feat: add initial DEI config

rafaelsgirao · Jun 3, 2024 · 01275aa · 01275aa
1 parent bd8b8a0
commit 01275aa
Show file tree

Hide file tree

Showing 7 changed files with 162 additions and 6 deletions.
diff --git a/hosts/scout/machine.nix b/hosts/scout/machine.nix
@@ -21,6 +21,7 @@
     #    ../../modules/libvirt.nix
     ../../modules/impermanence.nix
     ../../modules/docker.nix
+    ../../modules/dei.nix
   ];
 
   services.zfs.expandOnBoot = "all";

diff --git a/modules/core/nix.nix b/modules/core/nix.nix
@@ -115,7 +115,7 @@
 
   '';
 
-  nix.buildMachines = lib.mkIf (!config.rg.isBuilder && config.rg.class == "workstation") [
+  nix.buildMachines = lib.mkIf (false && !config.rg.isBuilder && config.rg.class == "workstation") [
     # {
     # sshUser = "rg";
     # sshKey = "/home/rg/.ssh/id_ed25519";

diff --git a/modules/dei.nix b/modules/dei.nix
@@ -0,0 +1,150 @@
+{ config
+, lib
+, hostSecretsDir
+, ...
+}:
+
+let
+  RNLCert = builtins.fetchurl {
+    url = "https://rnl.tecnico.ulisboa.pt/ca/cacert/cacert.pem";
+    sha256 = "1jiqx6s86hlmpp8k2172ki6b2ayhr1hyr5g2d5vzs41rnva8bl63";
+  };
+in
+{
+
+  security.pki.certificateFiles = [ "${RNLCert}" ];
+  age.secrets = {
+    RNLDEI-wg = {
+      file = "${hostSecretsDir}/RNLDEI-wireguard.age";
+      owner = "root";
+      group = "systemd-network";
+      mode = "0640";
+    };
+  };
+  networking.networkmanager.unmanaged = [ "rnl0" ];
+  networking.firewall.checkReversePath = "loose";
+  systemd.network =
+    let
+      wgrnlFwmark = 765;
+    in
+    {
+      enable = true;
+
+      config.routeTables.rnl = 765;
+
+      netdevs."10-wgrnl" = {
+        enable = true;
+        netdevConfig = {
+          Kind = "wireguard";
+          MTUBytes = "1300";
+          Name = "rnl0";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.age.secrets.RNLDEI-wg.path;
+          FirewallMark = wgrnlFwmark;
+          RouteTable = "rnl";
+        };
+        wireguardPeers = [
+          {
+            wireguardPeerConfig = {
+              PublicKey = "g08PXxMmzC6HA+Jxd+hJU0zJdI6BaQJZMgUrv2FdLBY=";
+              Endpoint = "193.136.164.211:34266";
+              AllowedIPs = [
+                # public RNL-operated ranges
+                "193.136.164.0/24"
+                "193.136.154.0/24"
+                "2001:690:2100:80::/58"
+
+                # public 3rd-party ranges
+                "193.136.128.24/29" # DSI-RNL peering
+                "146.193.33.81/32" # INESC watergate
+
+                # private RNL-operated ranges
+                "10.16.64.0/18"
+                "192.168.154.0/24" # Labs AMT
+                "192.168.20.0/24" # wgrnl VPN
+                "fd92:3315:9e43:c490::/64" # wgrnl VPN
+
+                # multicast
+                "224.0.0.0/24"
+                "ff02::/16"
+                "239.255.255.250/32"
+                "239.255.255.253/32"
+                "fe80::/10"
+              ];
+              PersistentKeepalive = 25;
+            };
+          }
+        ];
+      };
+      networks."45-rnl" = {
+        name = "rnl0";
+
+        addresses = [
+          { addressConfig.Address = "192.168.20.75/24"; }
+          {
+            addressConfig.Address = "fd92:3315:9e43:c490::75/64";
+            #addressConfig.DuplicateAddressDetection = "none";
+          }
+        ];
+
+        networkConfig = {
+          LinkLocalAddressing = "no";
+          IPv6AcceptRA = false;
+          #MulticastDNS = true;
+        };
+
+        linkConfig = {
+          Multicast = true;
+          #AllMulticast = true;
+        };
+
+        routingPolicyRules = [
+          {
+            routingPolicyRuleConfig = {
+              InvertRule = true;
+              FirewallMark = wgrnlFwmark;
+              Table = "rnl";
+            };
+          }
+        ];
+
+        ntp = [ "ntp.rnl.tecnico.ulisboa.pt" ];
+
+        dns = [
+          "2001:690:2100:80::1"
+          "193.136.164.2"
+          "2001:690:2100:80::2"
+          "193.136.164.1"
+        ];
+        domains =
+          [
+            # Main domain, with dns search
+            "rnl.tecnico.ulisboa.pt"
+
+            # alt domains
+            # "~rnl.ist.utl.pt"
+            # "~rnl.pt"
+
+            # public ranges (DSI-assigned)
+            "~164.136.193.in-addr.arpa"
+            "~154.136.193.in-addr.arpa"
+            "~8.0.0.0.0.1.2.0.9.6.0.1.0.0.2.ip6.arpa"
+
+            # private ranges (wgrnl VPN)
+            "~20.168.192.in-addr.arpa"
+            "~0.9.4.c.3.4.e.9.5.1.3.3.2.9.d.f.ip6.arpa"
+
+            # private range (Labs AMT)
+            "~154.168.192.in-addr.arpa"
+          ]
+          ++ (
+            # private ranges (DSI-assigned)
+            builtins.map
+              (octet: "~" + (builtins.toString octet) + ".16.10.in-addr.arpa")
+              (lib.range 64 127)
+          );
+      };
+    };
+
+}
diff --git a/modules/hardware/networking.nix b/modules/hardware/networking.nix
@@ -6,17 +6,15 @@ in
 
