add ipv6 support, net module and wireguard vpn

2025-01-25 00:10:50 -06:00 · 2025-01-25 00:10:50 -06:00 · 4a7bda944f
commit 4a7bda944f
parent 63a190bc7c
5 changed files with 328 additions and 4 deletions
--- a/sys/platforms/vps/default.nix
+++ b/sys/platforms/vps/default.nix
@ -13,6 +13,7 @@ with lib; {
    flakes.impermanence.nixosModule
    ./hardware-configuration.nix
    ./srv
+    ./networkMap.nix
  ];

  local.sys = {
@ -50,9 +51,67 @@ with lib; {
    };
  };

-  systemd.extraConfig = ''
-    DefaultTimeoutStartSec=900s
-  '';
+  networking.firewall.allowedUDPPorts = [51820]; #TODO
+
+  systemd = {
+    extraConfig = ''
+      DefaultTimeoutStartSec=900s
+    '';
+
+    network = let
+      inherit (config.local.sys) nets;
+    in {
+      enable = true;
+
+      netdevs = {
+        wg-vpn = {
+          netdevConfig = {
+            Name = "wg-vpn";
+            Kind = "wireguard";
+          };
+
+          wireguardConfig = {
+            PrivateKeyFile = "/var/trust/wg/vpn/key.priv";
+            ListenPort = "51820";
+          };
+
+          wireguardPeers = [
+            {
+              PublicKey = "wwUp3Uu/rSxbp+6J745O+cpnZHGWOJYWfWEsTjRE3yU=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-posixlycorrect.psk";
+              AllowedIPs = ["${nets.vpn-posixlycorrect.v6.cidr}"];
+            }
+            {
+              PublicKey = "YFqg/ED26KygSRSmGzvUXpwnXPqMOI3R3caVfAtHVks=";
+              PresharedKeyFile = "/var/trust/wg/vpn/vps-pixel8.psk";
+              AllowedIPs = ["${nets.vpn-pixel8.v6.cidr}"];
+            }
+          ];
+        };
+      };
+
+      networks = {
+        wg-vpn = {
+          name = "wg-vpn";
+
+          networkConfig = {
+            Address = [
+              nets.vpn-vps.hosts.vps.v6.cidr
+            ];
+          };
+
+          routes = [
+            {
+              Destination = nets.vpn.v6.cidr;
+            }
+            {
+              Source = nets.vpn.v6.cidr;
+            }
+          ];
+        };
+      };
+    };
+  };

  time.timeZone = "Europe/Amsterdam";
 }
--- a/sys/platforms/vps/networkMap.nix
+++ b/sys/platforms/vps/networkMap.nix
@ -0,0 +1,78 @@
+{
+  config,
+  pkgs,
+  lib,
+  flakes,
+  ...
+}:
+with lib; {
+  local.sys.nets = {
+    default = {
+      v4 = {
+        bits = 32;
+        prefix = "37.205.12.34";
+      };
+
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:fe:102";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+        vps.v4.suffix = "";
+      };
+    };
+
+    vpn = {
+      v6 = {
+        bits = 48;
+        prefix = "2a03:3b40:2b";
+      };
+    };
+
+    vpn-vps = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1000";
+      };
+
+      hosts = {
+        vps.v6.suffix = "1";
+      };
+    };
+
+    vpn-posixlycorrect = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1001";
+      };
+
+      hosts = {
+        posixlycorrect.v6.suffix = "1";
+      };
+    };
+
+    vpn-pixel8 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1002";
+      };
+
+      hosts = {
+        pixel8.v6.suffix = "1";
+      };
+    };
+
+    vpn-t14 = {
+      v6 = {
+        bits = 64;
+        prefix = "2a03:3b40:2b:1003";
+      };
+
+      hosts = {
+        t14.v6.suffix = "1";
+      };
+    };
+  };
+}
--- a/sys/platforms/vps/srv/net.nix
+++ b/sys/platforms/vps/srv/net.nix
@ -5,7 +5,7 @@
 }:
 with lib; {
  networking = {
-    nftables.enable = true;
+    nftables.enable = false; # learn how to use this later
    firewall = {
      enable = true;
      allowedTCPPorts = [80 443];