From b4e7b0ca3e466f3d211590ecc422bb74f61875e6 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 5 Nov 2024 19:12:20 +0000 Subject: [PATCH 01/13] add kalessin, kilgharrah --- hosts.nix | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/hosts.nix b/hosts.nix index 503a62f..5a8dc4d 100644 --- a/hosts.nix +++ b/hosts.nix @@ -115,13 +115,13 @@ with lib; wireguardKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA="; }; - # kalessin = { - # # hostKey = ""; - # endpoint = "kalessin.birdsong.network"; - # ipv4 = "10.127.1.3"; - # ipv6 = "fd70:81ca:0f8f:1::3"; - # # wireguardKey = ""; - # }; + kalessin = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPt3iSSmgnlsv1/jafgZgI7o8UuXzcAL45hID2ThfS8 root@kalessin"; + endpoint = "kalessin.birdsong.network"; + ipv4 = "10.127.1.3"; + ipv6 = "fd70:81ca:0f8f:1::3"; + wireguardKey = "9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ="; + }; tohru = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru"; @@ -132,14 +132,14 @@ with lib; wireguardKey = "lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18="; }; - # kilgharrah = { - # # hostKey = ""; - # subnet = "weyrhold"; - # endpoint = "192.168.2.1"; - # ipv4 = "10.127.3.1"; - # ipv6 = "fd70:81ca:0f8f:3::1"; - # # wireguardKey = ""; - # }; + kilgharrah = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; + subnet = "weyrhold"; + endpoint = "192.168.2.1"; + ipv4 = "10.127.3.1"; + ipv6 = "fd70:81ca:0f8f:3::1"; + wireguardKey = "LXQVU0MFKVO/mml5krHnf6NcL4GxF6XFJmvpmjrLBFA="; + }; shaw = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw"; From 382e0a74af213206eccb9b6b1592c73ac59b16ba Mon Sep 17 00:00:00 2001 
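Review bot: In the kilgharrah block, `endpoint = "192.168.2.1";` is a private LAN address, and it is only correct because `canDirectPeer` (defined later in peering.nix, visible as context in the patch 08 hunk) hands an Endpoint out only to peers in the same non-roaming subnet or to "internet" hosts; nothing at the definition site says so. A one-line comment such as `# LAN address: only used as Endpoint by other "weyrhold" hosts` would keep later additions that repeat the pattern (elucredassa in patch 09 uses 192.168.2.2) from reading as a mistake. The kalessin block carries no `subnet`, so it presumably falls back to a default declared by the hosts option outside this file; naming that default in a comment here would make the peering semantics readable from hosts.nix alone.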
From: Katherina Walshe-Grey Date: Tue, 5 Nov 2024 19:41:26 +0000 Subject: [PATCH 02/13] simplify peering --- peering.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peering.nix b/peering.nix index eea580f..f558200 100644 --- a/peering.nix +++ b/peering.nix @@ -103,7 +103,7 @@ in PersistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive; }; }) - (filterAttrs (name: peer: peer != host && (host.subnet == "internet" || canDirectPeer host peer)) hosts); + (filterAttrs (name: peer: peer != host && (canDirectPeer host peer || canDirectPeer peer host)) hosts); }; networks."30-birdsong" = { From ffe25bd95a49d6595edec6caa432703a48b7a8fd Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 5 Nov 2024 19:41:43 +0000 Subject: [PATCH 03/13] remove systemd.network.enable; this should be set separately --- peering.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/peering.nix b/peering.nix index f558200..9be32f5 100644 --- a/peering.nix +++ b/peering.nix @@ -77,8 +77,6 @@ in networking.firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ]; systemd.network = { - enable = true; - netdevs."30-birdsong" = { netdevConfig = { Name = cfg.interface; From fa0f559d3b41d5fff49ef081f95830270b4662ae Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 11 Nov 2024 20:32:38 +0000 Subject: [PATCH 04/13] Remove deprecated See https://github.com/NixOS/nixpkgs/pull/312472. This nixpkgs PR (targeting 24.11) broke merging of attributes in the deprecated attrset. As the deprecated attrset is likely to be removed altogether soon, instead of reporting upstream, and all our >24.05 systems are in randomcat's repo for now, we judged that the course of least resistance was just to patch the config on a separate branch until 24.11 is released. --- peering.nix | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/peering.nix b/peering.nix index 9be32f5..9c97bd1 100644 --- a/peering.nix +++ b/peering.nix 
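Review bot: The new filter `filterAttrs (name: peer: peer != host && (canDirectPeer host peer || canDirectPeer peer host)) hosts` excludes the local host by deep structural comparison of attrsets while the `name` argument goes unused; if `host` is `hosts.${hostName}` (its binding is outside this hunk), `name != hostName` states the intent directly. The symmetric `canDirectPeer` test also means a peer that can reach this host but cannot be reached by it is still configured, just without an Endpoint, which matches the `Endpoint = mkIf (canDirectPeer host peer)` line shown in the patch 04 hunk. A short comment on the filter, `# include peers we can dial and peers that can dial us; the latter get no Endpoint`, would save the next reader from re-deriving that.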
@@ -93,13 +93,11 @@ in in mapAttrsToList (name: peer: { - wireguardPeerConfig = { - PublicKey = peer.wireguardKey; - AllowedIPs = [ peer.ipv4 peer.ipv6 ] - ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; - Endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}"; - PersistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive; - }; + PublicKey = peer.wireguardKey; + AllowedIPs = [ peer.ipv4 peer.ipv6 ] + ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; + Endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}"; + PersistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive; }) (filterAttrs (name: peer: peer != host && (canDirectPeer host peer || canDirectPeer peer host)) hosts); }; From 25a90c1b33d76845252fdd9381e5b114604253b5 Mon Sep 17 00:00:00 2001 From: Janet Cobb Date: Tue, 24 Dec 2024 11:58:39 -0500 Subject: [PATCH 05/13] add groves --- hosts.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hosts.nix b/hosts.nix index 5a8dc4d..a343481 100644 --- a/hosts.nix +++ b/hosts.nix @@ -132,6 +132,14 @@ with lib; wireguardKey = "lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18="; }; + groves = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQNZ/Q+x7mDYfYXftpZpWkfPByyMBbYmVFobM4vSDW2 root@groves"; + subnet = "roaming"; + ipv4 = "10.127.2.2"; + ipv6 = "fd70:81ca:0f8f:2::2"; + wireguardKey = "Tsbw77gIsoa3eBWZpQwZAM6EPpq+7yS33qoFHS4tXlY="; + }; + kilgharrah = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; subnet = "weyrhold"; From 881078abf8bdc5f7e8bff63288714c6ec245c758 Mon Sep 17 00:00:00 2001 From: Janet Cobb Date: Tue, 24 Dec 2024 22:01:21 -0500 Subject: [PATCH 06/13] bear, reese: init --- hosts.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hosts.nix b/hosts.nix index a343481..a18c6e9 100644 --- a/hosts.nix +++ b/hosts.nix 
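Review bot: The flattened peer entry keeps the network prefixes inline, `++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]`, and the same two literals appear again in the host-side `AllowedIPs` near the end of the file (context in the patch 10 hunk), so a single binding such as `networkPrefixes = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];` next to `canDirectPeer` would keep them from drifting. Note also that if more than one host is `isRouter`, every router peer receives the whole /16 and /48 in its AllowedIPs; WireGuard's cryptokey routing maps an address to exactly one peer, so the last router configured silently takes all non-directly-peered traffic. A comment at this line stating whether that single-active-router outcome is intended would help. The enclosing `mapAttrsToList` expression starts before this hunk.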
@@ -123,6 +123,22 @@ with lib; wireguardKey = "9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ="; }; + reese = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd0qGxvcMLDwX1bqYpwOUL5c/CIgBllMFr+bGkwiwAn root@reese"; + endpoint = "reese.internetcat.org"; + ipv4 = "10.127.1.5"; + ipv6 = "fd70:81ca:0f8f:1::5"; + wireguardKey = "K/wArdwedMwjQULPOjOrPoEwsevaRhBZ3rUrH7pNWHM="; + }; + + bear = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ9Kn1CIcDHaleKHf7zO6O30Rbxs/FwL0/Ie+mEjZJr root@bear"; + endpoint = "bear.internetcat.org"; + ipv4 = "10.127.1.6"; + ipv6 = "fd70:81ca:0f8f:1::6"; + wireguardKey = "mXWQo1Vn2YFr7OhFNc3g7Zbcf/qnwuLx8HHCn6HKwBc="; + }; + tohru = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru"; subnet = "roaming"; From fd3965ddee060739fb5b63b14e48ba4bb8c8588d Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 25 Dec 2024 04:23:57 +0000 Subject: [PATCH 07/13] add option to use systemd credential for wireguard key --- peering.nix | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/peering.nix b/peering.nix index 9c97bd1..817b046 100644 --- a/peering.nix +++ b/peering.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: -with lib; let + inherit (lib) mkIf mkOption mkEnableOption types optionals filterAttrs mapAttrsToList; cfg = config.birdsong.peering; hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName; hosts = config.birdsong.hosts; 
@@ -31,12 +31,27 @@ in type = types.bool; }; privateKeyFile = mkOption { + default = null; description = '' - Path to the private key for this peer, as generated by `wg genkey`. Must - be readable by the user "systemd-network"; systemd.netdev(5) recommends - it be owned by "root:systemd-network" with a "0640" file mode. + Path to the private key for this peer, as generated by + {command}`wg genkey`. Must be readable by the user "systemd-network"; + systemd.netdev(5) recommends it be owned by "root:systemd-network" with + a "0640" file mode. Set exactly one of this or + {option}`birdsong.peering.privateKeyCredential`. ''; - type = types.path; + type = with types; nullOr str; + }; + privateKeyCred = mkOption { + default = null; + description = '' + Name of a systemd credential containing a private key for this peer, as + generated by {command}`wg genkey`. Set exactly one of this or + {option}`birdsong.peering.privateKeyFile`. + + To load the credential from an encrypted credential file, set + {option}`systemd.services.systemd-networkd.serviceConfig.LoadCredentialEncrypted`. + ''; + type = with types; nullOr str; }; persistentKeepalive = mkOption { default = 0; @@ -60,8 +75,8 @@ in message = "birdsong depends on networkd. systemd.network.enable must be true"; } { - assertion = cfg ? privateKeyFile; - message = "birdsong.peering.privateKeyFile must be set"; + assertion = (cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null); + message = "exactly one of birdsong.peering.privateKeyCred or birdsong.peering.privateKeyFile must be set"; } { assertion = hostName != null; @@ -84,7 +99,8 @@ in Description = "wireguard tunnel to the birdsong network"; }; wireguardConfig = { - PrivateKeyFile = cfg.privateKeyFile; + PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}"; + PrivateKeyFile = mkIf (cfg.privateKeyFile != null) cfg.privateKeyFile; ListenPort = host.port; }; wireguardPeers = 
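Review bot: The type change for `privateKeyFile` from `types.path` to `with types; nullOr str` is a hardening as much as a loosening, and the reason is not recorded: a Nix path literal passes `types.path` and, when it reaches the unit text through string interpolation, can be copied into the world-readable Nix store, whereas `str` rejects path literals and forces an out-of-store path string. A comment on the `type` line, `# str, not path: a path literal could land the key in /nix/store`, would stop a future cleanup from reverting it. The `privateKeyFile` description also points at `birdsong.peering.privateKeyCredential` while the option introduced in this hunk is named `privateKeyCred`; patch 08 renames the option, so only this intermediate commit is inconsistent, but the docs and the name should land together.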
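Review bot: The exactly-one assertion `(cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null)` spells out both orderings where an inequality of the two null checks says the same thing: `assertion = (cfg.privateKeyCred == null) != (cfg.privateKeyFile == null);`. The same simplification applies to the renamed form in the patch 08 hunk. It is also worth a comment that the removed `cfg ? privateKeyFile` test was always true for a declared option, so this commit is the first time the check can fail. The enclosing assertions list starts before this hunk.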
From 54c8b67a44ed58f92b6233934387b6e568151336 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 02:53:57 +0000 Subject: [PATCH 08/13] work around systemd unit parameters evaluating through mkIf --- peering.nix | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/peering.nix b/peering.nix index 817b046..b25f215 100644 --- a/peering.nix +++ b/peering.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - inherit (lib) mkIf mkOption mkEnableOption types optionals filterAttrs mapAttrsToList; + inherit (lib) types mkIf mkMerge mkOption mkEnableOption optionals filterAttrs mapAttrsToList; cfg = config.birdsong.peering; hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName; hosts = config.birdsong.hosts; @@ -41,7 +41,7 @@ in ''; type = with types; nullOr str; }; - privateKeyCred = mkOption { + privateKeyCredential = mkOption { default = null; description = '' Name of a systemd credential containing a private key for this peer, as @@ -75,8 +75,8 @@ in message = "birdsong depends on networkd. systemd.network.enable must be true"; } { - assertion = (cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null); - message = "exactly one of birdsong.peering.privateKeyCred or birdsong.peering.privateKeyFile must be set"; + assertion = (cfg.privateKeyCredential != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCredential == null); + message = "exactly one of birdsong.peering.privateKeyCredential or birdsong.peering.privateKeyFile must be set"; } { assertion = hostName != null; 
@@ -98,11 +98,19 @@ in Kind = "wireguard"; Description = "wireguard tunnel to the birdsong network"; }; - wireguardConfig = { - PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}"; - PrivateKeyFile = mkIf (cfg.privateKeyFile != null) cfg.privateKeyFile; - ListenPort = host.port; - }; + + wireguardConfig = mkMerge [ + { + ListenPort = host.port; + } + (mkIf (cfg.privateKeyCredential != null) { + PrivateKey = "@${cfg.privateKeyCredential}"; + }) + (mkIf (cfg.privateKeyFile != null) { + PrivateKeyFile = cfg.privateKeyFile; + }) + ]; + wireguardPeers = let canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet); From 4e461f83a84aba32bdf640163375f1e31b699111 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 21 Jan 2025 14:35:05 +0000 Subject: [PATCH 09/13] Add elucredassa --- hosts.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts.nix b/hosts.nix index a18c6e9..d1b803a 100644 --- a/hosts.nix +++ b/hosts.nix @@ -165,6 +165,15 @@ with lib; wireguardKey = "LXQVU0MFKVO/mml5krHnf6NcL4GxF6XFJmvpmjrLBFA="; }; + elucredassa = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa"; + subnet = "weyrhold"; + endpoint = "192.168.2.2"; + ipv4 = "10.127.3.2"; + ipv6 = "fd70:81ca:0f8f:3::2"; + wireguardKey = "hwgf4efFNOtQwCDMpZI4uyPDjzPzHF056pWgobGaxRY="; + }; + shaw = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw"; subnet = "library"; From 007130e869f1223713d588ba0f125c586ca13623 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 4 Feb 2025 19:51:19 +0000 Subject: [PATCH 10/13] add hosts' SSH keys to known_hosts --- peering.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/peering.nix b/peering.nix index b25f215..8549400 100644 --- a/peering.nix +++ b/peering.nix 
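Review bot: The `wireguardConfig = mkMerge [ ... ]` shape in this hunk exists only to avoid the per-key `mkIf` the previous commit used, and that reason lives in the commit subject rather than in the file; a comment at the `mkMerge` line, `# per-key mkIf is not honoured by the unit renderer; merge whole attrsets instead`, would stop the next refactor from collapsing it back into one attrset. The failure mode itself is inferred from the commit message rather than from anything visible here, so the comment should record what was actually observed if the author remembers it. The `netdevs."30-birdsong"` definition continues past the end of the hunk.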
@@ -132,5 +132,12 @@ in ++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; }; }; + + services.openssh.knownHosts = builtins.mapAttrs + (name: host: { + publicKey = host.hostKey; + hostNames = [ host.ipv4 host.ipv6 ]; + }) + hosts; }; } From cc19ed9a39a1c094372de25ca3aef473f817fcac Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Feb 2025 19:07:51 +0000 Subject: [PATCH 11/13] don't conflict with known_hosts specified elsewhere --- peering.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/peering.nix b/peering.nix index 8549400..97cf12d 100644 --- a/peering.nix +++ b/peering.nix @@ -133,8 +133,8 @@ in }; }; - services.openssh.knownHosts = builtins.mapAttrs - (name: host: { + services.openssh.knownHosts = lib.mapAttrs' + (name: host: lib.nameValuePair ("birdsong_" + name) { publicKey = host.hostKey; hostNames = [ host.ipv4 host.ipv6 ]; }) From a40220a4b977bc04cbe9e13ff5c667ed6f252677 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Feb 2025 19:12:03 +0000 Subject: [PATCH 12/13] services.openssh -> programs.ssh --- peering.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peering.nix b/peering.nix index 97cf12d..4fee698 100644 --- a/peering.nix +++ b/peering.nix @@ -133,7 +133,7 @@ in }; }; - services.openssh.knownHosts = lib.mapAttrs' + programs.ssh.knownHosts = lib.mapAttrs' (name: host: lib.nameValuePair ("birdsong_" + name) { publicKey = host.hostKey; hostNames = [ host.ipv4 host.ipv6 ]; From 9955b1ae4eb0cbeff2ae0ed6520e651753880445 Mon Sep 17 00:00:00 2001 From: Janet Cobb Date: Tue, 13 May 2025 17:17:42 +0100 Subject: [PATCH 13/13] add carter --- hosts.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hosts.nix b/hosts.nix index d1b803a..e467c8e 100644 --- a/hosts.nix +++ b/hosts.nix 
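Review bot: The known_hosts entries built with `hostNames = [ host.ipv4 host.ipv6 ];` pin each host key only to its overlay addresses, so an SSH connection made to a host's public `endpoint` name (e.g. `kalessin.birdsong.network` in hosts.nix) or to a LAN endpoint gets no pin from this module and falls back to trust-on-first-use. If `endpoint` is null or absent for roaming hosts (patch 05 adds groves without one), `hostNames = [ host.ipv4 host.ipv6 ] ++ optionals (host.endpoint or null != null) [ host.endpoint ];` would cover the dialled name as well, with `optionals` already in the file's `inherit (lib)` list. The mapping also emits an entry for the local host itself, which is harmless but could be dropped with the same `peer != host` test the `wireguardPeers` filter uses.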
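Review bot: The new `lib.mapAttrs'` and `lib.nameValuePair` calls reach into `lib` directly while the rest of the file pulls helpers through the `inherit (lib) …` list at the top (visible in the patch 08 hunk), so the file now mixes two styles; adding `mapAttrs' nameValuePair` to that `inherit` and writing `mapAttrs' (name: host: nameValuePair ("birdsong_" + name) { … }) hosts` keeps it consistent. The `birdsong_` prefix also deserves a one-line comment, `# prefixed so these entries never collide with knownHosts declared elsewhere under the bare host name`, since that intent is only stated in the commit subject.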
@@ -156,6 +156,14 @@ with lib; wireguardKey = "Tsbw77gIsoa3eBWZpQwZAM6EPpq+7yS33qoFHS4tXlY="; }; + carter = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHHHYG6A995Po05+JXQsvB79ZoIiSOJnW6AiJgVYPic root@carter"; + subnet = "roaming"; + ipv4 = "10.127.2.3"; + ipv6 = "fd70:81ca:0f8f:2::3"; + wireguardKey = "bJVSqLNtcRsZH3fki9sZ8TofgKd8JgRf7z/oHzUjMGk="; + }; + kilgharrah = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; subnet = "weyrhold";