   networking.networkmanager = lib.mkIf isWorkstation {
     enable = true;
-    unmanaged = [ "nebula0" ];
+    unmanaged = [ "nebula0" "rnl0" "docker0" ];
     # dhcpcd doesn't start properly with malloc
     # see https://github.com/NixOS/nixpkgs/issues/151696
     dhcp = "internal";
     dns = "systemd-resolved"; #this is done upstream.
     connectionConfig = {
       mdns = 2;
     };
-    settings = {
-      "global-dns-domain-*".servers = "192.168.10.9 1.1.1.1";
-    };
+    insertNameservers = [ "192.168.10.9" "1.1.1.1" ];
   };
 
   networking.nameservers = lib.mkIf isWorkstation [ "192.168.10.9" ];

diff --git a/modules/workstation/default.nix b/modules/workstation/default.nix
@@ -455,6 +455,5 @@ in
     libnotify
     nodePackages.prettier
     typst-lsp #for VSCode and such
-    yubioath-flutter
   ];
 }
diff --git a/secrets/scout/RNLDEI-wireguard.age b/secrets/scout/RNLDEI-wireguard.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 SeKWOg tNx8P/a7NbwFsxsOSsulKhL31nZ4H7dHWXaCpB8kwk4
+PXHvXbeR9yXrF4sIAwvnWA1te+/mQEx97sYqt7e94Uo
+-> ssh-ed25519 iCe9kg SHEgw+/Z3vrMm0jF6QugApKojcxwzy550nMGeGFOn0U
+ntF5Spq6nubJujpqcjSCkWAE//+SCP9nAln/3wKGsE8
+--- pxKUl3F6qQh027pLSwVqg/t5dD+M327W/zSHjF4ambo
+�%Q���Uƪ~����Sȡ���0�C^�O���~$U։�I��,*�p��˵odh���J{_ֽ���\��

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -32,6 +32,7 @@ in
   "scout/RGNet-key.age".publicKeys = [ scout ] ++ users;
   "scout/RGNet-cert.age".publicKeys = [ scout ] ++ users;
   "scout/unFTP-creds.age".publicKeys = [ scout ] ++ users;
+  "scout/RNLDEI-wireguard.age".publicKeys = [ scout ] ++ users;
 
   #Spy secrets
   "spy/ENV-attic.age".publicKeys = [ spy ] ++ users;