From e98394d75786e6fb67f7ef8bcf3b1346343c60a0 Mon Sep 17 00:00:00 2001
From: Nick
Date: Thu, 6 Nov 2025 16:35:10 -0600
Subject: [PATCH] chore: moved wireguard config
---
 example.nix | 265 ++++++++++++++++++
 modules/config/instances/config/forgejo.nix | 2 +-
 modules/nixos/default.nix | 3 +-
 modules/nixos/services/acme/default.nix | 11 +
 modules/nixos/services/caddy/default.nix | 11 +
 modules/nixos/services/forgejo/default.nix | 12 +-
 modules/nixos/services/ollama/default.nix | 11 +
 modules/nixos/services/postgresql/default.nix | 11 +
 modules/nixos/services/samba/default.nix | 11 +
 modules/nixos/services/wireguard/default.nix | 63 +----
 systems/ceres/config/bridge.nix | 71 +++++
 systems/ceres/config/networking.nix | 15 +-
 .../ceres/config/wireguard.nix | 14 -
 13 files changed, 412 insertions(+), 88 deletions(-)
 create mode 100755 example.nix
 create mode 100755 modules/nixos/services/acme/default.nix
 create mode 100755 modules/nixos/services/caddy/default.nix
 create mode 100755 modules/nixos/services/ollama/default.nix
 create mode 100755 modules/nixos/services/postgresql/default.nix
 create mode 100755 modules/nixos/services/samba/default.nix
 create mode 100755 systems/ceres/config/bridge.nix
 rename modules/nixos/services/wireguard/wireguardCeres/default.nix => systems/ceres/config/wireguard.nix (86%)
diff --git a/example.nix b/example.nix
new file mode 100755
index 0000000..f04cc7a
--- /dev/null
+++ b/example.nix
@@ -0,0 +1,265 @@
+# This is someone else's network config, however they use VLANs. I am not using VLANs. I'm just connecting my microVMs to the general LAN for now.
+
+{
+ enable = true;
+ netdevs = {
+ "vlan-mgmt" = {
+ netdevConfig = {
+ Name = "vlan-mgmt";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 50;
+ };
+ "br-mgmt" = {
+ netdevConfig = {
+ Name = "br-mgmt";
+ Kind = "bridge";
+ };
+ };
+
+ "vlan-minio" = {
+ netdevConfig = {
+ Name = "vlan-minio";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 51;
+ };
+ "br-minio" = {
+ netdevConfig = {
+ Name = "br-minio";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ STP = true;
+ };
+ };
+
+ "vlan-forgejo" = {
+ netdevConfig = {
+ Name = "vlan-forgejo";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 52;
+ };
+ "br-forgejo" = {
+ netdevConfig = {
+ Name = "br-forgejo";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ STP = true;
+ };
+ };
+
+ "vlan-nexus" = {
+ netdevConfig = {
+ Name = "vlan-nexus";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 53;
+ };
+ "br-nexus" = {
+ netdevConfig = {
+ Name = "br-nexus";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ STP = true;
+ };
+ };
+
+ "vlan-cloud" = {
+ netdevConfig = {
+ Name = "vlan-cloud";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 54;
+ };
+ "br-cloud" = {
+ netdevConfig = {
+ Name = "br-cloud";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ STP = true;
+ };
+ };
+
+ "vlan-caddy" = {
+ netdevConfig = {
+ Name = "vlan-caddy";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 55;
+ };
+ "br-caddy" = {
+ netdevConfig = {
+ Name = "br-caddy";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ STP = true;
+ };
+ };
+
+ "vlan-website" = {
+ netdevConfig = {
+ Name = "vlan-website";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 56;
+ };
+ "br-website" = {
+ netdevConfig = {
+ Name = "br-website";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ STP = true;
+ };
+ };
+ };
+
+ networks = {
+ "trunk-nic" = {
+ matchConfig.Name = "enp3s0f0";
+ vlan = [
+ "vlan-mgmt"
+ "vlan-minio"
+ "vlan-forgejo"
+ "vlan-nexus"
+ "vlan-cloud"
+ "vlan-caddy"
+ "vlan-website"
+ ];
+ };
+
+ "vlan-mgmt-net" = {
+ matchConfig.Name = "vlan-mgmt";
+ bridge = [ "br-mgmt" ];
+ };
+ "host-on-mgmt" = {
+ matchConfig.Name = "br-mgmt";
+ networkConfig = {
+ Address = [ "10.0.50.2/24" ];
+ Gateway = "10.0.50.1";
+ DNS = [ "10.0.50.1" ];
+ };
+ };
+
+ "vlan-minio-net" = {
+ matchConfig.Name = "vlan-minio";
+ bridge = [ "br-minio" ];
+ };
+ "host-on-minio" = {
+ matchConfig.Name = "br-minio";
+ };
+
+ "vlan-forgejo-net" = {
+ matchConfig.Name = "vlan-forgejo";
+ bridge = [ "br-forgejo" ];
+ };
+ "host-on-forgejo" = {
+ matchConfig.Name = "br-forgejo";
+ };
+
+ "vlan-nexus-net" = {
+ matchConfig.Name = "vlan-nexus";
+ bridge = [ "br-nexus" ];
+ };
+ "host-on-nexus" = {
+ matchConfig.Name = "br-nexus";
+ };
+
+ "vlan-cloud-net" = {
+ matchConfig.Name = "vlan-cloud";
+ bridge = [ "br-cloud" ];
+ };
+ "host-on-cloud" = {
+ matchConfig.Name = "br-cloud";
+ };
+
+ "vlan-caddy-net" = {
+ matchConfig.Name = "vlan-caddy";
+ bridge = [ "br-caddy" ];
+ };
+ "host-on-caddy" = {
+ matchConfig.Name = "br-caddy";
+ };
+
+ "vlan-website-net" = {
+ matchConfig.Name = "vlan-website";
+ bridge = [ "br-website" ];
+ };
+ "host-on-website" = {
+ matchConfig.Name = "br-website";
+ };
+
+ "vm-taps-minio" = {
+ matchConfig = {
+ Name = "vm-minio";
+ };
+ networkConfig = {
+ Description = "minio VM tap interface";
+ Bridge = "br-minio";
+ ConfigureWithoutCarrier = true;
+ };
+ };
+
+ "vm-taps-forgejo" = {
+ matchConfig = {
+ Name = "vm-forgejo";
+ };
+ networkConfig = {
+ Description = "forgejo VM tap interface";
+ Bridge = "br-forgejo";
+ ConfigureWithoutCarrier = true;
+ };
+ };
+
+ # VM tap interfaces for Nexus
+ "vm-taps-nexus" = {
+ matchConfig = {
+ Name = "vm-nexus";
+ };
+ networkConfig = {
+ Description = "nexus VM tap interface";
+ Bridge = "br-nexus";
+ ConfigureWithoutCarrier = true;
+ };
+ };
+
+ "vm-taps-cloud" = {
+ matchConfig = {
+ Name = "vm-cloud";
+ };
+ networkConfig = {
+ Description = "cloud VM tap interface";
+ Bridge = "br-cloud";
+ ConfigureWithoutCarrier = true;
+ };
+ };
+
+ "vm-taps-caddy" = {
+ matchConfig = {
+ Name = "vm-caddy";
+ };
+ networkConfig = {
+ Description = "caddy VM tap interface";
+ Bridge = "br-caddy";
+ ConfigureWithoutCarrier = true;
+ };
+ };
+
+ "vm-taps-website" = {
+ matchConfig = {
+ Name = "vm-website";
+ };
+ networkConfig = {
+ Description = "website VM tap interface";
+ Bridge = "br-website";
+ ConfigureWithoutCarrier = true;
+ };
+ };
+ };
+}
diff --git a/modules/config/instances/config/forgejo.nix b/modules/config/instances/config/forgejo.nix
index fcc11d0..531fa2a 100755
--- a/modules/config/instances/config/forgejo.nix
+++ b/modules/config/instances/config/forgejo.nix
@@ -38,7 +38,7 @@ in
 interface = {
 id = "vm-${name}";
 mac = "02:00:00:00:00:50";
- idUser = "vm-${name}";
+ idUser = "vm-${name}-user";
 macUser = "02:00:00:00:00:02";
 ip = "192.168.50.50";
 gate = "192.168.50.2";
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 824f3e4..6ba290d 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -15,7 +15,7 @@ in
 plymouth
 sddm
 searx
- wireGuard
+ wireguard
 ;
 };
 };
@@ -67,6 +67,7 @@ in
 # vaultwarden
 # website
 # zookeeper
+ wireguard
 ;
 };
 };
diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/default.nix
new file mode 100755
index 0000000..da65bd2
--- /dev/null
+++ b/modules/nixos/services/acme/default.nix
@@ -0,0 +1,11 @@
+let
+ importList =
+ let
+ content = builtins.readDir ./.;
+ dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
+ in
+ map (name: ./. + "/${name}") dirContent;
+in
+{
+ imports = importList;
+}
diff --git a/modules/nixos/services/caddy/default.nix b/modules/nixos/services/caddy/default.nix
new file mode 100755
index 0000000..da65bd2
--- /dev/null
+++ b/modules/nixos/services/caddy/default.nix
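Review bot: example.nix is a 265-line copy of a third-party VLAN layout whose own header says it is not in use, yet it lands at the repository root and nothing else in this patch imports it. If it is kept as reference material, a docs/ or notes location plus a header line naming the file that supersedes it (`systems/ceres/config/bridge.nix` in this patch) would stop it being read as live configuration. The per-service VLAN split it documents is exactly the segmentation the flat `br-vms` bridge gives up, so a sentence in that header recording the trade-off would make the intent clear to the next reader.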
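Review bot: The new `modules/nixos/services/acme/default.nix` is byte-identical to the caddy, ollama, postgresql and samba files added in this patch (all five carry blob `da65bd2`), so five copies of the same directory-scanning `importList` will drift the first time one of them is edited. A single helper that takes the directory path and returns the `imports` list, called from each default.nix, removes the duplication. Note too that `builtins.filter (n: content.${n} == "directory")` imports every subdirectory unconditionally, so any directory that later ends up in the evaluated source tree under a service becomes a module import; a comment stating that expectation, or an explicit allow-list, would make it deliberate.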
@@ -0,0 +1,11 @@
+let
+ importList =
+ let
+ content = builtins.readDir ./.;
+ dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
+ in
+ map (name: ./. + "/${name}") dirContent;
+in
+{
+ imports = importList;
+}
diff --git a/modules/nixos/services/forgejo/default.nix b/modules/nixos/services/forgejo/default.nix
index 80ec0e0..c26f677 100755
--- a/modules/nixos/services/forgejo/default.nix
+++ b/modules/nixos/services/forgejo/default.nix
@@ -123,14 +123,20 @@ in
 enable = true;
 networks."10-enp" = {
 matchConfig.Name = "enp0s4";
+
+ # Option 1: Static IP (recommended if you need consistent IP for reverse proxy)
 addresses = [ { Address = "${service.interface.ip}/24"; } ];
 routes = [
 {
- Destination = "${localhost}/0";
- Gateway = service.interface.gate;
+ Destination = "0.0.0.0/0";
+ Gateway = "192.168.50.1"; # Your LAN gateway - adjust if different
 }
 ];
- dns = [ service.interface.gate ];
+ dns = [ "192.168.50.1" ]; # Your LAN DNS - adjust if different
+
+ # Option 2: DHCP (uncomment below and comment out above if preferred)
+ # Note: You'll need to update the Caddy reverse_proxy IP or use hostname
+ # networkConfig.DHCP = "yes";
 };
 };
 };
diff --git a/modules/nixos/services/ollama/default.nix b/modules/nixos/services/ollama/default.nix
new file mode 100755
index 0000000..da65bd2
--- /dev/null
+++ b/modules/nixos/services/ollama/default.nix
@@ -0,0 +1,11 @@
+let
+ importList =
+ let
+ content = builtins.readDir ./.;
+ dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
+ in
+ map (name: ./. + "/${name}") dirContent;
+in
+{
+ imports = importList;
+}
diff --git a/modules/nixos/services/postgresql/default.nix b/modules/nixos/services/postgresql/default.nix
new file mode 100755
index 0000000..da65bd2
--- /dev/null
+++ b/modules/nixos/services/postgresql/default.nix
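Review bot: The static-route rewrite in `modules/nixos/services/forgejo/default.nix` replaces the parameterized `service.interface.gate` with the literal `192.168.50.1` for both `Gateway` and `dns`, while the instance definition this same patch touches (`modules/config/instances/config/forgejo.nix`) still declares `gate = "192.168.50.2"`; the two sources of truth now disagree, and the `# adjust if different` comments suggest the literal was never reconciled with it. Fixing only the broken destination (`Destination = "0.0.0.0/0";`) and keeping `Gateway = service.interface.gate;` and `dns = [ service.interface.gate ];`, with `gate` corrected in the instance config if the LAN gateway really is `.1`, leaves one definition of the VM's uplink. The commented-out "Option 2: DHCP" block and the "adjust if different" remarks read as scaffolding rather than configuration; either expose DHCP as a real option on the instance or drop the comment. The enclosing `systemd.network` block starts and ends outside the hunk.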
@@ -0,0 +1,11 @@
+let
+ importList =
+ let
+ content = builtins.readDir ./.;
+ dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
+ in
+ map (name: ./. + "/${name}") dirContent;
+in
+{
+ imports = importList;
+}
diff --git a/modules/nixos/services/samba/default.nix b/modules/nixos/services/samba/default.nix
new file mode 100755
index 0000000..da65bd2
--- /dev/null
+++ b/modules/nixos/services/samba/default.nix
@@ -0,0 +1,11 @@
+let
+ importList =
+ let
+ content = builtins.readDir ./.;
+ dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
+ in
+ map (name: ./. + "/${name}") dirContent;
+in
+{
+ imports = importList;
+}
diff --git a/modules/nixos/services/wireguard/default.nix b/modules/nixos/services/wireguard/default.nix
index 3fd8423..6408a95 100755
--- a/modules/nixos/services/wireguard/default.nix
+++ b/modules/nixos/services/wireguard/default.nix
@@ -1,59 +1,13 @@
-{ config, flake, ... }:
+{ flake, ... }:
 let
 inherit (flake.config.services) instances;
 inherit (flake.config.machines.devices) ceres;
 service = instances.wireGuard;
- wireGuardInterface =
- {
- secret,
- publicKey,
- endpoint,
- }:
- {
- name = "Proton-${secret}";
- value = {
- autostart = false;
- address = [ "10.2.0.2/32" ];
- dns = [ "10.2.0.1" ];
- privateKeyFile = config.sops.secrets."${service.name}-${secret}".path;
- peers = [
- {
- inherit publicKey endpoint;
- allowedIPs = [ "0.0.0.0/0,::/0" ];
- persistentKeepalive = 25;
- }
- ];
- };
- };
- interfaces = [
- {
- secret = "CA363";
- publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
- endpoint = "149.88.97.110:51820";
- }
- {
- secret = "CA220";
- publicKey = "UR8vjVYrrWYadCwLKiAabKTIdxM4yikmCXnvKWm89D8=";
- endpoint = "139.28.218.130:51820";
- }
- {
- secret = "CA358";
- publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
- endpoint = "149.88.97.110:51820";
- }
- {
- secret = "CA627";
- publicKey = "xLFgU430Tt7PdHJydVbIKvtjXJodoPpGKW7fhF7XE2k=";
- endpoint = "139.28.218.130:51820";
- }
- ];
 in
 {
 networking = {
 hosts = {
 ${ceres.wireguard.ip0} = [
- instances.searx.domains.url0
- instances.glance.domains.url0
 ];
 };
 wireguard.interfaces = {
@@ -72,19 +26,4 @@ in
 };
 };
 };
-
- sops.secrets =
- let
- sopsPath = secret: {
- path = "${service.sops.path0}/${service.name}-${secret}";
- owner = "root";
- mode = "600";
- };
- in
- builtins.listToAttrs (
- (map (interface: {
- name = "${service.name}-${interface.secret}";
- value = sopsPath interface.secret;
- }) interfaces)
- );
 }
diff --git a/systems/ceres/config/bridge.nix b/systems/ceres/config/bridge.nix
new file mode 100755
index 0000000..17f6b59
--- /dev/null
+++ b/systems/ceres/config/bridge.nix
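Review bot: After both host entries are removed, `networking.hosts.${ceres.wireguard.ip0}` is left mapping the WireGuard address to an empty list, dead configuration that the next maintainer will read as intentional; either drop the `hosts` block or restore whatever names are still meant to resolve to that address. `service = instances.wireGuard;` is kept although its only visible uses (the `privateKeyFile` path here and the `sops.secrets` block in the hunk at `@@ -72,19`) are deleted; if the `wireguard.interfaces` body outside the hunk no longer references it, the binding should go too. Dropping `config` from the module arguments is consistent with the sops removal.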
@@ -0,0 +1,71 @@
+{
+ lib,
+ ...
+}:
+{
+ # Enable systemd-networkd for bridge management
+ systemd.network = {
+ enable = true;
+
+ netdevs = {
+ "20-br-vms" = {
+ netdevConfig = {
+ Name = "br-vms";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ STP = false;
+ };
+ };
+ };
+
+ networks = {
+ # Connect physical interface to bridge
+ "30-enp10s0" = {
+ matchConfig.Name = "enp10s0";
+ networkConfig = {
+ Bridge = "br-vms";
+ ConfigureWithoutCarrier = true;
+ };
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ };
+
+ # Configure bridge to get IP from LAN DHCP
+ "40-br-vms" = {
+ matchConfig.Name = "br-vms";
+ networkConfig = {
+ DHCP = "ipv4";
+ };
+ linkConfig = {
+ RequiredForOnline = "routable";
+ };
+ };
+
+ # VM tap interface to bridge
+ "50-vm-forgejo" = {
+ matchConfig.Name = "vm-forgejo";
+ networkConfig = {
+ Bridge = "br-vms";
+ ConfigureWithoutCarrier = true;
+ };
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ };
+ };
+ };
+
+ # Tell NetworkManager to ignore bridge and VM interfaces
+ networking.networkmanager.unmanaged = [
+ "interface-name:br-vms"
+ "interface-name:vm-*"
+ "interface-name:enp10s0"
+ ];
+
+ # IP forwarding (needed for both bridge networking and WireGuard NAT)
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ };
+}
diff --git a/systems/ceres/config/networking.nix b/systems/ceres/config/networking.nix
index 5bf0916..b3a13a0 100755
--- a/systems/ceres/config/networking.nix
+++ b/systems/ceres/config/networking.nix
@@ -5,17 +5,13 @@
 }:
 let
 inherit (flake.config.machines.devices) ceres;
+ inherit (flake.config.services) instances;
+ wireguardService = instances.wireGuard;
 in
 {
 networking = {
 hostName = ceres.name;
- networkmanager = {
- enable = true;
- unmanaged = [
- "interface-name:br-vms"
- "interface-name:vm-*"
- ];
- };
+ networkmanager.enable = true;
 nftables.enable = true;
 useDHCP = lib.mkDefault true;
 firewall = {
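Review bot: The comment over `"net.ipv4.ip_forward" = 1` in bridge.nix says forwarding is needed for bridge networking, but a Linux bridge switches frames at layer 2 and does not depend on IP forwarding; the only consumer visible in this patch is the `networking.nat` block in `systems/ceres/config/wireguard.nix`, from which the same sysctl is removed. Keeping the setting beside the NAT config that needs it, or stating in the comment that `networking.nat.enable` is expected to turn forwarding on itself if that is what is relied on, avoids WireGuard forwarding silently breaking should bridge.nix ever be dropped; `# Needed by the WireGuard NAT in wireguard.nix; bridging itself is L2 and does not require it` would be accurate. On the design, `br-vms` attaches the VM taps directly to `enp10s0`, so the microVMs become layer-2 peers of the LAN and of the host with nothing filtering between them; a header comment stating that trust boundary, and noting that `"50-vm-forgejo"` is the only tap actually bridged even though `vm-*` is declared unmanaged, would keep the next reader from assuming isolation.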
@@ -27,6 +23,11 @@ in
 587 # SMTP
 2525 # SMTP
 9999 # NC
+ wireguardService.ports.port0 # WireGuard
+ ];
+ allowedUDPPorts = [
+ wireguardService.ports.port0 # WireGuard
+ wireguardService.ports.port1 # WireGuard
 ];
 };
 };
diff --git a/modules/nixos/services/wireguard/wireguardCeres/default.nix b/systems/ceres/config/wireguard.nix
similarity index 86%
rename from modules/nixos/services/wireguard/wireguardCeres/default.nix
rename to systems/ceres/config/wireguard.nix
index cfb49c7..19d717d 100644
--- a/modules/nixos/services/wireguard/wireguardCeres/default.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -6,16 +6,6 @@ let
 in
 {
 networking = {
- firewall = {
- allowedTCPPorts = [
- service.ports.port0
- ];
- allowedUDPPorts = [
- service.ports.port0
- service.ports.port1
- ];
- };
-
 nat = {
 enable = true;
 enableIPv6 = true;
@@ -69,8 +59,4 @@ in
 ]
 );
 };
-
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- };
 }
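Review bot: `wireguardService.ports.port0` is added to `allowedTCPPorts` as well as to the new `allowedUDPPorts` in networking.nix, but WireGuard is UDP-only, so the TCP rule opens a port on which nothing in this patch listens; dropping `wireguardService.ports.port0 # WireGuard` from the TCP list keeps the firewall to what the service uses. The rule is carried over from the `firewall` block removed from `systems/ceres/config/wireguard.nix` in the next hunk, so this is a pre-existing exposure rather than one the move introduced, but the move is the moment to correct it. If something else is meant to listen on TCP `port0` (the diff does not show it), the comment should name that service instead of `# WireGuard`.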