From 648bf43f76100d160fc0933bf851a66e8f2902e6 Mon Sep 17 00:00:00 2001 From: Maxiem Geldhof Date: Mon, 13 Oct 2025 18:56:59 +0200 Subject: [PATCH] Fix selene --- keys/secrets.nix | 2 + keys/wg-macbook | 7 +++ keys/wg-macbook.pub | 1 + keys/wg-selene | 11 ++++ keys/wg-selene.pub | 1 + modules/servermodules/jellyfin/jellyfin.nix | 2 +- modules/servermodules/nginx.nix | 4 +- modules/servermodules/packages.nix | 4 +- .../wireguard/wireguard-server.nix | 58 +++++++++++++++++++ modules/usermodules/darwinsettings.nix | 2 +- systems/macbook/macbook.nix | 3 +- systems/macbook/wireguard.nix | 42 ++++++++++++++ systems/selene/basesettings.nix | 2 +- systems/selene/system.nix | 15 +++-- systems/selene/users.nix | 2 +- 15 files changed, 142 insertions(+), 14 deletions(-) create mode 100644 keys/wg-macbook create mode 100644 keys/wg-macbook.pub create mode 100644 keys/wg-selene create mode 100644 keys/wg-selene.pub create mode 100644 modules/servermodules/wireguard/wireguard-server.nix create mode 100644 systems/macbook/wireguard.nix diff --git a/keys/secrets.nix b/keys/secrets.nix index ad697ad..3434403 100644 --- a/keys/secrets.nix +++ b/keys/secrets.nix @@ -8,4 +8,6 @@ in "google-storage-key".publicKeys = selene; "macbook.priv".publicKeys = macbook ++ master; "master.priv".publicKeys = macbook ++ master; + "wg-selene".publicKeys = macbook ++ selene ++ master; + "wg-macbook".publicKeys = macbook ++ master; } \ No newline at end of file diff --git a/keys/wg-macbook b/keys/wg-macbook new file mode 100644 index 0000000..1342b37 --- /dev/null +++ b/keys/wg-macbook @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 M7OTMg PyrVB10SxQZdhrwusKh+m6944Nj5vqBL6qGum8qK4Qg +huIr2n2ciTqu11o6ApcCoVMstQ9b3XoRfgAtU79wdnY +-> ssh-ed25519 CJLJQg 2O7UQVLdlMJZzt5TOo5EYpfWjKAnNLJ6OQY+xRTp2go +TonYGAfBSeUpSHl+jHSG2qO9kWseAxfog1oWeGFWc5s +--- Hh8KEiQFjdy2xYqcBX4L6XSp4GPpO29tSPrfpnZlv5o +Ó?À¤ÿ‡$‡ÜJΦŸßÑ^¦w’oÌ›Nv’ŠŽÍ*#å4„+=â·Á[ltÒQF™6Õ-Æwiy. Ú¢8¡iýýÒž'.H,a£ \ No newline at end of file 
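Review bot: The added `"wg-selene".publicKeys = macbook ++ selene ++ master;` makes the server-side WireGuard private key decryptable by the macbook's age identity as well, so a compromise of the laptop yields the tunnel keys of both ends rather than just its own. The key is only consumed on selene (the new server module reads it through `config.age.secrets.wg-selene.path`), so `"wg-selene".publicKeys = selene ++ master;` is sufficient for deployment. If the macbook identity is there only so that `agenix -e` can be run from the laptop, that is worth a short comment such as `# macbook: editing only`, since otherwise the extra recipient reads as an oversight.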
diff --git a/keys/wg-macbook.pub b/keys/wg-macbook.pub new file mode 100644 index 0000000..d151aae --- /dev/null +++ b/keys/wg-macbook.pub @@ -0,0 +1 @@ +uFmbvJBptZsrzYDqpZM7SsibELaIRZIT91dr+lg4UTQ= diff --git a/keys/wg-selene b/keys/wg-selene new file mode 100644 index 0000000..908d724 --- /dev/null +++ b/keys/wg-selene @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 M7OTMg rtefZhzmdX3bNzHNy3nkNUUhMkzl5Jhr5aRKQeMxyG0 +j8S1T4ZJ4rPCB1hLYB0XDrQapmDeBaVhHF1egscPMSI +-> ssh-ed25519 gSqcWw zXFb2UGB5MX9l1zRtSXjRvx2jKwzi3xJ6pSheWbcKHE +0sj7aWQEU9anrtn9nNc+GZV/hmZhGhBJiY4z+92QmhE +-> ssh-ed25519 lFtjmQ F1UrJyfMoLe2WQhg2quklc/m0U6fDoHdUHb9fKwbMAk +PqhWK8b8VPvnwYOv6o8ghihW4BY2gyXWjeVoBB3Jq1c +-> ssh-ed25519 CJLJQg NI5inqne74mHhVzieDbwHe2ir7b/5JupVpJ2eHehYHs +nkcF008pNF7+57K4dCQMrayVcUWSFVQ38MwK9JPUZ90 +--- Wo0W41Xg2j6kl6atrzbtE2ogo3mY1+sTqfyvWkUsUeA + ½ÛÓEgf¡G'õÔŽ!;Âú+÷áÿÅçûm솖ã\Aè<ƒc½b_ª?϶«½µÀ›Õ­^Ík×8ŸüÚÿø€´U=tŠ‰Úæ2Kï3 \ No newline at end of file diff --git a/keys/wg-selene.pub b/keys/wg-selene.pub new file mode 100644 index 0000000..aa058e5 --- /dev/null +++ b/keys/wg-selene.pub @@ -0,0 +1 @@ +4N/84YKCDOPpXTkRxBDQOOUzKR2PXOy4/3gJbel1yE4= diff --git a/modules/servermodules/jellyfin/jellyfin.nix b/modules/servermodules/jellyfin/jellyfin.nix index f976393..15baa37 100644 --- a/modules/servermodules/jellyfin/jellyfin.nix +++ b/modules/servermodules/jellyfin/jellyfin.nix @@ -18,7 +18,7 @@ }; age.secrets.jellyfin-key = { - file = ./secrets/jellyfin-key; + file = ../../../keys/jellyfin-key; owner = "jellyfin"; }; diff --git a/modules/servermodules/nginx.nix b/modules/servermodules/nginx.nix index b114fe6..cde8030 100644 --- a/modules/servermodules/nginx.nix +++ b/modules/servermodules/nginx.nix @@ -1,4 +1,4 @@ -{ rootdomain }: +rootdomain: { systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ]; services.nginx.enable = true; 
@@ -71,6 +71,6 @@
   systemd.tmpfiles.rules = [
     # Type Path Mode User Group Age Argument
     "d /logs/nginx 0755 nginx nginx - -"
-  ]
+  ];
 }
diff --git a/modules/servermodules/packages.nix b/modules/servermodules/packages.nix
index 4d3f88c..d15c966 100644
--- a/modules/servermodules/packages.nix
+++ b/modules/servermodules/packages.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
   environment.systemPackages = [
     pkgs.git
@@ -8,7 +8,7 @@
     pkgs.tmux
   ];
   age.secrets.google-storage-key = {
-    file = ./secrets/google-storage-key;
+    file = ../../keys/google-storage-key;
     owner = "root";
   };
   environment.variables.GOOGLE_APPLICATION_CREDENTIALS = config.age.secrets."google-storage-key".path;
diff --git a/modules/servermodules/wireguard/wireguard-server.nix b/modules/servermodules/wireguard/wireguard-server.nix
new file mode 100644
index 0000000..b1e50fc
--- /dev/null
+++ b/modules/servermodules/wireguard/wireguard-server.nix
@@ -0,0 +1,58 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+{
+  # enable NAT
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "eth0";
+  networking.nat.internalInterfaces = [ "wg0" ];
+  networking.firewall = {
+    allowedUDPPorts = [ 51820 ];
+  };
+
+  age.secrets.wg-selene = {
+    file = ../../../keys/wg-selene;
+    owner = "selene";
+  };
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the server's end of the tunnel interface.
+      ips = [ "10.100.0.1/24" ];
+
+      # The port that WireGuard listens to. Must be accessible by the client.
+      listenPort = 51820;
+
+      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+      # postSetup = ''
+      #   ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+      # '';
+
+      # # This undoes the above command
+      # postShutdown = ''
+      #   ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+      # '';
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+
+      privateKeyFile = config.age.secrets.wg-selene.path;
+
+      peers = [
+        # List of allowed peers.
+        { # Feel free to give a meaningful name
+          # Public key of the peer (not a file path).
+          publicKey = (builtins.readFile ../../../keys/wg-macbook.pub);
+          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+          allowedIPs = [ "10.100.0.2/32" ];
+        }
+      ];
+    };
+  };
+}
\ No newline at end of file
diff --git a/modules/usermodules/darwinsettings.nix b/modules/usermodules/darwinsettings.nix
index 31fecd3..253c4e5 100644
--- a/modules/usermodules/darwinsettings.nix
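Review bot: `owner = "selene";` in the `age.secrets.wg-selene` block hands the server's WireGuard private key to a non-root account, while the only consumer is the root-run interface setup via `privateKeyFile = config.age.secrets.wg-selene.path;` — if `selene` is a login account, dropping the `owner` line keeps the file at agenix's default of root-owned, mode 0400, which is the least privilege the tunnel needs. Separately, `publicKey = (builtins.readFile ../../../keys/wg-macbook.pub);` keeps the trailing newline if wg-macbook.pub ends with one (this patch shows no "No newline at end of file" marker for it), and `wg` is likely to reject a 45-character key; `publicKey = lib.fileContents ../../../keys/wg-macbook.pub;` strips it, with `lib` added to the module's argument set. `networking.nat.externalInterface = "eth0";` is hard-coded while this commit also moves selene to aarch64-linux and networking.nix is generated by nixos-infect, so confirm the interface name against the generated file before relying on masquerading.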
+++ b/modules/usermodules/darwinsettings.nix
@@ -2,7 +2,7 @@ self: { pkgs, agenix, ... }: {
   # List packages installed in system profile. To search by name, run:
   # $ nix-env -qaP | grep wget
-  environment.systemPackages = [ pkgs.vim pkgs.vscode pkgs.git pkgs.nixfmt-rfc-style agenix.packages.aarch64-darwin.default pkgs.python3];
+  environment.systemPackages = [ pkgs.vim pkgs.vscode pkgs.git pkgs.nixfmt-rfc-style agenix.packages.aarch64-darwin.default pkgs.python3 pkgs.wireguard-tools];
   # Necessary for using flakes on this system.
   nix.settings.experimental-features = "nix-command flakes";
diff --git a/systems/macbook/macbook.nix b/systems/macbook/macbook.nix
index 97e8b97..308b3ed 100644
--- a/systems/macbook/macbook.nix
+++ b/systems/macbook/macbook.nix
@@ -4,7 +4,8 @@ nix-darwin.lib.darwinSystem {
     { system.primaryUser = "maxiemgeldhof"; }
     (import ../../modules/usermodules/darwinsettings.nix self)
     home-manager.darwinModules.home-manager
-    (import ./users.nix)
+    import ./users.nix
+    ./wireguard.nix
     agenix.darwinModules.default
   ];
diff --git a/systems/macbook/wireguard.nix b/systems/macbook/wireguard.nix
new file mode 100644
index 0000000..0e0139c
--- /dev/null
+++ b/systems/macbook/wireguard.nix
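Review bot: `import ./users.nix` as a bare element of the `modules` list does not apply `import`; inside a Nix list literal whitespace separates elements, so this line contributes the builtin `import` function and the path `./users.nix` as two separate modules, and evaluation will fail when the module system calls `import` with the module arguments instead of a path. The removed `(import ./users.nix)` was correct, and since the module system imports path elements itself the simplest form is `./users.nix`, matching the `./wireguard.nix` line added right beneath it.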
@@ -0,0 +1,42 @@
+{ config, ... }:
+{
+  age.secrets.wg-private.file = "../../keys/wg-macbook";
+  services.wg-quick.interfaces.wg0 = {
+    # Add a name for your interface here, e.g., wg0
+    enable = true;
+    # Path to your WireGuard config file
+    # e.g., /etc/wireguard/wg0.conf
+
+    privateKeyFile = config.age.secrets.wg-private.path;
+
+    # The internal IP address assigned to this client by the server.
+    # The /24 subnet mask is important for knowing the VPN's local network.
+    address = [ "10.100.0.2/32" ];
+
+    # DNS server(s) to use when the tunnel is active.
+    # This is critical for resolving hostnames when all traffic is routed.
+    dns = [
+      "1.1.1.1"
+      "1.0.0.1"
+    ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
+
+    peers = [
+      {
+        # Public key of the SERVER.
+        publicKey = builtins.readFile ../../../keys/wg-selene.pub;
+
+        # The server's public IP address and listening port.
+        endpoint = "37.27.207.39:51820";
+
+        # This is the most important part for a "VPN" setup.
+        # 0.0.0.0/0 tells your Mac to route all IPv4 traffic through the tunnel.
+        # Add "::/0" if your server and network support IPv6.
+        allowedIPs = [ "10.100.0.1/24" ];
+
+        # Optional but highly recommended for clients behind NAT.
+        # It sends a packet every 25 seconds to keep the connection open.
+        persistentKeepalive = 25;
+      }
+    ];
+  };
+}
diff --git a/systems/selene/basesettings.nix b/systems/selene/basesettings.nix
index 6ef1b84..448afa3 100644
--- a/systems/selene/basesettings.nix
+++ b/systems/selene/basesettings.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
   imports = [
-    ./hardware-configuration.nix
+    ./hardware.nix
     ./networking.nix # generated at runtime by nixos-infect
   ];
diff --git a/systems/selene/system.nix b/systems/selene/system.nix
index 5479ef1..e580398 100644
--- a/systems/selene/system.nix
+++ b/systems/selene/system.nix
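Review bot: `age.secrets.wg-private.file = "../../keys/wg-macbook";` is a string, not a path literal, so Nix neither resolves it relative to this file nor copies the encrypted key into the store, and decryption will look for a relative path at activation time — the same mistake this commit fixes in systems/selene/users.nix for pacbook.pub; it should read `file = ../../keys/wg-macbook;`. Further down, `publicKey = builtins.readFile ../../../keys/wg-selene.pub;` goes one level deeper than the `../../keys/` used on the `age.secrets` line of the same file, so from systems/macbook/ it points outside the repository; `publicKey = lib.fileContents ../../keys/wg-selene.pub;` fixes the depth and also drops the trailing newline that `readFile` keeps and that `wg` is likely to reject. The comments around `allowedIPs = [ "10.100.0.1/24" ];` describe a full-tunnel 0.0.0.0/0 setup and a /24 client address, but the configuration routes only the tunnel subnet and assigns `10.100.0.2/32`, so either route `0.0.0.0/0` as the comments say (which is also when the Cloudflare `dns` setting matters) or trim the comments to what is actually configured.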
@@ -1,18 +1,23 @@
 { agenix, jellyfin-exporter, nixpkgs, self, ... }:
+let
+  system = "aarch64-linux";
+in
 nixpkgs.lib.nixosSystem {
-  system = "x86_64-linux";
+  system = system;
   specialArgs = {
     # This selects the package for the current system and passes it
-    exporter-pkg = jellyfin-exporter.packages.${self.system}.default;
+    exporter-pkg = jellyfin-exporter.packages.${system}.default;
+    system = system;
   };
   modules = [
     ./basesettings.nix
     ./users.nix
     ../../modules/servermodules/packages.nix
-    (import ./nginx.nix "maxiemgeldhof.com")
-    ../../modules/servermodules/grafana.nix
-    ../../modules/servermodules/jellyfin.nix
+    (import ../../modules/servermodules/nginx.nix "maxiemgeldhof.com")
+    ../../modules/servermodules/grafana/grafana.nix
+    ../../modules/servermodules/jellyfin/jellyfin.nix
+    ../../modules/servermodules/wireguard/wireguard-server.nix
     ./volumes.nix
     agenix.nixosModules.default
   ];
diff --git a/systems/selene/users.nix b/systems/selene/users.nix
index 1885a32..224c175 100644
--- a/systems/selene/users.nix
+++ b/systems/selene/users.nix
@@ -6,7 +6,7 @@
     openssh.authorizedKeys.keys = [
       (builtins.readFile ../../keys/hetzner.pub)
       (builtins.readFile ../../keys/asus.pub)
-      (builtins.readFile "../../keys/pacbook.pub")
+      (builtins.readFile ../../keys/macbook.pub)
     ];
     extraGroups = [
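Review bot: `system = system;` appears twice in the new code, as the nixosSystem argument and inside `specialArgs`; the idiomatic spelling is `inherit system;`, which reads as a binding from the `let` rather than a self-assignment. Passing `system` through `specialArgs` is harmless, but modules already get the same value as `pkgs.stdenv.hostPlatform.system`, so a comment on why the extra special argument is needed would help the next reader.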