diff --git a/hosts/fw.cloonar.com/configuration.nix b/hosts/fw.cloonar.com/configuration.nix index f50dd68..24ceb3d 100644 --- a/hosts/fw.cloonar.com/configuration.nix +++ b/hosts/fw.cloonar.com/configuration.nix @@ -17,6 +17,7 @@ ./modules/unbound.nix ./modules/avahi.nix ./modules/openconnect.nix + ./modules/wireguard.nix ./hardware-configuration.nix ]; diff --git a/hosts/fw.cloonar.com/modules/dhcp4.nix b/hosts/fw.cloonar.com/modules/dhcp4.nix index 311522d..c12e89d 100644 --- a/hosts/fw.cloonar.com/modules/dhcp4.nix +++ b/hosts/fw.cloonar.com/modules/dhcp4.nix @@ -27,6 +27,12 @@ ]; subnet = "10.42.96.0/24"; interface = "lan"; + option-data = [ + { + name = "domain-name"; + value = "cloonar.com"; + } + ]; reservations = [ { hw-address = "98:b6:e9:b6:ef:f4"; @@ -53,6 +59,12 @@ ]; subnet = "10.42.97.0/24"; interface = "server"; + option-data = [ + { + name = "domain-name"; + value = "cloonar.com"; + } + ]; reservations = [ { hw-address = "0a:0e:52:a2:f7:8e"; @@ -74,6 +86,12 @@ ]; subnet = "10.42.99.0/24"; interface = "multimedia"; + option-data = [ + { + name = "domain-name"; + value = "cloonar.multimedia"; + } + ]; } { pools = [ @@ -92,6 +110,12 @@ ]; subnet = "10.42.254.0/24"; interface = "smart"; + option-data = [ + { + name = "domain-name"; + value = "cloonar.smart"; + } + ]; reservations = [ { hw-address = "7a:5a:d6:d0:29:fe"; 
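Review bot: The `option-data` block added in the first dhcp4.nix hunk (subnet 10.42.96.0/24) is repeated verbatim in the hunks at -53, -74 and -92, differing only in the `value` string, so the four copies would be easier to keep in sync as one helper: `let domainName = value: [ { name = "domain-name"; inherit value; } ]; in` at the top of the module, then `option-data = domainName "cloonar.com";` per subnet. The enclosing `settings` attribute set and the module's function header are outside these hunks, so the `let` has to be placed where the file's top-level expression begins. Two of the values, `cloonar.smart` and `cloonar.multimedia`, are not under a domain the host appears to own; that is workable for a local resolver only if unbound serves them as local zones, which this diff does not show, so a comment above each naming where the zone is defined would help the next reader.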
@@ -162,7 +186,45 @@ } ]; dhcp-ddns = { + ip-address = "127.0.0.1"; + port = 53001; enable-updates = true; + forward-ddns = { + ddns-domains = [ + { + name = "cloonar.com."; + key-name = "dhcp1-ns1"; + dns-servers = [ + { ip-address = "127.0.0.1" } + ]; + } + { + name = "cloonar.smart."; + key-name = "dhcp1-ns1"; + dns-servers = [ + { ip-address = "127.0.0.1" } + ]; + } + { + name = "cloonar.multimedia."; + key-name = "dhcp1-ns1"; + dns-servers = [ + { ip-address = "127.0.0.1" } + ]; + } + ]; + }; + reverse-ddns = { + ddns-domains = [ + { + name = "42.10.in-addr.arpa."; + key-name = "dhcp1-ns1"; + dns-servers = [ + { ip-address = "127.0.0.1" } + ]; + } + ]; + }; }; valid-lifetime = 4000; }; diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix index 95313a0..d65d244 100644 --- a/hosts/fw.cloonar.com/modules/unbound.nix +++ b/hosts/fw.cloonar.com/modules/unbound.nix @@ -3,6 +3,7 @@ enable = true; server = { interface = [ "10.42.96.1" "10.42.97.1" "10.42.99.1" "10.42.254.1" ]; + tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem" }; local-data = [ "localhost A 127.0.0.1" @@ -65,7 +66,6 @@ "10.42.97.9 cl-storage-01.cloonar.com" "10.42.97.118 git.cloonar.com" - "10.254.235.22 stage.wsw.at" "10.254.217.23 prod.wsw.at" "10.254.240.109 wohnservice-wien.at" @@ -113,4 +113,10 @@ } ]; }; + + security.acme.certs.fw = { + domain = "fw.cloonar.com"; + user = config.services.unbound.user; + group = config.services.unbound.group; + }; } diff --git a/hosts/fw.cloonar.com/modules/wireguard.nix b/hosts/fw.cloonar.com/modules/wireguard.nix new file mode 100644 index 0000000..2603294 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/wireguard.nix 
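Review bot: `ip-address`, `port`, `forward-ddns` and `reverse-ddns` are parameters of the kea-dhcp-ddns (D2) daemon's own configuration, not of the DHCPv4 server's `dhcp-ddns` block, which only takes `enable-updates`, `server-ip`, `server-port`, `sender-ip`, `sender-port`, `max-queue-size`, `ncr-protocol` and `ncr-format`; Kea validates this block strictly, so the added keys will most likely make the dhcp4 config fail to load. The DHCPv4 side should reduce to `dhcp-ddns = { enable-updates = true; server-ip = "127.0.0.1"; server-port = 53001; };` and the `forward-ddns`/`reverse-ddns` definitions move to `services.kea.dhcp-ddns.settings` in a D2 config together with a `tsig-keys` entry for `dhcp1-ns1`, which is referenced four times here but defined nowhere in the diff. When that `tsig-keys` entry is written, its `secret` should be loaded from a sops-managed file rather than written into the Nix expression, since everything in `settings` ends up world-readable in the store. All update targets are `127.0.0.1`; unbound, the resolver configured on this host, does not accept RFC 2136 dynamic updates, so this only works if an authoritative server listening on loopback exists elsewhere in the configuration. The enclosing `settings` set starts outside this hunk.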
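Review bot: The added `tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem"` line in the unbound.nix hunk at -3 has no trailing `;`, and Nix requires one after every binding, so this hunk breaks evaluation of the module. Beyond the syntax, `tls-cert-bundle` is the CA bundle unbound uses to verify upstream servers when forwarding over TLS; pointing it at this host's own leaf certificate chain means any TLS upstream would be validated only against that chain. If the intent is for unbound to serve DNS-over-TLS to the LAN (which the ACME certificate owned by the unbound user later in this diff suggests), the options are `tls-service-pem = "${config.security.acme.certs.fw.directory}/fullchain.pem";` and `tls-service-key = "${config.security.acme.certs.fw.directory}/key.pem";`, plus `interface` entries with an `@853` suffix for the listeners. Using the `directory` option rather than a hard-coded path keeps the reference correct whatever the certificate attribute is named.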
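Review bot: `security.acme.certs.fw` places its files in `/var/lib/acme/fw` (the `directory` option defaults to `/var/lib/acme/<name>`, keyed by the attribute name, not the `domain`), while the unbound server hunk earlier in this file references `/var/lib/acme/fw.cloonar.com/fullchain.pem`, so one of the two must change; naming the certificate `security.acme.certs."fw.cloonar.com"` is the smallest fix. Renewals also need `reloadServices = [ "unbound.service" ];` in this block, otherwise unbound keeps serving the expired certificate until its next restart. I cannot see `security.acme.acceptTerms`, `security.acme.defaults.email` or a challenge method in the diff; if they are not set in another module the certificate will not be issued. The enclosing module attribute set begins outside this hunk; only its closing `}` is context here.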
@@ -0,0 +1,22 @@
+{ ... }: {
+ sops.secrets.wg0_key = {};
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.42.98.1/24" ];
+ listenPort = 51820;
+ # publicKey: TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=
+ privateKeyFile = config.sops.secrets.wg0_key.path;
+ peers = [
+ { # Notebook
+ publicKey = "YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=";
+ allowedIPs = [ "10.42.98.201/32" ];
+ }
+ { # iPhone
+ publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0=";
+ allowedIPs = [ "10.42.98.202/32" ];
+ }
+ ];
+ };
+ };
+}
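Review bot: The module header `{ ... }: {` does not bind `config`, yet `privateKeyFile = config.sops.secrets.wg0_key.path;` reads it, so evaluating this new file fails with an undefined-variable error; the header should be `{ config, ... }: {`. Keeping the private key in a sops secret and only referencing its path is the right shape, and recording the server's public key in the comment is useful for peer setup. `listenPort = 51820;` is not opened anywhere in this file; if the host's own firewall rules do not already allow it, add `networking.firewall.allowedUDPPorts = [ 51820 ];` here so the interface declaration and its exposure live together. The whole file is inside this hunk.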