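{
  nixosConfigurations,
  machines,
  machineConfig,
  config,
  lib,
  ...
}:
# NixOS profile that attaches this host to the dn42 overlay via a WireGuard
# netdev managed by systemd-networkd.
#
# The host plays one of two roles, selected by
# `config.zpha.configure.dn42Router.enable`:
#   * router: peers with every other nixosConfiguration that has this profile
#     enabled plus a fixed set of personal devices; adds no routes or DNS
#     settings of its own;
#   * leaf:   peers only with the `sorrah` machine and sends fd00::/8 traffic
#     and dn42 DNS lookups through the tunnel.
let
  inherit (lib) types;
  cfg = config.zpha.profiles.dn42;

  # Single role switch shared by the peer list and the .network config.
  isRouter = config.zpha.configure.dn42Router.enable;

  # Host name under the zaphyra.dn42 zone; used for the DNS record, the ACME
  # certificate and the nginx vhost so the three cannot drift apart.
  fqdn = "${config.networking.hostName}.zaphyra.dn42";

  # Every other NixOS host in the fleet with this profile enabled becomes a
  # peer. AllowedIPs is that host's own `addresses`, so WireGuard's cryptokey
  # routing only accepts packets from a peer for the prefixes it declared.
  fleetPeers = lib.pipe nixosConfigurations [
    (lib.filterAttrs (name: _: name != config.networking.hostName))
    (lib.filterAttrs (_: value: value.config.zpha.profiles.dn42.enable))
    (lib.mapAttrsToList (
      _: value: {
        PublicKey = value.config.zpha.profiles.dn42.wgPublicKey;
        AllowedIPs = value.config.zpha.profiles.dn42.addresses;
        PersistentKeepalive = 10;
      }
    ))
  ];

  # Personal devices that are not NixOS configurations. Each is pinned to a
  # single /128, so a device key can only ever source its own address.
  devicePeers = [
    {
      # zaphyraThinkPad
      PublicKey = "7drlp9TmHgSgqSR1PynfAzf8BIH4LWVuFDtPqGs88EY=";
      AllowedIPs = [ "fd6b:6174:6a61::20/128" ];
      PersistentKeepalive = 10;
    }
    {
      # zaphyraApplePhone
      PublicKey = "3rp8iD+Nk9DsyM/JCvrV7bBnEzioG30SDqOQhNWwsVs=";
      AllowedIPs = [ "fd6b:6174:6a61::21/128" ];
      PersistentKeepalive = 10;
    }
    {
      # zaphyraPixel
      PublicKey = "ski1Uya2PSCZsrBblcgoM9WL5h+1KAd61uZD2sfRDjE=";
      AllowedIPs = [ "fd6b:6174:6a61::22/128" ];
      PersistentKeepalive = 10;
    }
    {
      # zaphyraFramework
      PublicKey = "YdseqpjpKGV7JWWDEJOAtqB3tzk7vI/gPFiqmCyeVTM=";
      AllowedIPs = [ "fd6b:6174:6a61::23/128" ];
      PersistentKeepalive = 10;
    }
  ];

  # A leaf host has exactly one peer, the sorrah router, and accepts the whole
  # ULA range from it. The endpoint is sorrah's public IPv6 address on the
  # same port this host listens on.
  leafPeers = [
    {
      PublicKey = machines.sorrah.networking.dn42.wgPublicKey;
      Endpoint = "[${machines.sorrah.networking.ip6Address}]:1718";
      AllowedIPs = [ "fd00::/8" ];
      PersistentKeepalive = 10;
    }
  ];
in
{
  options.zpha.profiles.dn42 = {
    enable = lib.mkEnableOption "the dn42 WireGuard overlay profile";

    addresses = lib.mkOption {
      type = types.listOf types.str;
      default = [
        "${machineConfig.networking.dn42.ip6Address}/${toString machineConfig.networking.dn42.ip6PrefixLength}"
      ];
      description = ''
        Addresses (with prefix length) assigned to the dn42 interface. The first
        entry is also published as this host's AAAA record and is what router
        peers accept from this host in their AllowedIPs.
      '';
    };

    wgPrivateKey = lib.mkOption {
      type = types.path;
      default = config.sops.secrets."wgPrivateKey".path;
      description = ''
        Path to the WireGuard private key file handed to systemd-networkd as
        PrivateKeyFile. The file is read by networkd, not by root; make sure the
        sops secret is readable by the systemd-network user (owner/group or
        mode) or the netdev will fail to come up.
      '';
    };

    wgPublicKey = lib.mkOption {
      type = types.str;
      default = machineConfig.wgPublicKey;
      description = "WireGuard public key that other fleet hosts use as this host's peer key.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Publish the first configured address as this host's AAAA record.
    dns.zones."zaphyra.dn42".subdomains."${config.networking.hostName}".AAAA = [
      ((lib.network.ipv6.fromString (lib.elemAt cfg.addresses 0)).address)
    ];

    # Certificate for the host's dn42 name from the dn42-internal ACME CA.
    # dnsProvider = null means the HTTP-01 challenge is served via nginx.
    security.acme.certs."${fqdn}" = {
      server = "https://acme.burble.dn42/v1/dn42/acme/directory";
      validMinDays = 20;
      keyType = "ec384";
      dnsProvider = null;
    };

    services.nginx.virtualHosts."${fqdn}" = {
      enableACME = true;
      forceSSL = true;
      kTLS = true;
    };

    services.resolved = {
      enable = true;
      # Used by resolved only when no link-specific DNS servers are configured.
      # These are public resolvers reached in plaintext, outside the overlay.
      fallbackDns = [
        "8.8.8.8"
        "2001:4860:4860::8844"
      ];
    };

    systemd.network = {
      netdevs."20-dn42" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "dn42";
          # IPv6 minimum MTU; avoids fragmentation inside the tunnel.
          MTUBytes = 1280;
        };
        wireguardConfig = {
          PrivateKeyFile = cfg.wgPrivateKey;
          ListenPort = 1718;
          # Mark on the encapsulated packets; typically paired with a policy
          # routing rule so tunnel traffic is never routed back into the
          # tunnel. No such rule is defined in this file.
          FirewallMark = 1718;
        };
        wireguardPeers = if isRouter then fleetPeers ++ devicePeers else leafPeers;
      };

      networks."20-dn42" =
        {
          matchConfig.Name = "dn42";
          linkConfig.RequiredForOnline = false;
          address = cfg.addresses;
        }
        # Leaf hosts route the ULA range and dn42 DNS through the tunnel; the
        # router gets neither (its routing and DNS come from elsewhere).
        // lib.optionalAttrs (!isRouter) {
          routes = [ { Destination = "fd00::/8"; } ];
          networkConfig = {
            # Keep dn42 lookups on the dn42 resolver without making it the
            # default resolver for everything else.
            DNSDefaultRoute = false;
            DNS = [ "fd6b:6174:6a61::1" ];
            Domains = [
              "~dn42"
              "d.f.ip6.arpa"
            ];
          };
        };
    };

    # dn42 root CA. This is added to the system-wide trust store, so every TLS
    # client on the host will accept any certificate this CA issues, not only
    # dn42 names. Scope it per application if that is not intended.
    security.pki.certificates = lib.singleton ''
      -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
    '';
  };
}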