 0000000..29d681a
--- /dev/null
+++ b/configuration/common/nix.nix
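Review bot: `networking.nix` is created but the new `imports` list in `default.nix` (`./backup.nix` through `./web.nix`) never references it, so `networking.domain = "net.clerie.de"` and the `logRefusedConnections` default are dropped from every host by this commit rather than moved. The new file would also fail to evaluate once imported, because it is declared as `{ ... }:` yet calls `lib.mkDefault`; its header should be `{ lib, ... }:` as in `ssh.nix` and `user.nix`. `services.fstrim.enable = true;` and `nixpkgs.overlays` likewise appear behind a `-` marker with no counterpart in the new files; if those are removals rather than a collapsed blank line followed by context, they regress as well and are worth checking. The attribute set enclosing the `default.nix` hunk opens before the hunk's first line.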
@@ -0,0 +1,56 @@
+{ lib, pkgs, ... }:
+
+{
+
+ clerie.nixfiles.enable = true;
+
+ nix.settings = {
+ trusted-users = [ "@wheel" "@guests" ];
+ auto-optimise-store = true;
+ # Keep buildtime dependencies
+ keep-outputs = true;
+ # Build local, when caches are broken
+ fallback = true;
+ };
+
+ nix.gc = lib.mkDefault {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+
+ nix.settings = {
+ experimental-features = [
+ "flakes"
+ "nix-command"
+ "repl-flake"
+ ];
+ substituters = [
+ "https://nix-cache.clerie.de"
+ ];
+ trusted-public-keys = [
+ "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+ ];
+ };
+
+ # Pin current nixpkgs channel and flake registry to the nixpkgs version
+ # the host got build with
+ nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
+ nix.registry = lib.mkForce {
+ "nixpkgs" = {
+ from = {
+ type = "indirect";
+ id = "nixpkgs";
+ };
+ to = {
+ type = "path";
+ path = lib.cleanSource pkgs.path;
+ };
+ exact = true;
+ };
+ };
+
+ documentation.doc.enable = false;
+
+}
diff --git a/configuration/common/programs.nix b/configuration/common/programs.nix
new file mode 100644
index 0000000..8b4d56a
--- /dev/null
+++ b/configuration/common/programs.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+
+{
+
+ environment.systemPackages = with pkgs; [
+ gptfdisk
+ htop
+ parted
+ tmux
+ colmena
+ vim
+ agenix
+ ];
+
+ programs.mtr.enable = true;
+
+ programs.git.enable = true;
+
+ programs.git.config = {
+ user = {
+ name = "clerie";
+ email = "git@clerie.de";
+ };
+ };
+
+}
diff --git a/configuration/common/ssh.nix b/configuration/common/ssh.nix
new file mode 100644
index 0000000..e62aab5
--- /dev/null
+++ b/configuration/common/ssh.nix
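Review bot: `trusted-users = [ "@wheel" "@guests" ];` in nix.nix gives every member of the `guests` group (declared in user.nix as an otherwise empty group) trusted-user status on the Nix daemon, which the Nix manual describes as essentially equivalent to root access, and the line carries no comment saying that this is deliberate for that group. A comment such as `# trusted-users are root-equivalent on the daemon; only groups whose members may already administer the host belong here` next to it would make the decision visible to the next reader. The two `nix.settings` blocks in the same file could also be merged into one, which avoids relying on the evaluator merging duplicate attribute paths and keeps all daemon settings in one place.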
@@ -0,0 +1,16 @@
+{ lib, ... }:
+
+{
+
+ services.openssh.enable = true;
+ services.openssh.settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = lib.mkDefault "no";
+ };
+ services.openssh.hostKeys = lib.mkForce [
+ # Only create ed25519 host keys
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+
+}
diff --git a/configuration/common/user.nix b/configuration/common/user.nix
new file mode 100644
index 0000000..cb469e8
--- /dev/null
+++ b/configuration/common/user.nix
@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+
+ security.sudo.wheelNeedsPassword = lib.mkDefault false;
+
+ users.groups.guests = {};
+
+}
diff --git a/hosts/gatekeeper/configuration.nix b/hosts/gatekeeper/configuration.nix
index bea60ad..e78c336 100644
--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
@@ -102,6 +102,11 @@
 allowedIPs = [ "2a01:4f8:c0c:15f1::8109/128" "10.20.30.109/32" ];
 publicKey = "syHX6PO1N3Annv5t2W8bdAo/kMoYenzrcPrUHxkIBEE=";
 }
+ {
+ # zinc-initrd
+ allowedIPs = [ "2a01:4f8:c0c:15f1::8110/128" "10.20.30.110/32" ];
+ publicKey = "kn6ZtViagKGSyfQJQW6csQE/5r7uKlbC1rbInlQ33xs=";
+ }
 ];
 listenPort = 51820;
 allowedIPsAsRoutes = false;
diff --git a/hosts/krypton/programs.nix b/hosts/krypton/programs.nix
index 9cc240c..0531144 100644
--- a/hosts/krypton/programs.nix
+++ b/hosts/krypton/programs.nix
@@ -12,6 +12,8 @@
 element-desktop
 signal-desktop
 dino
+ fractal-next
+ tio
 xournalpp
diff --git a/hosts/zinc/configuration.nix b/hosts/zinc/configuration.nix
index 37f2827..385d246 100644
--- a/hosts/zinc/configuration.nix
+++ b/hosts/zinc/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
+ ./initrd.nix
 ];
 # Use the systemd-boot EFI boot loader.
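Review bot: `security.sudo.wheelNeedsPassword = lib.mkDefault false;` in user.nix removes the sudo password prompt for every wheel member on every host that imports `configuration/common`, and the new file gives no reason for it. A one-line comment above it stating why the prompt is not wanted here, and that `mkDefault` leaves hosts free to turn it back on, would record the trade-off where the next reader looks for it.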
@@ -18,19 +19,6 @@
 };
 };
- boot.initrd.network.enable = true;
- boot.initrd.network.ssh = {
- enable = true;
- port = 1022;
- shell = "/bin/cryptsetup-askpass";
- authorizedKeys = config.users.users.clerie.openssh.authorizedKeys.keys;
- hostKeys = [
- "/var/src/secrets/initrd/ssh_host_ed25519_key"
- ];
- };
- boot.initrd.kernelModules = [ "igc" ];
- boot.kernelParams = [ "ip=dhcp" ];
-
 networking.hostName = "zinc";
 services.wg-clerie = {
diff --git a/hosts/zinc/initrd.nix b/hosts/zinc/initrd.nix
new file mode 100644
index 0000000..fa69543
--- /dev/null
+++ b/hosts/zinc/initrd.nix
@@ -0,0 +1,28 @@
+{ config, ... }:
+
+{
+
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+ port = 1022;
+ #shell = "/bin/cryptsetup-askpass";
+ authorizedKeys = config.users.users.clerie.openssh.authorizedKeys.keys;
+ hostKeys = [
+ "/var/src/secrets/initrd/ssh_host_ed25519_key"
+ ];
+ };
+ boot.initrd.kernelModules = [
+ "igc" # integrated rj45 network interface
+ "cdc_ether" # external 5G modem via usb
+ ];
+ boot.kernelParams = [ "ip=dhcp" ];
+
+ boot.initrd.network.wireguard = {
+ enable = true;
+ ipv6s = [ "2a01:4f8:c0c:15f1::8110/128" ];
+ ipv4s = [ "10.20.30.110/32" ];
+ privateKeyFile = "/var/src/secrets/wireguard/wg-initrd";
+ };
+
+}
diff --git a/hosts/zinc/secrets/wg-clerie.age b/hosts/zinc/secrets/wg-clerie.age
index 10dddfb..6df5bd9 100644
--- a/hosts/zinc/secrets/wg-clerie.age
+++ b/hosts/zinc/secrets/wg-clerie.age
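Review bot: `#shell = "/bin/cryptsetup-askpass";` in initrd.nix is commented-out code, and it quietly changes behaviour relative to the block removed from `hosts/zinc/configuration.nix`, where that line was active: an SSH login into the initrd now presumably lands in the default initrd shell instead of going straight to the passphrase prompt. If the shell is wanted while the WireGuard setup is being brought up, say so in a comment and note when the line is to be restored; otherwise delete it. The `hostKeys` entry and the `privateKeyFile` under `/var/src/secrets/...` end up inside the initrd image (the new module copies the latter via `boot.initrd.secrets`), which normally lives on the unencrypted boot partition; a comment recording that exposure would help whoever later rotates these keys.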
@@ -1,9 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 HwR33w GylpkU4Ggva7AOyvfiwH2/lAkSH7T20sQmHlJfOOch0 -kzollmoX54CmDyP0WIeI2yEmgdiymf8A8TNEDAPnO8Y --> ssh-ed25519 bZcGZQ GwcT/xiAoRIN1OfV+uDIcpw+lX+ZC20AmOLg6B2PM3k -YnhZzPHao9tgl1RssSFFWtCb2soWv3XyfKgfIM+brJo --> +>1#-grease -yEhsdkJvmaW0F1hgD6zkMgmUE0Rc7zFQ9jz/dJ0RC/MOFGDt0g ---- zLB+ok+CDy2k2PhSlyDTfVTSkiM9ht2YjohIwKVaMis -r#]ˈp'X;qQk%W4W+5Y2̕b(a=2tc<*^r \ No newline at end of file +-> ssh-ed25519 HwR33w RJr/aWAuz9pHJyeiT4VGl24oBL3PW/h2yhMlNKdeH3k +KsHqO3xKdVMgtgXFYFKD7sapwaQBDX70yUMwFqVSsc4 +-> ssh-ed25519 h49YJA woMEtKliLp92iPq8OFK2okbFbZbqtsH2LIRYyBQEs1U +BJRYOXn4Yg5IzJxOukdzvlrZadralTdJg7FKcz4yV9c +-> 5R?-grease @H*!dd.z qES\G 7JLNzC +AzZ7dZCu+BRUNqJ7Qikw8fbSxSlP7IOm1/9DmYNm6KJIQbNLqrdCfMI8i5G7hbEG +pGVLYCrnZudEPKmEI7WtgGsQ +--- DEhkE0BvIaahPO/+T8NzqSCNg2hmbdCwTSF2faMECgk +߃Cиgu1" Zc1 53)bf]QDF k:c;iQwnqTbmbcHoo \ No newline at end of file diff --git a/hosts/zinc/ssh.pub b/hosts/zinc/ssh.pub index c729cda..6738f96 100644 --- a/hosts/zinc/ssh.pub +++ b/hosts/zinc/ssh.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMhwaD2nyIUiR3lP6tasd4Rx6XCoSpdebjlETfuENai root@zinc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/HUikWFjhmlXkcyx9cQH9YQFqsu38xUt5mFXBjNbYR diff --git a/modules/default.nix b/modules/default.nix index 4e3c341..8271876 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -15,5 +15,6 @@ ./nixfiles ./update-from-hydra ./wg-clerie + ./wireguard-initrd ]; } diff --git a/modules/wireguard-initrd/default.nix b/modules/wireguard-initrd/default.nix new file mode 100644 index 0000000..6c1afb3 --- /dev/null +++ b/modules/wireguard-initrd/default.nix 
@@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.boot.initrd.network.wireguard;
+in
+
+{
+ options = {
+ boot.initrd.network.wireguard = {
+ enable = mkEnableOption "Wireguard in initrd";
+ privateKeyFile = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = "Path to file containing private key for wireguard interface";
+ };
+ ipv6s = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "IPv6 interface addresses";
+ };
+ ipv4s = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "IPv4 interface addresses";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ boot.initrd.kernelModules = [ "wireguard" ];
+
+ boot.initrd.extraUtilsCommands = ''
+ for BIN in ${pkgs.iproute2}/bin/*; do
+ copy_bin_and_libs $BIN
+ done
+ [ -f "$out/bin/wg" ] && rm "$out/bin/wg"
+ cp -pdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
+ '';
+
+ boot.initrd.network.postCommands = ''
+ ip link add dev "wg-initrd" type wireguard
+
+ ${concatMapStringsSep "\n" (ip: ''
+ ip address add "${ip}" dev "wg-initrd"
+ '') cfg.ipv6s}
+ ${concatMapStringsSep "\n" (ip: ''
+ ip address add "${ip}" dev "wg-initrd"
+ '') cfg.ipv4s}
+
+ wg set "wg-initrd" private-key "/var/src/secrets/wireguard/wg-initrd"
+
+ ip link set up "wg-initrd"
+
+ wg set "wg-initrd" peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" \
+ endpoint "$(ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null && echo '[2a01:4f8:c0c:15f1::1]:51820' || echo '78.47.183.82:51820')" \
+ persistent-keepalive "25" \
+ allowed-ips "0.0.0.0/0,::/0,10.20.30.0/24,2a01:4f8:c0c:15f1::/113"
+
+ ip route add "::/0" dev "wg-initrd" table 1337
+ ip route add "0.0.0.0/0" dev "wg-initrd" table 1337
+
+
+ ${concatMapStringsSep "\n" (ip: ''
+ ip -6 rule add from "${ip}" lookup 1337 prio 19000
+ ip -6 rule add from "${ip}" unreachable prio 19001
+ '') cfg.ipv6s}
+ ip -6 rule add from "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 lookup 
main prio 20000
+ ip -6 rule add from "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 unreachable prio 20001
+ ip -6 rule add lookup main prio 21000
+ ip -6 rule add lookup 1337 prio 21001
+ ip -6 rule add unreachable prio 21000
+
+
+ ${concatMapStringsSep "\n" (ip: ''
+ ip -4 rule add from "${ip}" lookup 1337 prio 19000
+ ip -4 rule add from "${ip}" unreachable prio 19001
+ '') cfg.ipv4s}
+ ip -4 rule add from "78.47.183.82/32" ipproto udp dport 51820 lookup main prio 20000
+ ip -4 rule add from "78.47.183.82/32" ipproto udp dport 51820 unreachable prio 20001
+ ip -4 rule add lookup main prio 21000
+ ip -4 rule add lookup 1337 prio 21001
+ ip -4 rule add unreachable prio 21000
+ '';
+
+ boot.initrd.postMountCommands = ''
+ ip link del dev "wg-initrd"
+
+ ip -6 rule flush
+ ip -4 rule flush
+ '';
+
+ boot.initrd.secrets = {
+ "/var/src/secrets/wireguard/wg-initrd" = if cfg.privateKeyFile == null then config.age.secrets.wg-clerie.path else cfg.privateKeyFile;
+ };
+ };
+}
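Review bot: `ip -6 rule add unreachable prio 21000` (and its `-4` twin) shares its priority with `ip -6 rule add lookup main prio 21000`, so the `lookup 1337 prio 21001` fallback is dead: whichever order the kernel keeps the two 21000 rules in, the lookup terminates before 21001 is reached, and the 19000/19001 and 20000/20001 pattern above suggests this was meant to be `prio 21002`. The two `from "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820` rules (and the `78.47.183.82/32` ones) select on source address, which locally originated handshake packets to the endpoint will not carry, so they appear to match nothing; if the intent is to pin endpoint traffic to `main`, the selector would be `to`. The peer public key, both endpoints, table `1337` and the path in `wg set "wg-initrd" private-key "/var/src/secrets/wireguard/wg-initrd"` are hard-coded while the addresses and key file are options, so `cfg.privateKeyFile` only changes what `boot.initrd.secrets` copies, not what `wg` reads; binding both to one `let` value, or a comment stating that the two paths must agree, would stop them drifting. `&>/dev/null` in the endpoint probe is a bash redirection that the initrd's shell honours only with bash-compat enabled; `>/dev/null 2>&1` is the portable spelling.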