From b0aa82e7d0713394de49275cdbd84b169b2c0e52 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Mon, 10 Oct 2022 03:13:16 +0000
Subject: [PATCH] refactor wireguard and add port forwarding

---
 hosts/oracle/default.nix | 35 ++++++++-
 modules/services/transmission.nix | 14 ++--
 modules/services/wireguard.nix | 114 ++++++++++++++----------------
 3 files changed, 95 insertions(+), 68 deletions(-)

diff --git a/hosts/oracle/default.nix b/hosts/oracle/default.nix
index fb22aa8..5b1f3ba 100644
--- a/hosts/oracle/default.nix
+++ b/hosts/oracle/default.nix
@@ -27,15 +27,46 @@ nixpkgs.lib.nixosSystem { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s"; - # Backup config + # Nextcloud backup config backupS3 = { endpoint = "s3.us-west-002.backblazeb2.com"; bucket = "noahmasur-backup"; accessKeyId = "0026b0e73b2e2c80000000004"; }; - # Grant access to Jellyfin directories from nextcloud + # Grant access to Jellyfin directories from Nextcloud users.users.nextcloud.extraGroups = [ "jellyfin" ]; + + # Wireguard config for Transmission + networking.wireguard.interfaces.wg0 = { + + # The local IPs for this machine within the Wireguard network + # Any inbound traffic bound for these IPs should be kept on localhost + ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ]; + + peers = [{ + + # Identity of Wireguard target peer (VPN) + publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY="; + + # The public internet address of the target peer + endpoint = "86.106.143.132:51820"; + + # Which outgoing IP ranges should be sent through Wireguard + allowedIPs = [ "0.0.0.0/0" "::0/0" ]; + + # Send heartbeat signal within the network + persistentKeepalive = 25; + + }]; + + }; + + # VPN port forwarding + services.transmission.settings.peer-port = 57599; + + # Grant access to Transmission directories from Jellyfin + users.users.jellyfin.extraGroups = [ "transmission" ]; } ./hardware-configuration.nix ../common.nix diff --git a/modules/services/transmission.nix b/modules/services/transmission.nix index 2defc89..00bcfec 100644 --- a/modules/services/transmission.nix +++ b/modules/services/transmission.nix @@ -13,7 +13,9 @@ in { }; }; - config = { + config = let + namespace = config.networking.wireguard.interfaces.wg0.interfaceNamespace; + in { # Setup transmission services.transmission = { 
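Review bot: The added `services.transmission.settings.peer-port = 57599;` depends on a port-forwarding assignment made on the VPN provider's side that nothing in the repository records, so the one-line comment `# VPN port forwarding` should state that coupling, e.g. `# Peer port the VPN provider forwards to this peer's Wireguard address; must match the provider-side assignment`. Nothing on this host opens the port, which is presumably fine because the traffic arrives inside the `wg` network namespace where the root-namespace firewall does not apply, but that reasoning is not visible from this file and belongs in the same comment. The `allowedIPs = [ "0.0.0.0/0" "::0/0" ]` default route is likewise only contained because the module sets `interfaceNamespace`; the comment on `ips` ("should be kept on localhost") does not make that clear and could say that the interface lives in the `wg` namespace, so these routes never affect the host's main table.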
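Review bot: The new `namespace` binding reads `config.networking.wireguard.interfaces.wg0.interfaceNamespace`, which I believe defaults to null upstream, so if this module is evaluated on a host without the wireguard module the `"netns@${namespace}.service"` interpolations below fail with a generic string-coercion error rather than a message naming the real problem. An assertion at the top of `config` would make the dependency explicit, e.g. `assertions = [{ assertion = namespace != null; message = "services.transmission requires networking.wireguard.interfaces.wg0.interfaceNamespace"; }];`. The `config` attribute set continues outside this hunk.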
@@ -33,11 +35,11 @@ in { # Bind transmission to wireguard namespace systemd.services.transmission = { - bindsTo = [ "netns@wg.service" ]; + bindsTo = [ "netns@${namespace}.service" ]; requires = [ "network-online.target" ]; after = [ "wireguard-wg0.service" ]; - unitConfig.JoinsNamespaceOf = "netns@wg.service"; - serviceConfig.NetworkNamespacePath = "/var/run/netns/wg"; + unitConfig.JoinsNamespaceOf = "netns@${namespace}.service"; + serviceConfig.NetworkNamespacePath = "/var/run/netns/${namespace}"; }; # Create reverse proxy for web UI @@ -60,8 +62,8 @@ in { }; wantedBy = [ "multi-user.target" ]; script = '' - ${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.iproute2}/bin/ip link set dev lo up - ${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork + ${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.iproute2}/bin/ip link set dev lo up + ${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork ''; }; diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix index 40fb6e7..96bb196 100644 --- a/modules/services/wireguard.nix +++ b/modules/services/wireguard.nix 
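Review bot: The rewritten `bindsTo = [ "netns@${namespace}.service" ]` is not matched by an ordering dependency on the same unit: `after` still lists only `wireguard-wg0.service`, and systemd's BindsTo does not imply After, so transmission is ordered after the namespace only transitively through whatever ordering wireguard-wg0.service carries. I would make it explicit with `after = [ "wireguard-wg0.service" "netns@${namespace}.service" ];`. The interface name `wg0` is also still hard-coded here while the namespace was parameterized; if that is intentional a comment such as `# wg0 is fixed by modules/services/wireguard.nix` would keep the next reader from "fixing" one without the other.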
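Review bot: The rewritten socat line listens with `tcp-listen:9091,fork,reuseaddr` and no `bind=` option, so the Transmission RPC port is reachable on every interface of the root namespace rather than only by the reverse proxy mentioned in the context above; if that proxy runs on this host, `tcp-listen:9091,bind=127.0.0.1,fork,reuseaddr` limits the exposure to loopback and leaves the rest of the line unchanged. The forward target `10.66.13.200:9091` is also still hard-coded here even though this commit moves the wg0 `ips` list into hosts/oracle/default.nix, so the module now silently depends on a host-specific value it no longer owns; deriving the address from `config.networking.wireguard.interfaces.wg0.ips` (stripping the prefix length), or at least a comment `# must match the first address in networking.wireguard.interfaces.wg0.ips`, would keep the two in step. The service definition starts before this hunk.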
@@ -1,77 +1,71 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { -let privateKeyFile = "/private/wireguard/wg0"; + options.networking.wireguard = { -in { + encryptedPrivateKey = lib.mkOption { + type = lib.types.path; + description = "Nix path to age-encrypted client private key"; + default = ../../private/wireguard.age; + }; - networking.wireguard = { - enable = true; - interfaces = { - wg0 = { + }; - # The local IPs for this machine within the Wireguard network - # Any inbound traffic bound for these IPs should be kept on localhost - ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ]; + config = { - # Establishes identity of this machine - generatePrivateKeyFile = false; - privateKeyFile = privateKeyFile; + networking.wireguard = { + enable = true; + interfaces = { + wg0 = { - peers = [{ + # Establishes identity of this machine + generatePrivateKeyFile = false; + privateKeyFile = "/private/wireguard/wg0"; - # Identity of Wireguard target peer (VPN) - publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY="; - - # Which outgoing IP ranges should be sent through Wireguard - allowedIPs = [ "0.0.0.0/0" "::0/0" ]; - - # The public internet address of the target peer - endpoint = "86.106.143.132:51820"; - - # Send heartbeat signal within the network - persistentKeepalive = 25; - - }]; - - # Move to network namespace for isolating programs - interfaceNamespace = "wg"; + # Move to network namespace for isolating programs + interfaceNamespace = "wg"; + }; }; }; - }; - # Create namespace for Wireguard - # This allows us to isolate specific programs to Wireguard - systemd.services."netns@" = { - description = "%I network namespace"; - before = [ "network.target" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStart = "${pkgs.iproute2}/bin/ip netns add %I"; - ExecStop = "${pkgs.iproute2}/bin/ip netns del %I"; + # Create namespace for Wireguard + # This allows us to isolate specific programs to Wireguard + 
systemd.services."netns@" = { + description = "%I network namespace"; + before = [ "network.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.iproute2}/bin/ip netns add %I"; + ExecStop = "${pkgs.iproute2}/bin/ip netns del %I"; + }; }; - }; - # Create private key file for wireguard - systemd.services.wireguard-private-key = { - wantedBy = [ "wireguard-wg0.service" ]; - requiredBy = [ "wireguard-wg0.service" ]; - before = [ "wireguard-wg0.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; + # Create private key file for wireguard + systemd.services.wireguard-private-key = { + wantedBy = [ "wireguard-wg0.service" ]; + requiredBy = [ "wireguard-wg0.service" ]; + before = [ "wireguard-wg0.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = let + encryptedPrivateKey = config.networking.wireguard.encryptedPrivateKey; + privateKeyFile = + config.networking.wireguard.interfaces.wg0.privateKeyFile; + in '' + mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile} + if [ ! -f "${privateKeyFile}" ]; then + ${pkgs.age}/bin/age --decrypt \ + --identity ${config.identityFile} \ + --output ${privateKeyFile} \ + ${builtins.toString encryptedPrivateKey} + chmod 0700 ${privateKeyFile} + fi + ''; }; - script = '' - mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile} - if [ ! -f "${privateKeyFile}" ]; then - ${pkgs.age}/bin/age --decrypt \ - --identity ${config.identityFile} \ - --output ${privateKeyFile} \ - ${builtins.toString ../../private/wireguard.age} - chmod 0700 ${privateKeyFile} - fi - ''; + }; }
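Review bot: In the `wireguard-private-key` script, `age --decrypt --output ${privateKeyFile}` creates the key file before the `chmod` runs, so its initial mode is whatever the service's umask gives (with a typical 022 that is briefly world-readable), and `chmod 0700` then sets an execute bit on a data file. Putting `umask 077` as the first line of the script and changing the final line to `chmod 0600 ${privateKeyFile}` closes both; the `--mode 0755` on the parent directory could likewise become 0700 since nothing else visible needs to traverse it. Separately, the new `encryptedPrivateKey` option defaults to a repository path, which in a flake ends up in the world-readable Nix store; that is acceptable only because the file is age-encrypted, and the option description should say so, e.g. `description = "Nix path to the age-encrypted client private key; it is copied to the store, so it must never hold plaintext";`.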