initial commit

2025-08-17 20:37:46 +05:30
commit f0f0229345
9 changed files with 344 additions and 0 deletions
--- a/modules/access.nix
+++ b/modules/access.nix
@@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+
+let
+  keys = [
+  ];
+
+  root.password = config.sops.secrets.password-root.path;
+in {
+
+  sops.secrets = let def = { neededForUsers = true; };
+  in {
+    "password-root" = def;
+  };
+
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "no";
+  };
+
+  # protect from ssh spammers
+  services.sshguard.enable = true;
+
+  # disable kernel from logging REFUSED CONNECTIONS messages when we actually drop this traffic
+  networking.firewall.logRefusedConnections = false;
+
+  # enable mosh and open firewall ports
+  programs.mosh.enable = true;
+
+  security.sudo.wheelNeedsPassword = false;
+
+  users.mutableUsers = false;
+
+  users.users.root = {
+    hashedPasswordFile = root.password;
+    openssh.authorizedKeys.keys = keys;
+  };
+
+  # users.users.<username> = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ];
+  #   hashedPasswordFile = <username.password>;
+  #   openssh.authorizedKeys.keys = <username.keys>;
+  # };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -0,0 +1 @@
+{ config, pkgs, ... }: { imports = [ ./access.nix ./network.nix ]; }
--- a/modules/network.nix
+++ b/modules/network.nix
@@ -0,0 +1,68 @@
+{ config, pkgs, ... }:
+let
+  hostname = "tunnels";
+  domain = "example.com";
+
+  resolvers = [ "9.9.9.9" "2620:fe::fe" ];
+
+  egress = {
+    interface = "eth0";
+
+    ipv4.gateway = "198.51.100.10";
+    ipv4.address = "198.51.100.1/24";
+
+    ipv6.gateway = "fe80::1";
+    ipv6.address = "2001:DB8:10:cafe:dcaf::3210/64";
+  };
+
+  tunnels = [{
+    interface = "wg0";
+    serverPort = 51820;
+    serverAddress = "2001:db8:de:ff0::1/128";
+    clientAddress = "2001:db8:de:ff0::2/128";
+    clientSubnet = "2001:db8:de:f00::/60";
+    serverPrivateKeyFile = "wg0-server-private";
+    clientPublicKeyFile = "wg0-client-public";
+  }];
+in {
+
+  networking.hostName = hostname;
+  networking.domain = domain;
+
+  # Enable systemd-networkd
+  systemd.network.enable = true;
+  networking.useNetworkd = true;
+
+  # Tools for monitoring/key generation
+  environment.systemPackages = with pkgs; [ wireguard-tools tcpdump ];
+
+  # Configure Ethernet interface (eth0)
+  systemd.network.networks."10-egress" = {
+    matchConfig.Name = egress.interface;
+    networkConfig = {
+      DHCP = "no";
+      IPv6AcceptRA = "no";
+      IPv6PrivacyExtensions = "yes";
+      IPv6Forwarding = "yes";
+    };
+
+    address = [ egress.ipv4.address egress.ipv6.address ];
+    gateway = [ egress.ipv4.gateway egress.ipv6.gateway ];
+
+    dns = resolvers;
+  };
+
+  imports = [ ./wireguard.nix ];
+
+  wireguard.interfaces = tunnels;
+
+  networking.firewall = { allowedUDPPorts = map (x: x.serverPort) tunnels; };
+
+  networking.nat = {
+    enable = true;
+    externalInterface = egress.interface;
+    internalInterfaces = map (x: x.interface) tunnels;
+    enableIPv6 = true;
+  };
+
+}
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -0,0 +1,120 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkOption types;
+
+  wgConfigType = types.listOf (types.submodule {
+    options = {
+      interface = mkOption {
+        type = types.str;
+        description = "WireGuard interface name.";
+      };
+      serverAddress = mkOption {
+        type = types.str;
+        description =
+          "IPv6 address with CIDR prefix to bind WireGuard (e.g., 2001:db8::1/64).";
+      };
+      serverPort = mkOption {
+        type = types.port;
+        description = "Port for WireGuard.";
+      };
+      clientAddress = mkOption {
+        type = types.str;
+        description = "Peer IPv6 address with CIDR (e.g., 2001:db8::2/128).";
+      };
+      clientSubnet = mkOption {
+        type = types.str;
+        description = "Peer subnet IPv6 CIDR (e.g., 2001:db8::/64).";
+      };
+      serverPrivateKeyFile = mkOption {
+        type = types.str;
+        description = "Name of the sops secret containing server private key.";
+      };
+      clientPublicKeyFile = mkOption {
+        type = types.str;
+        description = "Name of the sops secret containing client public key.";
+      };
+    };
+  });
+
+  interfaces = config.wireguard.interfaces;
+
+  extract = attr: map (x: x.${attr}) interfaces;
+
+  assertUnique = name: values: {
+    assertion = values == lib.unique values;
+    message =
+      "Duplicate values found for '${name}': ${builtins.toString values}";
+  };
+
+  secretAssertions = lib.flatten (map (cfg: [
+    {
+      assertion = builtins.hasAttr cfg.serverPrivateKeyFile config.sops.secrets;
+      message = "Missing sops secret: ${cfg.serverPrivateKeyFile}";
+    }
+    {
+      assertion = builtins.hasAttr cfg.clientPublicKeyFile config.sops.secrets;
+      message = "Missing sops secret: ${cfg.clientPublicKeyFile}";
+    }
+  ]) interfaces);
+
+  uniquenessAssertions = [
+    (assertUnique "interface" (extract "interface"))
+    (assertUnique "serverAddress" (extract "serverAddress"))
+    (assertUnique "serverPort" (extract "serverPort"))
+    (assertUnique "clientAddress" (extract "clientAddress"))
+    (assertUnique "clientSubnet" (extract "clientSubnet"))
+  ];
+
+in {
+  options.wireguard.interfaces = mkOption {
+    type = wgConfigType;
+    description = "List of WireGuard interface configurations.";
+  };
+
+  config = {
+    sops.secrets = lib.mkMerge (map (cfg: {
+      "${cfg.serverPrivateKeyFile}" = { };
+      "${cfg.clientPublicKeyFile}" = { };
+    }) interfaces);
+
+    assertions = lib.mkAfter (secretAssertions ++ uniquenessAssertions);
+
+    systemd.network.enable = true;
+
+    systemd.network.netdevs = lib.mkMerge (map (cfg: {
+      "${cfg.interface}" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = cfg.interface;
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets.${cfg.serverPrivateKeyFile}.path;
+          ListenPort = cfg.serverPort;
+        };
+        wireguardPeers = [{
+          PublicKeyFile = config.sops.secrets.${cfg.clientPublicKeyFile}.path;
+          AllowedIPs = [ cfg.clientAddress cfg.clientSubnet ];
+        }];
+      };
+    }) interfaces);
+
+    systemd.network.networks = lib.mkMerge (map (cfg: {
+      "${cfg.interface}" = {
+        matchConfig = { Name = cfg.interface; };
+        address = [ cfg.serverAddress ];
+
+        routes = [
+          {
+            Destination = cfg.clientAddress;
+            Scope = "link";
+          }
+          {
+            Destination = cfg.clientSubnet;
+            Scope = "link";
+          }
+        ];
+      };
+    }) interfaces);
+  };
+}
				`@@ -0,0 +1 @@`
				`{ config, pkgs, ... }: { imports = [ ./access.nix ./network.nix ]; }`