From 25a90c1b33d76845252fdd9381e5b114604253b5 Mon Sep 17 00:00:00 2001 From: Janet Cobb Date: Tue, 24 Dec 2024 11:58:39 -0500 Subject: [PATCH 1/9] add groves --- hosts.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hosts.nix b/hosts.nix index 5a8dc4d..a343481 100644 --- a/hosts.nix +++ b/hosts.nix @@ -132,6 +132,14 @@ with lib; wireguardKey = "lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18="; }; + groves = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQNZ/Q+x7mDYfYXftpZpWkfPByyMBbYmVFobM4vSDW2 root@groves"; + subnet = "roaming"; + ipv4 = "10.127.2.2"; + ipv6 = "fd70:81ca:0f8f:2::2"; + wireguardKey = "Tsbw77gIsoa3eBWZpQwZAM6EPpq+7yS33qoFHS4tXlY="; + }; + kilgharrah = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; subnet = "weyrhold"; From 881078abf8bdc5f7e8bff63288714c6ec245c758 Mon Sep 17 00:00:00 2001 From: Janet Cobb Date: Tue, 24 Dec 2024 22:01:21 -0500 Subject: [PATCH 2/9] bear, reese: init --- hosts.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hosts.nix b/hosts.nix index a343481..a18c6e9 100644 --- a/hosts.nix +++ b/hosts.nix @@ -123,6 +123,22 @@ with lib; wireguardKey = "9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ="; }; + reese = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd0qGxvcMLDwX1bqYpwOUL5c/CIgBllMFr+bGkwiwAn root@reese"; + endpoint = "reese.internetcat.org"; + ipv4 = "10.127.1.5"; + ipv6 = "fd70:81ca:0f8f:1::5"; + wireguardKey = "K/wArdwedMwjQULPOjOrPoEwsevaRhBZ3rUrH7pNWHM="; + }; + + bear = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ9Kn1CIcDHaleKHf7zO6O30Rbxs/FwL0/Ie+mEjZJr root@bear"; + endpoint = "bear.internetcat.org"; + ipv4 = "10.127.1.6"; + ipv6 = "fd70:81ca:0f8f:1::6"; + wireguardKey = "mXWQo1Vn2YFr7OhFNc3g7Zbcf/qnwuLx8HHCn6HKwBc="; + }; + tohru = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru"; subnet = "roaming"; 
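Review bot: The new `reese` and `bear` entries in the second hunk set `endpoint` but no `subnet`, while every neighbouring entry (`groves`, `tohru`, `kilgharrah`) carries one. The peering code reads `peer.subnet` in `canDirectPeer`, so if the hosts option declares no default for `subnet` this fails at evaluation, and if it defaults to `"internet"` that intent is worth stating explicitly with `subnet = "internet";` on both entries for consistency with the rest of the file. I cannot see the option declaration from this patch, so treat this as a question rather than a confirmed defect.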
From fd3965ddee060739fb5b63b14e48ba4bb8c8588d Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 25 Dec 2024 04:23:57 +0000 Subject: [PATCH 3/9] add option to use systemd credential for wireguard key --- peering.nix | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/peering.nix b/peering.nix index 9c97bd1..817b046 100644 --- a/peering.nix +++ b/peering.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: -with lib; let + inherit (lib) mkIf mkOption mkEnableOption types optionals filterAttrs mapAttrsToList; cfg = config.birdsong.peering; hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName; hosts = config.birdsong.hosts; @@ -31,12 +31,27 @@ in type = types.bool; }; privateKeyFile = mkOption { + default = null; description = '' - Path to the private key for this peer, as generated by `wg genkey`. Must - be readable by the user "systemd-network"; systemd.netdev(5) recommends - it be owned by "root:systemd-network" with a "0640" file mode. + Path to the private key for this peer, as generated by + {command}`wg genkey`. Must be readable by the user "systemd-network"; + systemd.netdev(5) recommends it be owned by "root:systemd-network" with + a "0640" file mode. Set exactly one of this or + {option}`birdsong.peering.privateKeyCredential`. ''; - type = types.path; + type = with types; nullOr str; + }; + privateKeyCred = mkOption { + default = null; + description = '' + Name of a systemd credential containing a private key for this peer, as + generated by {command}`wg genkey`. Set exactly one of this or + {option}`birdsong.peering.privateKeyFile`. + + To load the credential from an encrypted credential file, set + {option}`systemd.services.systemd-networkd.serviceConfig.LoadCredentialEncrypted`. + ''; + type = with types; nullOr str; }; persistentKeepalive = mkOption { default = 0; 
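Review bot: The rewritten `privateKeyFile` description in the second hunk cross-references `{option}`birdsong.peering.privateKeyCredential``, but the option added in the same hunk is named `privateKeyCred`, so at this commit the reference points at an option that does not exist (patch 4/9 later renames it, which is what makes the text consistent). The type change from `types.path` to `nullOr str` deserves a sentence in the description too, since it is a hardening side effect rather than cosmetics: `str` rejects a path literal, which under `types.path` would have been coerced into the world-readable Nix store, so add `The file must live outside the Nix store; pass an absolute path string, not a path literal.` to the description. For `privateKeyCred`, the description should say which unit reads the credential, e.g. `The credential is read by systemd-networkd.service, so it must be loaded into that unit.`, since the `LoadCredentialEncrypted` hint only implies it.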
@@ -60,8 +75,8 @@ in message = "birdsong depends on networkd. systemd.network.enable must be true"; } { - assertion = cfg ? privateKeyFile; - message = "birdsong.peering.privateKeyFile must be set"; + assertion = (cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null); + message = "exactly one of birdsong.peering.privateKeyCred or birdsong.peering.privateKeyFile must be set"; } { assertion = hostName != null; @@ -84,7 +99,8 @@ in Description = "wireguard tunnel to the birdsong network"; }; wireguardConfig = { - PrivateKeyFile = cfg.privateKeyFile; + PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}"; + PrivateKeyFile = mkIf (cfg.privateKeyFile != null) cfg.privateKeyFile; ListenPort = host.port; }; wireguardPeers = From 54c8b67a44ed58f92b6233934387b6e568151336 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 02:53:57 +0000 Subject: [PATCH 4/9] work around systemd unit parameters evaluating through mkIf --- peering.nix | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/peering.nix b/peering.nix index 817b046..b25f215 100644 --- a/peering.nix +++ b/peering.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - inherit (lib) mkIf mkOption mkEnableOption types optionals filterAttrs mapAttrsToList; + inherit (lib) types mkIf mkMerge mkOption mkEnableOption optionals filterAttrs mapAttrsToList; cfg = config.birdsong.peering; hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName; hosts = config.birdsong.hosts; @@ -41,7 +41,7 @@ in ''; type = with types; nullOr str; }; - privateKeyCred = mkOption { + privateKeyCredential = mkOption { default = null; description = '' Name of a systemd credential containing a private key for this peer, as 
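Review bot: Renaming `privateKeyCred` to `privateKeyCredential` in the second hunk of patch 4/9 ships without a `mkRenamedOptionModule` alias, so any host that already set the old name fails evaluation with an undeclared-option error rather than a migration warning. That is acceptable here only because the option landed one commit earlier in the same series and is presumably unreleased, but the commit message should say so; otherwise add `(lib.mkRenamedOptionModule [ "birdsong" "peering" "privateKeyCred" ] [ "birdsong" "peering" "privateKeyCredential" ])` to the module's `imports`. The `imports` list, if one exists, is outside this hunk.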
@@ -75,8 +75,8 @@ in message = "birdsong depends on networkd. systemd.network.enable must be true"; } { - assertion = (cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null); - message = "exactly one of birdsong.peering.privateKeyCred or birdsong.peering.privateKeyFile must be set"; + assertion = (cfg.privateKeyCredential != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCredential == null); + message = "exactly one of birdsong.peering.privateKeyCredential or birdsong.peering.privateKeyFile must be set"; } { assertion = hostName != null; @@ -98,11 +98,19 @@ in Kind = "wireguard"; Description = "wireguard tunnel to the birdsong network"; }; - wireguardConfig = { - PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}"; - PrivateKeyFile = mkIf (cfg.privateKeyFile != null) cfg.privateKeyFile; - ListenPort = host.port; - }; + + wireguardConfig = mkMerge [ + { + ListenPort = host.port; + } + (mkIf (cfg.privateKeyCredential != null) { + PrivateKey = "@${cfg.privateKeyCredential}"; + }) + (mkIf (cfg.privateKeyFile != null) { + PrivateKeyFile = cfg.privateKeyFile; + }) + ]; + wireguardPeers = let canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet); From 4e461f83a84aba32bdf640163375f1e31b699111 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 21 Jan 2025 14:35:05 +0000 Subject: [PATCH 5/9] Add elucredassa --- hosts.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts.nix b/hosts.nix index a18c6e9..d1b803a 100644 --- a/hosts.nix +++ b/hosts.nix 
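Review bot: The exactly-one assertion in the first hunk spells out both disjuncts by hand, which is hard to read and easy to get wrong on the next rename; the same condition is a single boolean inequality, `assertion = (cfg.privateKeyCredential != null) != (cfg.privateKeyFile != null);`. The message line can stay as is. This is a point of style only; the logic of the new line is correct.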
@@ -165,6 +165,15 @@ with lib; wireguardKey = "LXQVU0MFKVO/mml5krHnf6NcL4GxF6XFJmvpmjrLBFA="; }; + elucredassa = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa"; + subnet = "weyrhold"; + endpoint = "192.168.2.2"; + ipv4 = "10.127.3.2"; + ipv6 = "fd70:81ca:0f8f:3::2"; + wireguardKey = "hwgf4efFNOtQwCDMpZI4uyPDjzPzHF056pWgobGaxRY="; + }; + shaw = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw"; subnet = "library"; From 007130e869f1223713d588ba0f125c586ca13623 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 4 Feb 2025 19:51:19 +0000 Subject: [PATCH 6/9] add hosts' SSH keys to known_hosts --- peering.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/peering.nix b/peering.nix index b25f215..8549400 100644 --- a/peering.nix +++ b/peering.nix @@ -132,5 +132,12 @@ in ++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; }; }; + + services.openssh.knownHosts = builtins.mapAttrs + (name: host: { + publicKey = host.hostKey; + hostNames = [ host.ipv4 host.ipv6 ]; + }) + hosts; }; } From cc19ed9a39a1c094372de25ca3aef473f817fcac Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Feb 2025 19:07:51 +0000 Subject: [PATCH 7/9] don't conflict with known_hosts specified elsewhere --- peering.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/peering.nix b/peering.nix index 8549400..97cf12d 100644 --- a/peering.nix +++ b/peering.nix @@ -133,8 +133,8 @@ in }; }; - services.openssh.knownHosts = builtins.mapAttrs - (name: host: { + services.openssh.knownHosts = lib.mapAttrs' + (name: host: lib.nameValuePair ("birdsong_" + name) { publicKey = host.hostKey; hostNames = [ host.ipv4 host.ipv6 ]; }) From a40220a4b977bc04cbe9e13ff5c667ed6f252677 Mon Sep 17 00:00:00 2001 
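Review bot: The `knownHosts` entries added in the second hunk pin each host's key only for its overlay addresses (`host.ipv4`, `host.ipv6`), so an SSH connection to a host's public `endpoint` (for example `reese.internetcat.org`, as declared in `hosts.nix`) is not covered by the pin and falls back to first-use prompting, which is exactly the situation this change is meant to remove. Since not every host declares an `endpoint`, append it conditionally: `hostNames = [ host.ipv4 host.ipv6 ] ++ lib.optional ((host.endpoint or null) != null) host.endpoint;`. Whether the short `name` is also resolvable on this network is not visible here; if it is, it belongs in the list as well.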
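Review bot: The third hunk refers to `lib.mapAttrs'` and `lib.nameValuePair` through the `lib.` prefix, while this file otherwise brings names in with `inherit (lib) …` (the `let` block rewritten in the first hunk of patch 3/9), so the new code is inconsistent with the file's own convention. Add `mapAttrs' nameValuePair` to that inherit list and drop the prefix on both call sites. The same applies to the hunk in patch 8/9, which carries the prefix forward.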
From: Katherina Walshe-Grey Date: Wed, 5 Feb 2025 19:12:03 +0000 Subject: [PATCH 8/9] services.openssh -> programs.ssh --- peering.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peering.nix b/peering.nix index 97cf12d..4fee698 100644 --- a/peering.nix +++ b/peering.nix @@ -133,7 +133,7 @@ in }; }; - services.openssh.knownHosts = lib.mapAttrs' + programs.ssh.knownHosts = lib.mapAttrs' (name: host: lib.nameValuePair ("birdsong_" + name) { publicKey = host.hostKey; hostNames = [ host.ipv4 host.ipv6 ]; From 9955b1ae4eb0cbeff2ae0ed6520e651753880445 Mon Sep 17 00:00:00 2001 From: Janet Cobb Date: Tue, 13 May 2025 17:17:42 +0100 Subject: [PATCH 9/9] add carter --- hosts.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hosts.nix b/hosts.nix index d1b803a..e467c8e 100644 --- a/hosts.nix +++ b/hosts.nix @@ -156,6 +156,14 @@ with lib; wireguardKey = "Tsbw77gIsoa3eBWZpQwZAM6EPpq+7yS33qoFHS4tXlY="; }; + carter = { + hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHHHYG6A995Po05+JXQsvB79ZoIiSOJnW6AiJgVYPic root@carter"; + subnet = "roaming"; + ipv4 = "10.127.2.3"; + ipv6 = "fd70:81ca:0f8f:2::3"; + wireguardKey = "bJVSqLNtcRsZH3fki9sZ8TofgKd8JgRf7z/oHzUjMGk="; + }; + kilgharrah = { hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; subnet = "weyrhold";