From 57a2373d5d3435db87c25246b454c26315c84179 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Thu, 21 Oct 2021 18:41:07 +0100
Subject: [PATCH] WIP migration to 0.4
---
 config/hosts/daiyousei.nix | 3 ++-
 config/hosts/goliath.nix | 3 ++-
 config/hosts/koishi.nix | 3 ++-
 config/hosts/kyouko.nix | 3 ++-
 config/hosts/marisa.nix | 11 ++++----
 config/hosts/rinnosuke.nix | 3 ++-
 config/hosts/shinmyoumaru.nix | 3 ++-
 config/hosts/yukari.nix | 3 ++-
 config/modules/nixos/yggdrasil.nix | 40 ++++++------------------------
 config/profiles/gui/nfs.nix | 3 +--
 config/profiles/network.nix | 12 +++------
 11 files changed, 31 insertions(+), 56 deletions(-)
diff --git a/config/hosts/daiyousei.nix b/config/hosts/daiyousei.nix
index 2ff41d3f..6eb1e648 100644
--- a/config/hosts/daiyousei.nix
+++ b/config/hosts/daiyousei.nix
@@ -30,7 +30,8 @@
 network.yggdrasil = {
 enable = true;
- pubkey = "0db7838e7cbab0dc0694f09b683b3a064bf63665415f2af47d1269c2861ffc20";
+ pubkey = "edb7de263e6924b8c9446123979782420e5196317bffc75e9a6ca546551252da";
+ address = "206:d807:a98:309f:3bc0:de7a:411d:9d95";
 };
 services.nginx.virtualHosts =
diff --git a/config/hosts/goliath.nix b/config/hosts/goliath.nix
index 1cf5976c..5b947804 100644
--- a/config/hosts/goliath.nix
+++ b/config/hosts/goliath.nix
@@ -235,7 +235,8 @@
 };
 yggdrasil = {
 enable = true;
- pubkey = "a7110d0a1dc9ec963d6eb37bb6922838b8088b53932eae727a9136482ce45d47";
+ pubkey = "9604cc51760376fa111e931aad1a71ab91f240517a7d60932c6646104b99db47";
+ address = "200:d3f6:675d:13f9:120b:ddc2:d9ca:a5cb";
 listen.enable = false;
 listen.endpoints = [ "tcp://0.0.0.0:0" ];
 };
diff --git a/config/hosts/koishi.nix b/config/hosts/koishi.nix
index 20b8f1e4..4d5d05e2 100644
--- a/config/hosts/koishi.nix
+++ b/config/hosts/koishi.nix
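Review bot: The new `address` line is a hand-copied value that nothing checks against the `pubkey` beside it, here and in the goliath, koishi, kyouko, marisa, rinnosuke, shinmyoumaru and yukari hunks; with the module's derived default disabled in the yggdrasil.nix hunk (`default = ""`), a transposed key or address is not caught at evaluation and only shows up when traffic for that node fails or is routed to the wrong key. Each pair should at least carry a comment recording how the value was produced, e.g. `# address derived from pubkey with yggdrasil -address; regenerate both together when the key changes`, so the two are not edited independently. Once `calcAddr` is known to work against 0.4, an assertion in the module comparing the configured address with the derived one would make the check mechanical.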
@@ -80,7 +80,8 @@
 };
 yggdrasil = {
 enable = true;
- pubkey = "9779fd6b5bdba6b9e0f53c96e141f4b11ce5ef749d1b9e77a759a3fdbd33a653";
+ pubkey = "f94d49458822a73d70306b249a39d4de8a292b13e12339b21010001133417be7";
+ address = "200:d65:6d74:efba:b185:1f9f:29b6:cb8c";
 listen.enable = false;
 listen.endpoints = [ "tcp://0.0.0.0:0" ];
 };
diff --git a/config/hosts/kyouko.nix b/config/hosts/kyouko.nix
index 2fdbfd7f..ec0eae69 100644
--- a/config/hosts/kyouko.nix
+++ b/config/hosts/kyouko.nix
@@ -102,7 +102,8 @@ with lib;
 };
 yggdrasil = {
 enable = true;
- pubkey = "55e3f29c252d16e73ac849a6039824f94df1dee670c030b9e29f90584f935575";
+ pubkey = "0da9fce0b282c63b449a813183e8fa15d1480b344228068f2af860afafa8928d";
+ address = "204:4ac0:63e9:afa7:3897:6caf:d9cf:82e0";
 listen.enable = true;
 listen.endpoints = [ "tcp://${config.network.addresses.public.nixos.ipv4.address}:52969" "tcp://[${config.network.addresses.public.nixos.ipv6.address}]:52969" ];
 };
diff --git a/config/hosts/marisa.nix b/config/hosts/marisa.nix
index 0826d3f9..31ac1004 100644
--- a/config/hosts/marisa.nix
+++ b/config/hosts/marisa.nix
@@ -67,14 +67,15 @@
 };
 yggdrasil = {
 enable = true;
- pubkey = "3b171319fbb6be1716c99f36b83a70346ec655d99afde410a50ca61a1c278c7c";
+ pubkey = "2134779f3e19e7df46113a814e9a87097839b9d557ebe3856423e148abcfe582";
+ address = "202:f65c:4306:f30:c105:cf76:2bf5:8b2b";
 listen.enable = true;
 listen.endpoints = [ "tcp://${config.network.addresses.public.nixos.ipv4.address}:52969" "tcp://[${config.network.addresses.public.nixos.ipv6.address}]:52969" ];
 };
 firewall = {
 public = {
 interfaces = singleton "ens3";
- tcp.ports = singleton 62969;
+ tcp.ports = singleton 52969;
 };
 private.interfaces = singleton "yggdrasil";
 };
@@ -83,18 +84,18 @@
 # Youko WG
 networking.wireguard.interfaces.wg-youko = {
 ips = [
- "10.42.68.1/24"
+ "10.42.68.1/32"
 ];
 listenPort = 51219;
 peers = [
 {
 allowedIPs = [
- "10.42.68.1/24"
+ "10.42.68.0/24"
 ];
 publicKey = "nc7mpg2tbawWR9xjFsk/loxAMtRhEZ49PCJXNYk/Qm8=";
 }
 ];
- privateKeyFile = config.secrets.files.wg-youko-privkey.file;
+ privateKeyFile = config.secrets.files.wg-youko-privkey.path;
 };
 kw.secrets.variables.wg-youko-privkey = {
diff --git a/config/hosts/rinnosuke.nix b/config/hosts/rinnosuke.nix
index ec321951..521b9640 100644
--- a/config/hosts/rinnosuke.nix
+++ b/config/hosts/rinnosuke.nix
@@ -23,7 +23,8 @@
 network = {
 yggdrasil = {
 enable = true;
- pubkey = "d3db7b089f3cb2d33e18c77b8f9a5a08185798143822b219dbc938aa37d29310";
+ pubkey = "fc64ee574072ef7420ff98bc53856f881025de252081e661a78e04ebcf7c6b35";
+ address = "200:736:2351:7f1a:2117:be00:ce87:58f5";
 };
 };
diff --git a/config/hosts/shinmyoumaru.nix b/config/hosts/shinmyoumaru.nix
index 7267e8b5..e9737820 100644
--- a/config/hosts/shinmyoumaru.nix
+++ b/config/hosts/shinmyoumaru.nix
@@ -44,7 +44,8 @@
 };
 yggdrasil = {
 enable = true;
- pubkey = "5ba8c9f8627b6e5da938e6dec6e0a66287490e28084e58125330b7a8812cc22e";
+ pubkey = "70c18030247e98fdffe4fd81f5fa8c7c4ed43fd6a4fb2b5ef7af0a010d08f63c";
+ address = "200:691b:b4fb:6987:711f:bde:9b5c:8af3";
 listen.enable = false;
 listen.endpoints = [ "tcp://0.0.0.0:0" ];
 };
diff --git a/config/hosts/yukari.nix b/config/hosts/yukari.nix
index 04c6a25f..bbf4d0c7 100644
--- a/config/hosts/yukari.nix
+++ b/config/hosts/yukari.nix
@@ -106,7 +106,8 @@
 };
 yggdrasil = {
 enable = true;
- pubkey = "d3e488574367056d3ae809b678f799c29ebfd5c7151bb1f4051775b3953e5f52";
+ pubkey = "4f8fb0817afcd6211fb6a2cac2893df7d3f12c5c99eed106718d7223468473b2";
+ address = "201:c1c1:3dfa:140c:a77b:8125:74d4:f5db";
 listen.enable = false;
 listen.endpoints = [ "tcp://0.0.0.0:0" ];
 };
diff --git a/config/modules/nixos/yggdrasil.nix b/config/modules/nixos/yggdrasil.nix
index 5e73f869..cec843be 100644
--- a/config/modules/nixos/yggdrasil.nix
+++ b/config/modules/nixos/yggdrasil.nix
@@ -5,7 +5,7 @@ with lib;
 let
 cfg = config.network.yggdrasil;
 calcAddr = pubkey: lib.readFile (pkgs.runCommandNoCC "calcaddr-${pubkey}" { } ''
- echo '{ EncryptionPublicKey: "${pubkey}" }' | ${config.services.yggdrasil.package}/bin/yggdrasil -useconf -address | tr -d '\n' > $out
+ echo '{ SigningPublicKey: "${pubkey}" }' | ${config.services.yggdrasil.package}/bin/yggdrasil -useconf -address | tr -d '\n' > $out
 '').outPath;
 in
 {
@@ -17,8 +17,9 @@ in
 };
 address = mkOption {
 type = types.str;
- description = "Main Yggdrasil address. Set automatically";
- default = calcAddr cfg.pubkey;
+ #description = "Main Yggdrasil address. Set automatically";
+ #default = calcAddr cfg.signingPubkey;
+ default = "";
 };
 trust = mkOption {
 type = types.bool;
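Review bot: `calcAddr` in the first hunk now feeds `SigningPublicKey` to `yggdrasil -useconf -address`, while the template built later in this same patch uses `PublicKey`/`PrivateKey` as the 0.4 field names, so at least one of the two spellings is wrong for the new config format; because the second hunk replaces the derived default with `default = ""`, the helper is never evaluated and the mismatch cannot surface (the commented-out `default` also refers to `cfg.signingPubkey`, which is not the `pubkey` option the hosts set). An empty string is a weak sentinel for a `types.str` address: a host that enables yggdrasil without setting `address` gets `""` wherever the value is consumed rather than an evaluation error. I would drop the `default` so the option is required while derivation is disabled, keep the `description` (`description = "Main Yggdrasil address. Must currently be set by hand (derivation disabled during the 0.4 migration)";`), and leave a note above `calcAddr` such as `# disabled during the 0.4 migration: field name not yet verified against 0.4's -useconf`.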
@@ -122,46 +123,19 @@ in
 enable = true;
 persistentKeys = true;
 config = {
- AllowedEncryptionPublicKeys = pubkeys;
+ AllowedPublicKeys = pubkeys;
 IfName = "yggdrasil";
 Listen = cfg.listen.endpoints;
 Peers = lib.flatten (cfg.extern.endpoints ++ (map (c: c.listen.endpoints) (filter (c: c.listen.enable) yggConfigs)));
- SessionFirewall = {
- Enable = true;
- AllowFromRemote = false;
- WhitelistEncryptionPublicKeys = pubkeys;
- };
- TunnelRouting =
- let
- subnets = v: (
- listToAttrs (flatten (map (c: map (net: nameValuePair net c.pubkey) c.tunnel."localV${toString v}") yggConfigs))
- ) // cfg.tunnel."remoteV${toString v}";
- in
- {
- Enable = true;
- IPv4LocalSubnets = cfg.tunnel.localV4 ++ cfg.extra.localV4;
- IPv6LocalSubnets = cfg.tunnel.localV6 ++ cfg.extra.localV6;
- IPv4RemoteSubnets = subnets 4;
- IPv6RemoteSubnets = subnets 6;
- };
 };
 };
- systemd.services.yggdrasil.postStart =
- let
- yggTun = config.services.yggdrasil.config.TunnelRouting;
- addNets = v: nets: concatMapStringsSep "\n" (net: "${pkgs.iproute}/bin/ip -${toString v} route add ${net} dev yggdrasil") (attrNames nets);
- in
- "sleep 1\n" + (concatMapStringsSep "\n" (v: addNets v yggTun."IPv${toString v}RemoteSubnets") [ 4 6 ]);
 system.build.yggdrasilTemplate = let
 json = builtins.toJSON {
 inherit (config.services.yggdrasil.config) Peers SessionFirewall TunnelRouting;
- EncryptionPublicKey = "";
- EncryptionPrivateKey = "";
- SigningPublicKey = "";
- SigningPrivateKey = "";
+ PublicKey = "";
+ PrivateKey = "";
 };
 in
 pkgs.runCommandNoCC "yggdrasil-template.json" { }
diff --git a/config/profiles/gui/nfs.nix b/config/profiles/gui/nfs.nix
index 33126217..51dcc51c 100644
--- a/config/profiles/gui/nfs.nix
+++ b/config/profiles/gui/nfs.nix
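Review bot: `inherit (config.services.yggdrasil.config) Peers SessionFirewall TunnelRouting;` in the template still names the two attributes this hunk deletes from `config`, so evaluating `system.build.yggdrasilTemplate` will fail with a missing-attribute error unless the NixOS module supplies them itself; it should become `inherit (config.services.yggdrasil.config) Peers;`. The security effect is larger than the line count suggests: `SessionFirewall` with `AllowFromRemote = false` and the key whitelist decided which remote nodes could open sessions to this host, whereas `AllowedPublicKeys` only restricts who may peer directly (as far as I know 0.4 dropped the session firewall without a replacement), so any node reachable through the mesh can now send packets to the `yggdrasil` interface and the host firewall on that interface (marisa's `private.interfaces = singleton "yggdrasil"`, and whatever the other hosts do) becomes the only filter. A comment on the new line would stop the old semantics being assumed, e.g. `# peering allow-list only: 0.4 has no per-session key filter, the host firewall on the yggdrasil interface must do that job`. The `cfg.tunnel.*` and `cfg.extra.*` options that fed `TunnelRouting` appear to remain declared but are now silently ignored; if so, either remove them or assert that they are empty so a host still setting them is told.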
@@ -3,13 +3,12 @@
 {
 boot.supportedFilesystems = [ "nfs" ];
- /*
+
 fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "yukari") {
 device = "${meta.network.nodes.yukari.network.addresses.wireguard.domain}:/mnt/zraw/media";
 fsType = "nfs";
 options = [ "x-systemd.automount" "noauto" "nfsvers=4" "soft" "retrans=2" "timeo=60" ];
 };
- */
 /*
 fileSystems."/mnt/hex-corn" = {
diff --git a/config/profiles/network.nix b/config/profiles/network.nix
index 81c0298c..77dae1d9 100644
--- a/config/profiles/network.nix
+++ b/config/profiles/network.nix
@@ -10,15 +10,7 @@
 config = {
 network.yggdrasil.extern = let
- hexchen = (import sources.hexchen) { };
- hexYgg = filterAttrs (_: c: c.enable)
- (mapAttrs (_: host: host.config.network.yggdrasil) hexchen.hosts);
 in {
- endpoints = flatten (map (c: c.listen.endpoints) (filter
- (c:
- c.listen.enable && (c.pubkey
- != "0000000000000000000000000000000000000000000000000000000000000000"))
- (attrValues hexYgg)));
 pubkeys = {
 satorin =
 "53d99a74a648ff7bd5bc9ba68ef4f472fb4fb8b2e26dfecea33c781f0d5c9525";
@@ -28,7 +20,9 @@
 "2a1567a2848540070328c9e938c58d40f2b1a3f08982c15c7edc5dcabfde3330";
 boline =
 "89684441745467da0d1bf7f47dc74ec3ca65e05c72f752298ef3c22a22024d43";
- } // (mapAttrs (_: c: c.pubkey) hexYgg);
+ okami =
+ "f8fd12c6ed924048e93a7bd7dd63c2464813c9edddfef7415c4574518ecd4757";
+ };
 };
 networking.firewall.extraCommands = "ip6tables -A INPUT -p 89 -i wgmesh-+ -j ACCEPT";
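Review bot: Removing `endpoints` from `network.yggdrasil.extern` leaves the module's `Peers = lib.flatten (cfg.extern.endpoints ++ ...)` reading an attribute this file no longer sets; whether that is an evaluation error or an empty list depends on the option's default, which is outside this diff. If it evaluates to empty, every host with `listen.enable = false` now peers only with the listening hosts in the local `yggConfigs` set and the external `hexchen` mesh is no longer reached at all, which may be the intent of the migration but deserves a sentence in the commit message or a comment such as `# external endpoints dropped with the 0.4 migration; only the in-repo listening hosts are peered`. The `sources.hexchen` pin that fed the removed `import` is presumably still declared elsewhere; if it is, removing it too keeps the dropped trust relationship from being re-imported by accident.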