[malobeo/vpn] use wg-quick instead wireguard

this is compatible with systemd network (also in the future)
[modules] fix microvm.host 'leak'
2024-12-19 15:23:46 +01:00 · 2024-12-19 15:21:58 +01:00
5 changed files with 36 additions and 32 deletions
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -137,7 +137,7 @@ in
    specialArgs.inputs = inputs;
    specialArgs.self = self;
    modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [
-      self.nixosModules.malobeo
+      self.nixosModules.malobeo.vpn
      ./vpn/configuration.nix
    ];
  };
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -2,7 +2,7 @@
  "vpn" = {
    role = "server";
    publicIp = "5.9.153.217";
-    ips = [ "10.100.0.1/24" ];
+    address = [ "10.100.0.1/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    listenPort = 51821;
    publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -10,15 +10,15 @@

  "fanny" = {
    role = "client";
-    ips = [ "10.100.0.2/24" ];
+    address = [ "10.100.0.2/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
-    publicKey = "";
+    publicKey = "hF8H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
  };

  "test" = {
    role = "client";
-    ips = [ "10.100.0.3/24" ];
+    address = [ "10.100.0.3/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
-    publicKey = "";
+    publicKey = "hF7H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
  };
 }
--- a/machines/modules/malobeo/wireguard.nix
+++ b/machines/modules/malobeo/wireguard.nix
@@ -16,7 +16,7 @@ let
  ) peerList;
  filteredPeerlist = map (host: builtins.removeAttrs host [ 
    "role" 
-    "ips" 
+    "address" 
    "listenPort" 
    "publicIp" 
  ] ) peerListWithEndpoint;
@@ -38,7 +38,7 @@ in
        '';
      };

-      privateKey = mkOption {
+      privateKeyFile = mkOption {
        default = "";
        type = types.str;
        description = ''
@@ -48,43 +48,44 @@ in
    };
  };

-  imports = [
-    inputs.microvm.nixosModules.host
-  ];
-
  config = mkIf cfg.enable { 
    assertions = [
-      #{
-      #  assertion = !(myPeer != "client" && cfg.role != "server");
-      #  message = ''
-      #    VPN Role must be either client or server, nothing else!
-      #  '';
-      #}
+      {
+        assertion = !(myPeer.role != "client" && myPeer.role != "server");
+        message = ''
+          VPN Role must be either client or server, nothing else!
+        '';
+      }
    ];

-    networking.wireguard = {
-      enable = true;
+    networking.wg-quick = {
      interfaces = {
        malovpn = {
-          ips = myPeer.ips;
+          address = myPeer.address;
          listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;

          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
-          postSetup = mkIf (myPeer.role == "server") ''
-            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          postUp = mkIf (myPeer.role == "server") ''
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
          '';

          # This undoes the above command
-          postShutdown = mkIf (myPeer.role == "server") ''
-            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          postDown = mkIf (myPeer.role == "server") ''
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
          '';

-          privateKey = cfg.privateKey;
+          privateKeyFile = cfg.privateKeyFile;

          peers = filteredPeerlist;
        };
      };
    };
+
+    #networking.nat = mkIf (myPeer.role == "server"){
+    #  enable = true;
+    #  internalInterfaces = [ "microvm" ];
+    #  externalInterface = "eth0"; #change to your interface name
+    #};
  };
 }
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
@@ -21,7 +21,7 @@ with lib;
  services.malobeo.vpn = {
    enable = true;
    name = "vpn";
-    privateKey = config.sops.secrets.wg_private.path;
+    privateKeyFile = config.sops.secrets.wg_private.path;
  };

  system.stateVersion = "22.11"; # Did you read the comment?
--- a/outputs.nix
+++ b/outputs.nix
@@ -112,11 +112,14 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
      self = self;
    });

-    nixosModules.malobeo.imports = [
-      ./machines/durruti/host_config.nix
-      ./machines/modules/malobeo/microvm_host.nix
-      ./machines/modules/malobeo/wireguard.nix
-    ];
+    nixosModules.malobeo = {
+      imports = [
+        ./machines/durruti/host_config.nix
+      ];
+
+      microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
+      vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
+    };

    hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
      let
Author	SHA1	Message	Date
kalipso	0d6df1d0ce	[malobeo/vpn] use wg-quick instead wireguard All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 9m22s Details this is compatible with systemd network (also in the future)	2024-12-19 15:23:46 +01:00
kalipso	6e4e35fcdf	[modules] fix microvm.host 'leak' including the malobeo module caused microvm to include microvm.host which caused super annoying trouble and 2 days of debugging because microvm.host.enable defaults to true...	2024-12-19 15:21:58 +01:00