| author | lassulus <lassulus@lassul.us> | 2018-12-16 16:11:02 +0100 | 
|---|---|---|
| committer | lassulus <lassulus@lassul.us> | 2018-12-16 16:11:02 +0100 | 
| commit | 24330950fe2bd31056e3ae1d58c1965c8a736f1f (patch) | |
| tree | 7f4a8aeb6ebcf326f896abb0824fcdf62b6bbd84 | |
| parent | 9e464d988859395466543d62f94b71229791628d (diff) | |
wirelum -> wiregrill
| -rw-r--r-- | krebs/3modules/lass/default.nix | 18 | ||||
| -rw-r--r-- | lass/1systems/prism/config.nix | 6 | ||||
| -rw-r--r-- | lass/2configs/blue.nix | 4 | ||||
| -rw-r--r-- | lass/2configs/default.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/wiregrill.nix | 44 | ||||
| -rw-r--r-- | lass/2configs/wirelum.nix | 44 | ||||
| -rw-r--r-- | lass/5pkgs/l-gen-secrets/default.nix | 8 | ||||
| -rw-r--r-- | lib/krebs/genipv6.nix | 4 | 
8 files changed, 65 insertions, 65 deletions
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 1eac198fa..1117dc61c 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -8,7 +8,7 @@ with import <stockholm/lib>;
   };
   r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address;
-  w6 = ip: (krebs.genipv6 "wirelum" "lass" ip).address;
+  w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;
 in {
   dns.providers = {
@@ -89,7 +89,7 @@ in {
             -----END RSA PUBLIC KEY-----
           '';
         };
-        wirelum = {
+        wiregrill = {
           via = internet;
           ip4.addr = "10.244.1.1";
           ip6.addr = w6 "1";
@@ -191,7 +191,7 @@ in {
             -----END RSA PUBLIC KEY-----
           '';
         };
-        wirelum = {
+        wiregrill = {
           ip6.addr = w6 "dea7";
           aliases = [
             "mors.w"
@@ -224,7 +224,7 @@ in {
             -----END RSA PUBLIC KEY-----
           '';
         };
-        wirelum = {
+        wiregrill = {
           ip6.addr = w6 "50da";
           aliases = [
             "shodan.w"
@@ -257,7 +257,7 @@ in {
             -----END RSA PUBLIC KEY-----
           '';
         };
-        wirelum = {
+        wiregrill = {
           ip6.addr = w6 "1205";
           aliases = [
             "icarus.w"
@@ -419,7 +419,7 @@ in {
             -----END PUBLIC KEY-----
           '';
         };
-        wirelum = {
+        wiregrill = {
           ip6.addr = w6 "3110";
           aliases = [
             "yellow.w"
@@ -456,7 +456,7 @@ in {
             -----END PUBLIC KEY-----
           '';
         };
-        wirelum = {
+        wiregrill = {
           ip6.addr = w6 "b1ce";
           aliases = [
             "blue.w"
@@ -469,7 +469,7 @@ in {
     };
     phone = {
       nets = {
-        wirelum = {
+        wiregrill = {
           ip4.addr = "10.244.1.2";
           ip6.addr = w6 "a";
           aliases = [
@@ -506,7 +506,7 @@ in {
             -----END RSA PUBLIC KEY-----
           '';
         };
-        wirelum = {
+        wiregrill = {
           ip6.addr = w6 "012f";
           aliases = [
             "morpheus.w"
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 962a77cc2..6c454b4ac 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -298,15 +298,15 @@ with import <stockholm/lib>;
     }
     {
       imports = [
-        <stockholm/lass/2configs/wirelum.nix>
+        <stockholm/lass/2configs/wiregrill.nix>
       ];
       krebs.iptables.tables.nat.PREROUTING.rules = [
         { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
         { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
       ];
       krebs.iptables.tables.filter.FORWARD.rules = [
-        { precedence = 1000; predicate = "-i wirelum -o retiolum"; target = "ACCEPT"; }
-        { precedence = 1000; predicate = "-i retiolum -o wirelum"; target = "ACCEPT"; }
+        { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
+        { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
       ];
       krebs.iptables.tables.nat.POSTROUTING.rules = [
         { v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::48"; target = "MASQUERADE"; }
diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix
index 6dc2b1213..cdd77e847 100644
--- a/lass/2configs/blue.nix
+++ b/lass/2configs/blue.nix
@@ -22,9 +22,9 @@ with (import <stockholm/lib>);
   krebs.iptables.tables.filter.INPUT.rules = [
     { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
-    { predicate = "-i wirelum -p udp --dport 60000:61000"; target = "ACCEPT";}
+    { predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";}
     { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";}
-    { predicate = "-i wirelum -p tcp --dport 9999"; target = "ACCEPT";}
+    { predicate = "-i wiregrill -p tcp --dport 9999"; target = "ACCEPT";}
   ];
   systemd.services.chat = let
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index dea32d4d4..62a42baf9 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -10,7 +10,7 @@ with import <stockholm/lib>;
     ./zsh.nix
     ./htop.nix
     ./security-workarounds.nix
-    ./wirelum.nix
+    ./wiregrill.nix
     {
       users.extraUsers =
         mapAttrs (_: h: { hashedPassword = h; })
diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix
new file mode 100644
index 000000000..b2ee35df3
--- /dev/null
+++ b/lass/2configs/wiregrill.nix
@@ -0,0 +1,44 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+  self = config.krebs.build.host.nets.wiregrill;
+  isRouter = !isNull self.via;
+
+in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
+  #hack for modprobe inside containers
+  systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
+    (pkgs.writeDashBin "modprobe" ":")
+  ]);
+
+  boot.kernel.sysctl = mkIf isRouter {
+    "net.ipv6.conf.all.forwarding" = 1;
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+     { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
+  ];
+  krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
+    { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
+  ];
+
+  networking.wireguard.interfaces.wiregrill = {
+    ips =
+      (optional (!isNull self.ip4) self.ip4.addr) ++
+      (optional (!isNull self.ip6) self.ip6.addr);
+    listenPort = 51820;
+    privateKeyFile = (toString <secrets>) + "/wiregrill.key";
+    allowedIPsAsRoutes = true;
+    peers = mapAttrsToList
+      (_: host: {
+        allowedIPs = if isRouter then
+          (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
+          (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
+        else
+          host.nets.wiregrill.wireguard.subnets
+        ;
+        endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
+        persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
+        publicKey = host.nets.wiregrill.wireguard.pubkey;
+      })
+      (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
+  };
+}
diff --git a/lass/2configs/wirelum.nix b/lass/2configs/wirelum.nix
deleted file mode 100644
index cd8a20c6b..000000000
--- a/lass/2configs/wirelum.nix
+++ /dev/null
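Review bot: `listenPort = 51820;` is hard-coded while the INPUT rule above opens `--dport ${toString self.wireguard.port}` and the peer entries use `host.nets.wiregrill.wireguard.port` as the endpoint port, so a host whose declared wireguard.port is not 51820 would listen on a port its own firewall does not accept and would be dialled by peers on a port it is not listening on. Taking the port from the one declared value, `listenPort = self.wireguard.port;`, keeps the three places consistent. The rename also moves `privateKeyFile` to `<secrets>/wiregrill.key`; presumably hosts that already carry `wirelum.key` in their secret store need that file renamed before the next deploy, otherwise the wireguard-wiregrill unit cannot start, which is worth a sentence in the commit message or a short comment next to `privateKeyFile`.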
@@ -1,44 +0,0 @@
-with import <stockholm/lib>;
-{ config, pkgs, ... }: let
-
-  self = config.krebs.build.host.nets.wirelum;
-  isRouter = !isNull self.via;
-
-in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) {
-  #hack for modprobe inside containers
-  systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [
-    (pkgs.writeDashBin "modprobe" ":")
-  ]);
-
-  boot.kernel.sysctl = mkIf isRouter {
-    "net.ipv6.conf.all.forwarding" = 1;
-  };
-  krebs.iptables.tables.filter.INPUT.rules = [
-     { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
-  ];
-  krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
-    { precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; }
-  ];
-
-  networking.wireguard.interfaces.wirelum = {
-    ips =
-      (optional (!isNull self.ip4) self.ip4.addr) ++
-      (optional (!isNull self.ip6) self.ip6.addr);
-    listenPort = 51820;
-    privateKeyFile = (toString <secrets>) + "/wirelum.key";
-    allowedIPsAsRoutes = true;
-    peers = mapAttrsToList
-      (_: host: {
-        allowedIPs = if isRouter then
-          (optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++
-          (optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr)
-        else
-          host.nets.wirelum.wireguard.subnets
-        ;
-        endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}");
-        persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61;
-        publicKey = host.nets.wirelum.wireguard.pubkey;
-      })
-      (filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts);
-  };
-}
diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix
index 5997dca09..85b050644 100644
--- a/lass/5pkgs/l-gen-secrets/default.nix
+++ b/lass/5pkgs/l-gen-secrets/default.nix
@@ -8,8 +8,8 @@ pkgs.writeDashBin "l-gen-secrets" ''
   ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
   ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null
   ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
-  ${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wirelum.key
-  ${pkgs.coreutils}/bin/cat $TMPDIR/wirelum.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wirelum.pub
+  ${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wiregrill.key
+  ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wiregrill.pub
   cat <<EOF > $TMPDIR/hashedPasswords.nix
   {
     root = "$HASHED_PASSWORD";
@@ -37,13 +37,13 @@ pkgs.writeDashBin "l-gen-secrets" ''
   $(cat $TMPDIR/retiolum.rsa_key.pub)
           ${"''"};
         };
-        wirelum = {
+        wiregrill = {
           ip6.addr = (wip6 "changeme").address;
           aliases = [
             "$HOSTNAME.w"
           ];
           wireguard.pubkey = ${"''"}
-  $(cat $TMPDIR/wirelum.pub)
+  $(cat $TMPDIR/wiregrill.pub)
           ${"''"};
         };
       };
diff --git a/lib/krebs/genipv6.nix b/lib/krebs/genipv6.nix
index 1d3f398ec..22a23fcef 100644
--- a/lib/krebs/genipv6.nix
+++ b/lib/krebs/genipv6.nix
@@ -16,12 +16,12 @@ let {
       normalize-ip6-addr (appendZeros addressLength netPrefix);
     netHash = toString {
       retiolum = 0;
-      wirelum = 1;
+      wiregrill = 1;
     }.${netname};
     netPrefix = "42:${netHash}";
     netPrefixLength = {
       retiolum = 32;
-      wirelum = 32;
+      wiregrill = 32;
     }.${netname};
     inherit subnetname;
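Review bot: The rewritten pubkey line still pipes `cat` into `wg pubkey`; `${pkgs.wireguard}/bin/wg pubkey < $TMPDIR/wiregrill.key > $TMPDIR/wiregrill.pub` reads the file directly and drops the extra process. The WireGuard private key is written by a plain shell redirection, so its mode depends on the umask in effect and on how `$TMPDIR` was created above the hunk (the script's start is outside it); unless that directory comes from `mktemp -d` or a `umask 077` is already set, adding `umask 077` before the genkey line would keep this key and the RSA private key generated a few lines earlier from being group- or world-readable. The `$TMPDIR` expansions are unquoted throughout, which matches the existing lines and only matters if the script ever accepts a caller-supplied TMPDIR.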
