feat: nix: added working wireguard connection between alligator and n…

…odes
Litarvan · Jul 6, 2023 · e8a7966 · e8a7966
1 parent 422fd64
commit e8a7966
Show file tree

Hide file tree

Showing 7 changed files with 138 additions and 23 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 /.idea
 /.secrets
-/result
+/result
+/tests
diff --git a/modules/users.nix b/modules/users.nix
@@ -26,7 +26,8 @@ in
 
   users.users.root = {
    shell = pkgs.fish;
-   openssh.authorizedKeys.keys = ifNetboot [ sshKeys.yubiForge ];
+   # openssh.authorizedKeys.keys = ifNetboot [ sshKeys.yubiForge ];
+   openssh.authorizedKeys.keys = [ sshKeys.yubiForge ];
   };
 
   programs.fish = {
@@ -39,7 +40,7 @@ in
     ports = [ 36255 ];
     settings = {
       PasswordAuthentication = false;
-      PermitRootLogin = ifNotNetboot "no";
+      # PermitRootLogin = ifNotNetboot "no";
     };
   };
 

diff --git a/systems/alligator/default.nix b/systems/alligator/default.nix
@@ -4,6 +4,7 @@
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
     ./nginx.nix
+    ./wireguard.nix
   ];
 
   boot = {

diff --git a/systems/alligator/nginx.nix b/systems/alligator/nginx.nix
@@ -1,5 +1,8 @@
 { config, pkgs, ... }:
 
+let
+  vars = import ../../vars;
+in
 {
   networking.firewall = {
     allowedTCPPorts = [ 80 443 ];
@@ -8,11 +11,17 @@
 
   security.acme = {
     acceptTerms = true;
-    defaults.email = "adrien1975" + "@" + "live.fr";
+    defaults.email = "adrien1975" + "@" + "live.fr"; # TODO: Change
     certs."pxe.alligator.litarvan.dev" = {
       keyType = "rsa2048"; # iPXE does not support EC*
       extraLegoRunFlags = [ "--preferred-chain" "ISRG Root X1" ]; # iPXE is missing some root certificates
     };
+    certs."litarvan.dev" = {
+      domain = "*.litarvan.dev";
+      dnsProvider = "netlify";
+      credentialsFile = "/var/lib/acme/netlify.env";
+      group = "nginx";
+    };
   };
 
   services.nginx = {
@@ -71,6 +80,12 @@
     in
     {
       "pxe.alligator.litarvan.dev" = folder "/var/www/pxe";
+
+      # This is in HTTP, but will still be encrypted through Wireguard, TODO: try using HTTPS though?
+      "*.litarvan.dev" = (proxy "http://${vars.wireguard.peers.leviathan-alpha.ips.v4}") // {
+        enableACME = false;
+        useACMEHost = "litarvan.dev";
+      };
     };
   };
 }
diff --git a/systems/alligator/wireguard.nix b/systems/alligator/wireguard.nix
@@ -0,0 +1,47 @@
+{ pkgs, ... }:
+
+let
+  vars = import ../../vars;
+in
+{
+  networking = {
+    nat = {
+      enable = true;
+      enableIPv6 = true;
+
+      externalInterface = "enp0s6";
+      internalInterfaces = [ vars.wireguard.interface ];
+    };
+
+    firewall.allowedUDPPorts = [ vars.wireguard.port ];
+
+    wg-quick.interfaces.${vars.wireguard.interface} = {
+      address = builtins.attrValues vars.wireguard.peers.alligator.ips;
+      listenPort = vars.wireguard.port;
+      mtu = 1420; # By adding this, I go from 0.5MB/s to 900MB/s :)
+
+      privateKeyFile = "/var/lib/wireguard/private-key";
+
+      postUp = ''
+        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${vars.wireguard.peers.alligator.ips.v4} -o eth0 -j MASQUERADE
+        ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${vars.wireguard.peers.alligator.ips.v6} -o eth0 -j MASQUERADE
+      '';
+      preDown = ''
+        ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${vars.wireguard.peers.alligator.ips.v4} -o eth0 -j MASQUERADE
+        ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${vars.wireguard.peers.alligator.ips.v6} -o eth0 -j MASQUERADE
+      '';
+
+      peers = [
+        # Leviathan alpha
+        {
+          publicKey = vars.wireguard.peers.leviathan-alpha.publicKey;
+          allowedIPs = builtins.attrValues vars.wireguard.peers.leviathan-alpha.ips;
+        }
+      ];
+    };
+  };
+}
diff --git a/systems/alpha.nix b/systems/alpha.nix
@@ -1,5 +1,9 @@
 { lib, pkgs, ... }:
 
