From ab081f14ea5182ee11c5d0e2bbeb287b60e1417b Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 3 Jan 2021 17:38:59 +0100
Subject: [PATCH] add lumi-vpn module
---
logical/blackadder.nix | 15 +++------------
logical/jarvis.nix | 14 +-------------
modules/lumi-vpn.nix | 42 ++++++++++++++++++++++++++++++++++++++++++
roles/default.nix | 1 +
roles/workstation.nix | 2 ++
5 files changed, 49 insertions(+), 25 deletions(-)
create mode 100644 modules/lumi-vpn.nix
diff --git a/logical/blackadder.nix b/logical/blackadder.nix
index 8ff2131..739156a 100644
--- a/logical/blackadder.nix
+++ b/logical/blackadder.nix
@@ -5,20 +5,11 @@
 ../roles/workstation.nix
 ];
- nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
 system.stateVersion = "19.09";
- networking.wireguard.interfaces = {
- wg-lumi = {
- privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick-homepc.key";
- ips = [ "10.109.0.18" ];
- peers = [ {
- publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
- endpoint = "wg.lumi.guide:31727";
- allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ];
- }];
- postSetup = "ip link set dev wg-lumi mtu 1408";
- };
+ yorick.lumi-vpn = {
+ name = "yorick-homepc";
+ mtu = 1408;
 };
 environment.systemPackages = [ pkgs.spice_gtk ];
 security.wrappers.spice-client-glib-usb-acl-helper.source = "${pkgs.spice_gtk}/bin/spice-client-glib-usb-acl-helper";
diff --git a/logical/jarvis.nix b/logical/jarvis.nix
index adfe4ff..17d0cb0 100644
--- a/logical/jarvis.nix
+++ b/logical/jarvis.nix
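Review bot: The removal of `nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];` in this hunk and in the jarvis.nix hunk is not covered by the subject "add lumi-vpn module"; dropping an unpinned fetch of a third-party `master` tarball from the system closure is a worthwhile change on its own and deserves either its own commit or a sentence in the message. Of the old WireGuard block only `name` and `mtu` survive here, while the tunnel address `10.109.0.18` is now looked up by the module from an address file outside this repository, so a change there would move this host's address with no visible diff in this file. A one-line comment on the new block, e.g. `# ip is taken from addresses.workstations.yorick-homepc`, would make that dependency visible to the next reader.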
@@ -5,19 +5,7 @@
 ../roles/workstation.nix
 ];
- nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
 system.stateVersion = "17.09";
- networking.wireguard.interfaces = {
- wg-lumi = {
- privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick.key";
- ips = [ "10.109.0.10" ];
- peers = [ {
- publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
- endpoint = "wg.lumi.guide:31727";
- allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ];
- }];
- postSetup = "ip link set dev wg-lumi mtu 1371";
- };
- };
+ yorick.lumi-vpn.name = "yorick";
 }
diff --git a/modules/lumi-vpn.nix b/modules/lumi-vpn.nix
new file mode 100644
index 0000000..e49e0b1
--- /dev/null
+++ b/modules/lumi-vpn.nix
@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+let
+ cfg = config.yorick.lumi-vpn;
+ addresses = import "${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix"
+ { lib.ip4.ip = a: b: c: d: x: lib.concatStringsSep "." (map toString [ a b c d ]); };
+in
+{
+ options.yorick.lumi-vpn = with lib; {
+ enable = mkEnableOption "lumi vpn";
+ name = mkOption {
+ type = types.str;
+ example = "yorick-homepc";
+ };
+ user = mkOption {
+ type = types.str;
+ default = "yorick";
+ };
+ mtu = mkOption {
+ type = types.int;
+ default = 1371;
+ };
+ ip = mkOption {
+ type = types.str;
+ example = "10.109.0.1";
+ default = addresses.workstations."${cfg.name}";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ networking.wireguard.interfaces = {
+ wg-lumi = {
+ privateKeyFile = "/home/${cfg.user}/engineering/lumi/secrets/devel/vpn/wg/workstations.${cfg.name}.key";
+ ips = [ cfg.ip ];
+ peers = [ {
+ publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
+ endpoint = "wg.lumi.guide:31727";
+ allowedIPs = [ "10.96.0.0/12" "10.0.0.0/17" ];
+ }];
+ postSetup = "ip link set dev wg-lumi mtu ${toString cfg.mtu}";
+ };
+ };
+ };
+}
diff --git a/roles/default.nix b/roles/default.nix
index 292cd6b..20780ea 100644
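Review bot: `addresses` is imported from `"${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix"`, so the default of `ip` depends on the environment of whoever evaluates the configuration: under `sudo`, a remote deploy, or pure evaluation `getEnv` returns `""`, the import silently resolves to `/engineering/lumi/os/gateway/addresses.nix`, and the failure only surfaces for hosts that leave `ip` unset. Exposing that path as an option keeps the present default while letting a caller pin a fixed file, and the options could gain `description` strings at the same time, since none has one. The `x:` argument of the `lib.ip4.ip` shim is accepted and discarded — presumably a prefix length from the address file; a comment saying so would help. `privateKeyFile` points into `/home/${cfg.user}`, which keeps the key out of the world-readable store, but nothing here checks the file's ownership or mode, so that remains an external assumption worth stating in the option's documentation.
```nix
let
  cfg = config.yorick.lumi-vpn;
  # Only evaluated when `ip` is left at its default; the file comes from a
  # configurable path instead of being hard-wired to the evaluator's $HOME.
  addresses = import cfg.addressesFile
    # Shim for the `lib` the address file expects; the fifth argument is ignored (prefix length?).
    { lib.ip4.ip = a: b: c: d: x: lib.concatStringsSep "." (map toString [ a b c d ]); };
in
{
  options.yorick.lumi-vpn = with lib; {
    # … unchanged: enable, name, user, mtu …
    addressesFile = mkOption {
      type = types.path;
      # Same location as before; $HOME unset makes getEnv return "" and the import fail.
      default = "${builtins.getEnv "HOME"}/engineering/lumi/os/gateway/addresses.nix";
      description = "Nix file exporting the lumi address plan (workstations.<name>).";
    };
    ip = mkOption {
      type = types.str;
      example = "10.109.0.1";
      default = addresses.workstations."${cfg.name}";
      description = "Tunnel address; defaults to the entry for `name` in addressesFile.";
    };
  };
  # … unchanged: config = lib.mkIf cfg.enable { … } …
}
```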
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -9,6 +9,7 @@ in
 imports = [
 ../modules/tor-hidden-service.nix
 ../modules/nginx.nix
+ ../modules/lumi-vpn.nix
 ../deploy/keys.nix
 ../services
 ];
diff --git a/roles/workstation.nix b/roles/workstation.nix
index 0e15a36..b36dac8 100644
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@@ -97,4 +97,6 @@ in
 # git
 boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000;
+
+ yorick.lumi-vpn.enable = true;
 }
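Review bot: `yorick.lumi-vpn.enable = true;` in the shared workstation role makes `yorick.lumi-vpn.name`, which has no default, effectively mandatory for every host importing `roles/workstation.nix`: once `enable` is true the module's `privateKeyFile` and the `ip` default both evaluate `cfg.name`, so a host that does not set it fails to evaluate with an undefined-option error instead of simply having no tunnel. A host also cannot opt out with a plain `enable = false;`, because that would conflict with this definition and require `lib.mkForce`. Writing it as `yorick.lumi-vpn.enable = lib.mkDefault true;` (assuming `lib` is an argument of this file; its header is outside the hunk) keeps the role's behavior for the two hosts in this commit while letting any other workstation override it.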