[malobeo/vpn] use wg-quick instead wireguard

this is compatible with systemd network (also in the future)
[modules] fix microvm.host 'leak'
2024-12-19 15:23:46 +01:00 · 2024-12-19 15:21:58 +01:00
5 changed files with 36 additions and 32 deletions
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -137,7 +137,7 @@ in
    specialArgs.inputs = inputs;
    specialArgs.self = self;
    modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [
-      self.nixosModules.malobeo
+      self.nixosModules.malobeo.vpn
      ./vpn/configuration.nix
    ];
  };
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -2,7 +2,7 @@
  "vpn" = {
    role = "server";
    publicIp = "5.9.153.217";
-    ips = [ "10.100.0.1/24" ];
+    address = [ "10.100.0.1/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    listenPort = 51821;
    publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -10,15 +10,15 @@
  "fanny" = {
    role = "client";
-    ips = [ "10.100.0.2/24" ];
+    address = [ "10.100.0.2/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
-    publicKey = "";
+    publicKey = "hF8H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
  };
  "test" = {
    role = "client";
-    ips = [ "10.100.0.3/24" ];
+    address = [ "10.100.0.3/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
-    publicKey = "";
+    publicKey = "hF7H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
  };
 }
--- a/machines/modules/malobeo/wireguard.nix
+++ b/machines/modules/malobeo/wireguard.nix
@@ -16,7 +16,7 @@ let
  ) peerList;
  filteredPeerlist = map (host: builtins.removeAttrs host [ 
    "role" 
-    "ips" 
+    "address" 
    "listenPort" 
    "publicIp" 
  ] ) peerListWithEndpoint;
@@ -38,7 +38,7 @@ in
        '';
      };
-      privateKey = mkOption {
+      privateKeyFile = mkOption {
        default = "";
        type = types.str;
        description = ''
@@ -48,43 +48,44 @@ in
    };
  };
  imports = [
    inputs.microvm.nixosModules.host
  ];
  config = mkIf cfg.enable { 
    assertions = [
-      #{
+      {
-      #  assertion = !(myPeer != "client" && cfg.role != "server");
+        assertion = !(myPeer.role != "client" && myPeer.role != "server");
-      #  message = ''
+        message = ''
-      #    VPN Role must be either client or server, nothing else!
+          VPN Role must be either client or server, nothing else!
-      #  '';
+        '';
-      #}
+      }
    ];
-    networking.wireguard = {
+    networking.wg-quick = {
      enable = true;
      interfaces = {
        malovpn = {
-          ips = myPeer.ips;
+          address = myPeer.address;
          listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
-          postSetup = mkIf (myPeer.role == "server") ''
+          postUp = mkIf (myPeer.role == "server") ''
-            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
          '';
          # This undoes the above command
-          postShutdown = mkIf (myPeer.role == "server") ''
+          postDown = mkIf (myPeer.role == "server") ''
-            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
          '';
-          privateKey = cfg.privateKey;
+          privateKeyFile = cfg.privateKeyFile;
          peers = filteredPeerlist;
        };
      };
    };
    #networking.nat = mkIf (myPeer.role == "server"){
    #  enable = true;
    #  internalInterfaces = [ "microvm" ];
    #  externalInterface = "eth0"; #change to your interface name
    #};
  };
 }
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
@@ -21,7 +21,7 @@ with lib;
  services.malobeo.vpn = {
    enable = true;
    name = "vpn";
-    privateKey = config.sops.secrets.wg_private.path;
+    privateKeyFile = config.sops.secrets.wg_private.path;
  };
  system.stateVersion = "22.11"; # Did you read the comment?
--- a/outputs.nix
+++ b/outputs.nix
@@ -112,11 +112,14 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
      self = self;
    });
-    nixosModules.malobeo.imports = [
+    nixosModules.malobeo = {
-      ./machines/durruti/host_config.nix
+      imports = [
-      ./machines/modules/malobeo/microvm_host.nix
+        ./machines/durruti/host_config.nix
-      ./machines/modules/malobeo/wireguard.nix
+      ];
-    ];
+
      microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
      vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
    };
    hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
      let
Author	SHA1	Message	Date
kalipso	0d6df1d0ce	[malobeo/vpn] use wg-quick instead wireguard All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 9m22s Details this is compatible with systemd network (also in the future)	2024-12-19 15:23:46 +01:00
kalipso	6e4e35fcdf	[modules] fix microvm.host 'leak' including the malobeo module caused microvm to include microvm.host which caused super annoying trouble and 2 days of debugging because microvm.host.enable defaults to true...	2024-12-19 15:21:58 +01:00