+let
+  alligatorHost = "alligator.litarvan.dev";
+  vars = import ../vars;
+in
 {
   boot = {
     initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "sd_mod" ];
@@ -16,14 +20,51 @@
   networking = {
     hostName = "leviathan-alpha";
     interfaces.eth0.useDHCP = true;
+
+    wg-quick.interfaces.${vars.wireguard.interface} = {
+      address = builtins.attrValues vars.wireguard.peers.leviathan-alpha.ips;
+      privateKeyFile = "/data/usb1/secrets/wireguard-private-key";
+
+      # When using privateKeyFile, the private-key is set in the postUp hook.
+      # But the PersistentKeepAlive parameter is then "reset", so we must apply it again.
+      postUp = ''
+        wg set ${vars.wireguard.interface} peer ${vars.wireguard.peers.alligator.publicKey} persistent-keepalive 25
+      '';
+
+      peers = [
+        # Alligator
+        {
+          endpoint = "${alligatorHost}:${vars.wireguard.port}";
+          publicKey = vars.wireguard.peers.alligator.publicKey;
+          allowedIPs = [ "0.0.0.0/0" "::/0" ];
+        }
+      ];
+    };
+  };
+
+  services = {
+    xserver.videoDrivers = [ "nvidia" ];
+    rke2 = {
+      enable = true;
+      bootstrapManifests = [
+        {
+          path = "/data/usb1/secrets/*";
+        }
+        {
+          type = "kustomization";
+          path = "github.com/Litarvan/leviathan/k8s/bootstrap";
+        }
+      ];
+    };
   };
 
-  services.xserver.videoDrivers = [ "nvidia" ];
-  hardware.opengl = {
-    enable = true;
-    driSupport32Bit = true;
+  hardware = {
+    opengl = {
+      enable = true;
+      driSupport32Bit = true;
+    };
+    nvidia.modesetting.enable = true;
   };
-  hardware.nvidia.modesetting.enable = true;
 
   nix.settings.max-jobs = lib.mkDefault 4;
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
@@ -44,18 +85,4 @@
       fsType = "vfat";
     };
   };
-
-  # environment.systemPackages = with pkgs; [ rke2 ];
-  services.rke2 = {
-    enable = true;
-    bootstrapManifests = [
-      {
-        path = "/data/usb1/secrets/*";
-      }
-      {
-        type = "kustomization";
-        path = "github.com/Litarvan/leviathan/k8s/bootstrap";
-      }
-    ];
-  };
 }
diff --git a/vars/default.nix b/vars/default.nix
@@ -0,0 +1,23 @@
+{
+  wireguard = {
+    interface = "alligator-guard";
+    port = "18635";
+
+    peers = {
+      alligator = {
+        ips = {
+          v4 = "10.0.1.1/24";
+          v6 = "fc00::1/64";
+        };
+        publicKey = "PGjLkVH2Fvrgqhnk0PoU8dRmExRdiQFPt0PbGvTlTWw=";
+      };
+      leviathan-alpha = {
+        ips = {
+          v4 = "10.0.1.2/32";
+          v6 = "fc00::2/128";
+        };
+        publicKey = "G0GWFJQ7Hwet89jMX5zzXSovM0vYZFaLC0t3Tau3Qn4=";
+      };
+    };
+  };
+}