From 7c3729693f1461547f6ccb80254f67aa94ca5759 Mon Sep 17 00:00:00 2001
From: Stefan Ellmauthaler
Date: Tue, 19 Jul 2022 14:07:07 +0200
Subject: [PATCH] Add network functionality
- added network manager sops module
- added wireguard skelleton (wip)
---
.sops.yaml | 8 ++-
common/wireguard.nix | 15 ++++++
flake.nix | 1 +
machines/metis/default.nix | 5 +-
modules/graphical.nix | 2 +-
modules/network-manager/default.nix | 27 ++++++++++
modules/server/default.nix | 2 +-
modules/wireguard.nix | 82 +++++++++++++++++++++++++++--
secrets/networks.yaml | 74 ++++++++++++++++++++++++++
9 files changed, 208 insertions(+), 8 deletions(-)
create mode 100644 common/wireguard.nix
create mode 100644 modules/network-manager/default.nix
create mode 100644 secrets/networks.yaml
diff --git a/.sops.yaml b/.sops.yaml
index dfef99e..8dd9b60 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,14 +9,18 @@ creation_rules:
 - *stefan_ellmauthaler
 - *stel-xps
 - *nucturne
+ - path_regex: secrets/networks\.yaml
+ key_groups:
+ - pgp:
+ - *stefan_ellmauthaler
+ - *stel-xps
+ - *nucturne
 - path_regex: secrets/server\.yaml
 key_groups:
 - pgp:
 - *stefan_ellmauthaler
 - *nucturne
-
 - path_regex: machines/metis/secrets/[^/]+\.yaml
 key_groups:
 - pgp:
 - *stefan_ellmauthaler
-
diff --git a/common/wireguard.nix b/common/wireguard.nix
new file mode 100644
index 0000000..e7609bf
--- /dev/null
+++ b/common/wireguard.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, lib, ... }:
+with lib; {
+ config.elss.wireguard.interfaces = {
+ sellnet = {
+ # cough @ name
+ servers = {
+ metis = {
+ localIP = "1";
+ publicKey = "bla";
+ };
+ };
+ peers = { };
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index 9044cde..96fafbe 100644
--- a/flake.nix
+++ b/flake.nix
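Review bot: `publicKey = "bla";` under `servers.metis` names an option that modules/wireguard.nix in this same commit declares as `publickey` (lowercase k), so once a host evaluates `elss.wireguard.interfaces` (metis now sets `wireguard.enable = true`) the module system should reject it as an undeclared option. The declarations in modules/wireguard.nix are themselves inconsistent, `localIP` in `servers` but `localIp` in `peers`; picking one spelling there, e.g. `localIp`/`publicKey` in both submodules, and using it here resolves both. This file is added to the module list for every host in flake.nix, so the failure would not be limited to metis if the interfaces are ever read outside `mkIf cfg.wireguard.enable`. `localIP = "1"` and `"bla"` are clearly WIP placeholders; a `# TODO: real address and key` marker next to them would make that explicit.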
@@ -102,6 +102,7 @@ inputs.sops-nix.nixosModules.sops inputs.dwarffs.nixosModules.dwarffs inputs.simple-nixos-mailserver.nixosModules.mailserver + ./common/wireguard.nix ] ++ (map (name: ./modules + "/${name}") (moduleNames ./modules)); specialArgs = { nixos-hardware = inputs.nixos-hardware.nixosModules; diff --git a/machines/metis/default.nix b/machines/metis/default.nix index 784f49f..616f5e8 100644 --- a/machines/metis/default.nix +++ b/machines/metis/default.nix @@ -35,9 +35,12 @@ # enable server services server = { enable = true; - nextcloud.enable = true; + smailserver.enable = false; acme.staging = true; }; + + # enable wireguard + wireguard.enable = true; # user setup diff --git a/modules/graphical.nix b/modules/graphical.nix index 2d0b1d9..3ed8269 100644 --- a/modules/graphical.nix +++ b/modules/graphical.nix @@ -25,7 +25,7 @@ with lib; { in mkIf cfg.enable { elss.users.x11.enable = true; - networking.networkmanager.enable = true; + elss.networking.useNetworkManager = true; services = { xserver = { diff --git a/modules/network-manager/default.nix b/modules/network-manager/default.nix new file mode 100644 index 0000000..b4092a4 --- /dev/null +++ b/modules/network-manager/default.nix @@ -0,0 +1,27 @@ +{ config, pkgs, lib, ...}: +with lib; { + options.elss.networking.useNetworkManager = mkEnableOption "enable networkmanager"; + + config = + let + connections = [ + # "tartaros" + # "eduroam" + ]; + + mkSopsSecrets = connection: { + "${connection}" = { + sopsFile = ../../secrets/networks.yaml; + path = "/run/NetworkManager/system-connections/${connection}.nmconnection"; + }; + }; + in + mkIf config.elss.networking.useNetworkManager { + networking.networkmanager = { + enable = true; + }; + + sops.secrets = mkMerge (map mkSopsSecrets connections); + }; +} + diff --git a/modules/server/default.nix b/modules/server/default.nix index a291717..dab6fb4 100644 --- a/modules/server/default.nix +++ b/modules/server/default.nix 
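Review bot: `- nextcloud.enable = true;` / `+ smailserver.enable = false;` silently turns nextcloud off on metis, which the commit message ("Add network functionality") does not mention, and `smailserver.enable = false` is already the `mkEnableOption` default, so the added line changes nothing. If disabling nextcloud is intended, say so in the message; otherwise keep `nextcloud.enable = true;`. `wireguard.enable = true;` makes modules/wireguard.nix declare a sops secret from `machines/metis/secrets/wireguard.yaml`, a file this commit does not add; presumably it already exists, but that is worth confirming before the next deploy. The enclosing attribute set continues outside the hunk.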
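Review bot: `mkEnableOption "enable networkmanager"` renders as "Whether to enable enable networkmanager." because mkEnableOption prepends "Whether to enable "; `mkEnableOption "NetworkManager"` reads correctly. Each secret is written straight to `/run/NetworkManager/system-connections/<name>.nmconnection`, but nothing tells NetworkManager to re-read that directory after sops-nix (re)creates the file on activation; sops-nix's per-secret `reloadUnits`/`restartUnits`, e.g. `reloadUnits = [ "NetworkManager.service" ];`, would cover that, assuming NM's reload picks up the runtime connection directory, which is worth confirming. `pkgs` in the module arguments is unused. With both entries of `connections` commented out the module currently installs no secrets at all, so the sops wiring is untested until one is enabled.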
@@ -2,7 +2,7 @@ with lib; { options.elss.server.enable = mkEnableOption "Enable Mail, Web, and DB"; options.elss.server.nginx.enable = mkEnableOption "Set up nginx"; - options.elss.server.sql.enable = mkEnableOption "Set up sql (mariadb)"; + options.elss.server.sql.enable = mkEnableOption "Set up sql (postresql)"; options.elss.server.nextcloud.enable = mkEnableOption "Set up nextcloud"; options.elss.server.smailserver.enable = mkEnableOption "Set up simple mail server"; diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 12b62d8..bad1a36 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix 
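Review bot: The new description string has a typo, `"Set up sql (postresql)"` should read `"Set up sql (postgresql)"`. Option descriptions end up in generated documentation, so the misspelling is user-visible. The surrounding attribute set continues outside the hunk.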
@@ -2,14 +2,90 @@ with lib; { options.elss.wireguard = { enable = mkEnableOption "Setup wireguard"; + interfaces = mkOption { + default = { }; + type = types.attrsOf + (types.submodule { + options = { + servers = mkOption { + type = types.attrsOf (types.submodule { + options = { + localIP = mkOption { + type = types.str; + description = "local IP for the interface"; + }; + port = mkOption { + type = types.port; + description = "Port to use"; + default = 51820; + }; + publickey = mkOption { + type = types.str; + description = "Wireguard public key for the server"; + }; + }; + }); + }; + + peers = mkOption { + type = types.attrsOf (types.submodule { + options = { + localIp = mkOption { + type = types.str; + description = "local IP for the peer"; + }; + publickey = mkOption { + type = types.str; + description = "Wireguard public key for the peer"; + }; + + setup = mkOption { + type = types.enum [ + "none" + "key" + "wg" + "nm" + ]; + description = "How to setup this peer. none does nothing, key only exports the secret, wg sets up wireguard for local cloud and nm adds a tunnel option"; + }; + }; + }); + }; + + prefix = { + ipv4 = mkOption { + type = types.str; + description = "IPv4 prefix for wireguard address room"; + }; + }; + }; + }); + }; }; config = let cfg = config.elss; - hostname = cfg.hostName; + hostName = config.system.name; secrets = ../machines - + builtins.toPath "/${hostName}/secrets/wireguard.yaml"; + + builtins.toPath "/${hostName}/secrets/wireguard.yaml"; + mkRemoveEmpty = lib.filter (interface: interface != ""); + mkInterfaces = input: mkRemoveEmpty + ((expr: + lib.mapAttrsToList + (interface: value: if (expr interface value) then interface else "") + cfg.wireguard.interfaces) + input); + mkPeerInterface = mkInterfaces (interface: value: builtins.hasAttr hostName value.peers); + mkServInterface = mkInterfaces (interface: value: builtins.hasAttr hostName value.servers); + interfaces = mkServInterface ++ mkPeerInterface; + + mkInterfacename = 
interface: "wg-${interface}"; + mkInterfaceSops = interface: { + "wireguard-${interface}" = { sopsFile = secrets; }; + }; in - mkIf cfg.wireguard.enable { }; + mkIf cfg.wireguard.enable { + sops.secrets = lib.mkMerge (map mkInterfaceSops interfaces); + }; } diff --git a/secrets/networks.yaml b/secrets/networks.yaml new file mode 100644 index 0000000..01038ee --- /dev/null +++ b/secrets/networks.yaml 
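Review bot: `mkInterfacename = interface: "wg-${interface}";` is bound but never used in the hunk, and the `mkRemoveEmpty`/`mkInterfaces` pair reimplements attribute filtering by mapping non-matches to `""` and filtering them out again; `mkInterfaces = pred: lib.attrNames (lib.filterAttrs pred cfg.wireguard.interfaces);` does the same in one line, and the existing `mkPeerInterface`/`mkServInterface` lambdas already have the `name: value:` shape `filterAttrs` expects. `interfaces = mkServInterface ++ mkPeerInterface;` lists an interface twice when the host is both a server and a peer of it, so wrapping it in `lib.unique` avoids duplicate `wireguard-<interface>` secret definitions. The option names inside the new declarations are inconsistent (`localIP` vs `localIp`, `publickey` vs the camelCase used elsewhere, and common/wireguard.nix in this commit writes `publicKey`), and `setup` and `prefix.ipv4` have no defaults, so any interface that omits them fails as soon as those options are read. The `setup` description would also benefit from saying what "sets up wireguard for local cloud" means for the "wg" value.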
@@ -0,0 +1,74 @@ +test: ENC[AES256_GCM,data:fQRavA/TeWqaDijLXv/YnOcu/UGwYSs+oNEzZnUn8w==,iv:6FnmmdSSpI2aOh7sj8z8q6Oje0FZI9qYVzrR+wbSUcw=,tag:dTsWAAdLc6YnznQBhcD0/w==,type:str] +tartaros: ENC[AES256_GCM,data:cOVJ9w==,iv:u2YZ7T1l9HzZvDvI6P3+K1EoUmHovBzuzHipAn5CFH8=,tag:WtrbBLWbaSMnu9Dewns+Cw==,type:str] +eduroam: ENC[AES256_GCM,data:OnicOA==,iv:Pob0QSsXMiQ10sJo7V6AbAW29Xl9EG9lNiCS0mQ7Zik=,tag:CbkTJFsFikhTGP+IuBjgUw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-07-19T10:29:10Z" + mac: ENC[AES256_GCM,data:/lUc2tnmIpLvjBjABvSdwjxZWmu2FRY5Uf16eOEnMD0za06gMys48VejlqHuuO8YSAuCahpp+lj5/Vnzah7k+m7kUExrGHvLHCDLGh2w0cHqCGkx3+M0S7Xm9sP2KFZoSrB2EJ1EJFpfRa7VZhV/LGUk+e5V4pzf4VvWEqn6YRY=,iv:fzJ5CoOyUI+q+N7w1yBgM2Ye9Jh1YDYasYT+LvozkHY=,tag:pJiXiu15gcZgM7SsPrTZvA==,type:str] + pgp: + - created_at: "2022-07-19T10:12:50Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzhsLR+kpSPjARAAikLYpsLF6GZsqOjL9ycfuClIGMazi94n+RAJmzeM22Xx + rKdkddVysoi4a8Ksh/4VbJTI78yLJccNfsU/8acbCvEkCZZQtToHxGj/lS2/OFrx + TJqATUTENfcaRqFrPOfmVzmSNhfL2W/v7v1g0umi8gdVXCzGY1gj2Qsj7kHkWGOB + UdN8DVonMtSVaAlUGmKizzPLglnlrVfmTfxw5KXxKUwSb3LKGdT5f83X0FIWLNV6 + 4LMExTf0WvXnw5DvuAlWmGjI8sm/pmp/QSpWRLTbermgTgeKn6aNdNtHRTZC0Zl5 + 3hjjNrnT8UbiUznHz3EoJIPPWctH4H5TnKLGaWHKZwd0C5kPIgg2iC615M2FBgtU + 4Ap2URnK6QwVMqQXO4wsAAksoqLJ0NtVGfA9H7AZDQpu8RR0D1L4yBotgDCjzAIU + J32y/twMt4Yo1xzgeBz2PQKCv/rp70EvQnVW66IChNyaAu57eRW0THJr+GC94+po + 9a7HkfktUb3UGjEXqDG8bBKABYWXx2GYg3uCPSLvmmLTqoYcN8HwGp1HX2pp/qez + 5pezOf4wzLVvnjUvlyWEIwrlc2xh+QHZGRCEgALb4hw0s2uxVxdGHtgdm+fPPJdF + 96UL16i86+0TEwvDpfEhSHBhdJREiNtKpnfRkJz/5df8lNiDwjVpuHKOuGUTSQnS + XgGjNGAouXnM+diVgGdaOkUGQU2cFFKDwWxd7wvyVDO5foi6eEhs31AoEyRhAi2x + ARBCJ5T9n8i+/uxIHO9Q37vl/4pyTZQkGbyS1jHMpWLG+XzubRSHKtGGYt8CrF4= + =25Yf + -----END PGP MESSAGE----- + fp: 3B398B086C410264A14FB353B1E6F03030A4AEAA + - created_at: "2022-07-19T10:12:50Z" + enc: | + -----BEGIN PGP MESSAGE----- + + 
hQIMA1NKtoXYguTKAQ/9H51xlmZ69anfiiqUcfYJDKgdXPCpjQHIF0xNB/GBLSMq + cgCq6ZOZQc65nEVAyNWfWZyuGoibIlh6BFgiA/Sbuo6RViE4TRZ123o7goXeD/IB + QQ/gETZI69KOJKDaVKKF41nitJ05b4jk1r7NAj/o7ALpIirqB3xT67rvpME77cA9 + BqHvhXz0wBp2JYjozTPOBTN6OulK06vzI8m6f68Tnt1i8Qkt/nxyI+6PI+ULJvE1 + kArHzLy0JduzRG5DjG8pZm6WyhwMWaN2qm/WYRFou1QQiuJlZfyGB4o5LfyMgY28 + 0hbbBMvP0Ugoo/ePtNauvrFSoYLZiISyGwk2ONEGj+cN/0Ha7uttSQX0ij3yubR7 + 6HkplkaxstUAlja9jX0aRP8u0XumENBE9FkLIi0gOTMx4RnnGYuTXExkO4C8keWA + ygF+j8o5oqojB9oGRN3Wa8WEb9WZhGTMhRnwnWuqL8JmLIBwEfGgI33oXB5OwNXe + v2ksrOfiHRwJ71QZeyeyMR8pMDDfTIujEjMpLxRWwkmq923GXON30jYBst7gX918 + 666ru61jBIq8tyNcpJmcFwak7pAzycG7dRzbNrLM7FQ+n6rSRSsSgWPzfo/PD31A + FByTyhDcMGwz/5c8uwFfnaYLS+MzaZu2H4eU2M2/0j6d5dxcx0+CxirNwD6sRinS + WAGikPnxIkIFHT9+BgoI7ctDdc1U2NABes8CyCOVhSPYSelbm9CaD/cu4H48QNVA + GFHxe4sXb43YIKlrUHKQmAju4CtN5EmFT+/I7m3P/6KFWURRTliWYCg= + =NaZS + -----END PGP MESSAGE----- + fp: e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca + - created_at: "2022-07-19T10:12:50Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8COMi97/ZKxAQ//ZPIPKWnTlThJG64iryrjc7/mWmH5W5TSr6w5Ar+eiy5Q + ZjQ9l1jM9UAayHHkag5gjYbkYdePmBpZarpEzgSuIXWOOjeexh4YUGv0WDgi5v2d + wrNzjh16EK4Vl8KiVLmKUodKIHbvpGeBgHsoYDRXo1NmCYN9z3xtRsIbRqPfAkgN + 6X0Yz6rtEWM6t1SBQSPQzB3VzFUMFEJWnI6no5U+nbrHDAxowCxShZfqgtamEIom + QDsSU7L4NE6Kw6Fp7PcWskn5fcoyyX22g9jVlDPltkIS/HpQ4ur3qk8JBXggXZwv + mXVENZSWK3VeWqceOtryycczg/wCJ+7cIVX/M/jAZpVou6smjUy7ALoXWXYFPEl6 + QKyz3jCIWxSEwqH82hnpVePW9fArVmXMsBEUuXepH3wR437ixy6Ry1/VJrCipbqK + xeFLUFNEyRh91f/15SK8D4vEFhCWT7qHw1iB8pxF4R17DCHiXYM4uR6AZsIYTz6R + u/sKP+P5wR3Rzm3uRvdz7Po+nqjaR/7U3+rJ9Rvx912Nhyhd/P/s6rEz93ABI2CT + JSVdqtKICPc3aP+W1N+RoPDjX0FcVstea4Rz/F4DakL4rMlVecj9KLdpHUKpSa8m + S/tTGzqUSSFVWUYpuYzw4X0BmXQZXQqcAZ2faupdzlKNHbtBBy522DYPr+K7KxnS + WAFpt5Q8S9sM+LvTzBFQmv5JeZEqKBykofrGOmGv/TC911KQrBXxumCyo1A6KdYq + JStGyTNHnwNDLckx+bC57ztfKrlwMwYygoIuIc1Kk0AvTsip3REquJ8= + =3sPu + -----END PGP MESSAGE----- + fp: 9b6a58764eddd81d07180d6dc08e322f7bfd92b1 + unencrypted_suffix: 
_unencrypted + version: 3.7.3