diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix
index ca5bcb6..a6c2f48 100644
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@@ -9,6 +9,10 @@ in {
 wireguard.proxy-sentinel = {
 client.via = "sentinel";
 firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
+ };
+
+ wireguard.proxy-home = {
+ client.via = "ward";
 firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
 };
 
@@ -82,7 +86,7 @@ in {
 nodes.ward-web-proxy = {
 services.nginx = {
 upstreams.grafana = {
- servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
+ servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
 extraConfig = ''
 zone grafana 64k;
 keepalive 2;
diff --git a/hosts/sire/guests/minecraft.nix b/hosts/sire/guests/minecraft.nix
index e4203d9..0b0eafb 100644
--- a/hosts/sire/guests/minecraft.nix
+++ b/hosts/sire/guests/minecraft.nix
@@ -360,8 +360,9 @@ in {
 ];
 
 nodes.sentinel = {
- # Make sure to masquerade 25565 (wan) -> 25565 (proxy-sentinel)
- # Make sure to masquerade 25566 (wan) -> 25566 (proxy-sentinel)
+ # Rewrite destination addr with dnat on incoming connections
+ # and masquerade responses to make them look like they originate from this host.
+ # - 25565,25566 (wan) -> 25565,25566 (proxy-sentinel)
 networking.nftables.chains = {
 postrouting.to-minecraft = {
 after = ["hook"];
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index 6664b4b..a3ce9fe 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
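Review bot: The new `wireguard.proxy-home = {` block in the first grafana.nix hunk carries no comment explaining why grafana now joins a second tunnel, even though the same hunk moves `firewallRuleForNode.ward-web-proxy` out of `proxy-sentinel` and the second hunk repoints ward-web-proxy's nginx upstream at `config.wireguard.proxy-home.ipv4`. The apparent intent is that LAN-side requests from ward-web-proxy reach grafana directly over proxy-home instead of via sentinel, but that is inferred from the hunks rather than stated. A comment above the block such as `# Second tunnel: ward-web-proxy reaches grafana from the LAN over proxy-home; only that node may open http_port` would record it, and would make explicit that the same HTTP port is now reachable through two tunnels, each limited to a single peer node by its `firewallRuleForNode` rule. The enclosing attribute set starts and ends outside the hunk.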
@@ -84,11 +84,11 @@ in {
 # Use the local mirror-proxy for some services (not necessary, just for speed)
 {
 domain = nodes.sentinel.config.networking.providedDomains.grafana;
- answer = "192.168.1.1";
+ answer = "192.168.1.4"; # web-proxy
 }
 {
 domain = nodes.sentinel.config.networking.providedDomains.immich;
- answer = "192.168.1.1";
+ answer = "192.168.1.4"; # web-proxy
 }
 ];
 filters = [
diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix
index 61a1692..b9b8e9a 100644
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@@ -29,7 +29,9 @@ in {
 nodes.sentinel = {
 networking.providedDomains.forgejo = forgejoDomain;
 
- # Make sure to masquerade 9922 (wan) -> 22 (proxy-sentinel)
+ # Rewrite destination addr with dnat on incoming connections
+ # and masquerade responses to make them look like they originate from this host.
+ # - 9922 (wan) -> 22 (proxy-sentinel)
 networking.nftables.chains = {
 postrouting.to-forgejo = {
 after = ["hook"];
diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix
index 1918410..1677f37 100644
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@@ -1,6 +1,8 @@
 {config, ...}: let
 inherit (config.repo.secrets.local) acme;
 in {
+ wireguard.proxy-home.client.via = "ward";
+
 age.secrets.acme-cloudflare-dns-token = {
 rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age";
 mode = "440";
@@ -27,10 +29,6 @@ in {
 inherit (acme) certs wildcardDomains;
 };
 
- #nodes.sentinel = {
- # # port forward 80,443 (ward) to 80,443 (web-proxy)
- #};
-
 users.groups.acme.members = ["nginx"];
 services.nginx.enable = true;
 services.nginx.recommendedSetup = true;
diff --git a/hosts/ward/kea.nix b/hosts/ward/kea.nix
index 80bc3d9..9af4426 100644
--- a/hosts/ward/kea.nix
+++ b/hosts/ward/kea.nix
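Review bot: `answer = "192.168.1.4"` in the adguardhome.nix hunk is a bare literal that duplicates the address kea.nix reserves for ward-web-proxy as `webProxyIp = net.cidr.host 4 lanCidrv4` in this same commit; if either side is edited later, the grafana and immich rewrites silently send LAN clients to whichever host then holds .4, with no evaluation-time error to catch it. Prefer referencing one shared definition rather than the `# web-proxy` comment, or at least state the coupling: `answer = "192.168.1.4"; # web-proxy — must match webProxyIp / the DHCP reservation in kea.nix`. These rewrites also rely on ward-web-proxy presenting valid certificates for those domains; the `inherit (acme) certs wildcardDomains` context in the web-proxy.nix hunk suggests it does, but that is outside this hunk. The list these entries belong to starts before the hunk.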
@@ -7,6 +7,7 @@
 inherit (lib) net;
 lanCidrv4 = "192.168.1.0/24";
 dnsIp = net.cidr.host 3 lanCidrv4;
+ webProxyIp = net.cidr.host 4 lanCidrv4;
 in {
 # TODO make meta.kea module?
 # TODO reserve by default using assignIps algo?
@@ -49,6 +50,10 @@ in {
 hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
 ip-address = dnsIp;
 }
+ {
+ hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
+ ip-address = webProxyIp;
+ }
 {
 hw-address = nodes.sire-samba.config.lib.microvm.mac;
 ip-address = net.cidr.host 10 lanCidrv4;
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 259a854..03b1134 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -111,6 +111,20 @@ in {
 verdict = "accept";
 };
 
+ lan-to-local = {
+ from = ["lan"];
+ to = ["local"];
+
+ allowedUDPPorts = [config.wireguard.proxy-home.server.port];
+ };
+
+ # Forward traffic between participants
+ forward-proxy-home-vpn-traffic = {
+ from = ["proxy-home"];
+ to = ["proxy-home"];
+ verdict = "accept";
+ };
+
 #masquerade-vpn = {
 # from = ["wg-home"];
 # to = ["lan"];
@@ -135,4 +149,11 @@ in {
 # reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"];
 # openFirewall = true;
 #};
+
+ wireguard.proxy-home.server = {
+ host = "192.168.1.1";
+ port = 51444;
+ reservedAddresses = ["10.44.0.0/24" "fd00:44::/120"];
+ openFirewall = false; # Explicitly opened only for lan
+ };
 }
diff --git a/secrets/rekeyed/sire-grafana/0a8882c335fc3dea59c133350e4debb0-wireguard-proxy-home-psks-sire-grafana+ward.age b/secrets/rekeyed/sire-grafana/0a8882c335fc3dea59c133350e4debb0-wireguard-proxy-home-psks-sire-grafana+ward.age
new file mode 100644
index 0000000..d676aaa
--- /dev/null
+++ b/secrets/rekeyed/sire-grafana/0a8882c335fc3dea59c133350e4debb0-wireguard-proxy-home-psks-sire-grafana+ward.age
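Review bot: `forward-proxy-home-vpn-traffic` in the net.nix hunk accepts all forwarded traffic between any two `proxy-home` members with no port restriction, so the hub (ward) itself does not limit what ward-web-proxy and sire-grafana can reach on each other; the only narrowing visible in this commit is per-guest (`firewallRuleForNode.ward-web-proxy.allowedTCPPorts` in grafana.nix). That is a workable hub design, but it should be written down so that a peer added to proxy-home later is not assumed to be isolated by ward's zone rules. Replace the bare `# Forward traffic between participants` with `# Forward all traffic between proxy-home peers; per-port restriction is each peer's own firewallRuleForNode rule, not this hub`. Separately, `host = "192.168.1.1"` is another bare copy of what appears to be ward's LAN address (the old `answer` value in adguardhome.nix); if net.nix has the same `net.cidr.host`/`lanCidrv4` helpers kea.nix uses, deriving it would keep the two in step. Keeping `openFirewall = false` and opening the UDP port only through the explicit `lan-to-local` rule is the right direction.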
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 B7KO8w zu1oBpXzNBiaBfC/mvByu5ANim3bR8gQagtgBYagn1U +KD/fQXr+onY/xjQbdvFhHcZZeM3sxDy8/t+b+6tA6yY +-> U'U]!k-grease YMj *I2Pb P b7-a +77DIyjlP4NYKKNwTW2cw4f1LRG6thm/qMaiFSImdxEU4HnVPjG5pZjIYcwCd2VbF +2/XIqln4GRex6vQ +--- 0R+PKfBFabTixZupYfw1XzrbLSwMDtDiDywMjYBf360 +`4L9L Pq'OzAU2pH \UY9Rpd!qgΖ`"aiU&=6u> \ No newline at end of file diff --git a/secrets/rekeyed/sire-grafana/bc7b1994bea7dca5fee13a43ea98b611-wireguard-proxy-home-priv-sire-grafana.age b/secrets/rekeyed/sire-grafana/bc7b1994bea7dca5fee13a43ea98b611-wireguard-proxy-home-priv-sire-grafana.age new file mode 100644 index 0000000..233dc74 Binary files /dev/null and b/secrets/rekeyed/sire-grafana/bc7b1994bea7dca5fee13a43ea98b611-wireguard-proxy-home-priv-sire-grafana.age differ diff --git a/secrets/rekeyed/ward-web-proxy/00bc749b81ecaa1f3bff46c4e9202d7c-wireguard-proxy-home-priv-ward-web-proxy.age b/secrets/rekeyed/ward-web-proxy/00bc749b81ecaa1f3bff46c4e9202d7c-wireguard-proxy-home-priv-ward-web-proxy.age new file mode 100644 index 0000000..190be28 Binary files /dev/null and b/secrets/rekeyed/ward-web-proxy/00bc749b81ecaa1f3bff46c4e9202d7c-wireguard-proxy-home-priv-ward-web-proxy.age differ diff --git a/secrets/rekeyed/ward-web-proxy/53f02080ea6c3c8f59913279497ecee8-wireguard-proxy-home-psks-ward+ward-web-proxy.age b/secrets/rekeyed/ward-web-proxy/53f02080ea6c3c8f59913279497ecee8-wireguard-proxy-home-psks-ward+ward-web-proxy.age new file mode 100644 index 0000000..5080673 --- /dev/null +++ b/secrets/rekeyed/ward-web-proxy/53f02080ea6c3c8f59913279497ecee8-wireguard-proxy-home-psks-ward+ward-web-proxy.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 NwOpTA M3XfBa56BbC4MvQSsfz6JuF+482KHcKyTyuac0kDUAg +IQSmZgcOAvcGHseNGiZWakS1iPitMfnK663w/wPAfi8 +-> gn{-grease 6Xd(xF +WTqjUqa1wVkv4QncJMrB9lf/q+j8ONd77ihZYfK2eDVVpeFMoQJmkFK90LQPp4kI +KA9Pev4gn30gsn0 +--- I5yMQv1OPtVGGIukGMfGXohgFaPu1TxUx9xHIag4Z2g +34sx|3]6 2Wl_>R8ߢP: + v̶M} |zvUsի \ No newline at end of file diff --git a/secrets/rekeyed/ward/5702f71177f7beb0e43a6d154b3817ac-wireguard-proxy-home-priv-ward.age b/secrets/rekeyed/ward/5702f71177f7beb0e43a6d154b3817ac-wireguard-proxy-home-priv-ward.age new file mode 100644 index 0000000..27a4ba1 --- /dev/null +++ b/secrets/rekeyed/ward/5702f71177f7beb0e43a6d154b3817ac-wireguard-proxy-home-priv-ward.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iNceIg gJLsRK+YwOX06FcZc5DvsVc6ldDn7p7ZFGWUqKVKEC0 +McHR+wTpJzcz5rY0bhBxTMoGSECoGnkHL/M03VigXQs +-> 1^\gvk-grease p7(Ne @R,@K7} j2*> +1hxCbkcrk5zR/Z8fhGEtJtQR6IxOphV4pCu4o6L0ZNXMeaLwIvaRbisR8+mY +--- iGtzzmAXtd5zQy2yq3Y4mIbpCtgUF5KlN6GDUOdBkDE +8#)*|c2)BW!b8ALJ9%g!@%3l. {ҪU~YF -`È؝6 \ No newline at end of file diff --git a/secrets/rekeyed/ward/78fe89e07283f0eaf30e5a2856ad6013-wireguard-proxy-home-psks-ward+ward-web-proxy.age b/secrets/rekeyed/ward/78fe89e07283f0eaf30e5a2856ad6013-wireguard-proxy-home-psks-ward+ward-web-proxy.age new file mode 100644 index 0000000..66a862d --- /dev/null +++ b/secrets/rekeyed/ward/78fe89e07283f0eaf30e5a2856ad6013-wireguard-proxy-home-psks-ward+ward-web-proxy.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 iNceIg 8emaUUHPZjqD1R5y+35VdOXhU0h/RF5tM1ZMXaOzimI +CctB9o3TCAcBfQdqtfQADApjnRA08XWYOYh/yVmQdBs +-> >,)ts-grease +~0KV. G>[Ld#H "1ul/\ qi4Ed +NppQ/1aBVln6ceOkcU1W0k1DC2aQppstXA +--- i81cVk+uP3rCX2QMb0npH+YkxSbajCxqEA2BwTMXmEM +qmܒd"{vq U\`;`Y 'A'oQ`| +B.޴ L>#{@. \ No newline at end of file 
diff --git a/secrets/rekeyed/ward/f989d3e7076a554bd3feb4a229ee164d-wireguard-proxy-home-psks-sire-grafana+ward.age b/secrets/rekeyed/ward/f989d3e7076a554bd3feb4a229ee164d-wireguard-proxy-home-psks-sire-grafana+ward.age new file mode 100644 index 0000000..3038237 Binary files /dev/null and b/secrets/rekeyed/ward/f989d3e7076a554bd3feb4a229ee164d-wireguard-proxy-home-psks-sire-grafana+ward.age differ diff --git a/secrets/wireguard/proxy-home/keys/sire-grafana.age b/secrets/wireguard/proxy-home/keys/sire-grafana.age new file mode 100644 index 0000000..d9be9f1 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-grafana.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 Rw/oOZBjevIBjQ/IP9PZKr5C5K7fjc34bK4TIXSsp08 +7/RDuF5ZD6p9aGLowMVH6BhVEiZS5CZvj5e6QEoPSuE +-> piv-p256 xqSe8Q Akzj6/Ss/29QvrRa85ENsvoTVCd/Y3i95R2aLW6ce5e/ +aSBOCWaS/XqWPXFP2IJaLTexnuIvL3QcvA7yw+eGiv8 +-> 6No!9:-grease cHGyS-9 +T7E +--- 9ZR3RpInJ+zR55nhx86OwjpcKJme/bTayn0ICqyd7pE +50EzC$c5.Gdg\.a̝)\2y3HA,LL,fQ;pAME|(^vg \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/sire-grafana.pub b/secrets/wireguard/proxy-home/keys/sire-grafana.pub new file mode 100644 index 0000000..b457648 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-grafana.pub @@ -0,0 +1 @@ +QxmAb3B+VxRsmZtLA0dZIyhcMEl9eF5pjI9PVHjt12A= diff --git a/secrets/wireguard/proxy-home/keys/ward-web-proxy.age b/secrets/wireguard/proxy-home/keys/ward-web-proxy.age new file mode 100644 index 0000000..903e1ff --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/ward-web-proxy.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 03m127mzQrZzG+i0lCiYxE1LDmV66p7x85lAr7kvdQM +p7L8vQHqGzFzgLRykoG8djYuEZGaZs1vHsv6/2soxQA +-> piv-p256 xqSe8Q ArF+jT+zyRUCWLNnFdk+d6CfnyyMbqv+1JlX8fHVMx4+ +hvAvhvmPWbaU3Zt2Goyd1uzYvfwtNHBjBHDygvEJEfg +-> zBsEU-grease spTl#x| +jK2dhVVwUINl6H+2neoAjrTmIHY5ayPQlUAZKdJpDHyIF+Gf1dCc2VqylTrQMhK4 +wJe+Bwcvk4s92nIRfqTl4A4 +--- urQ0EN70k4q/ZNTSt95DHpsrhIM9UR39dOX816MLcFk +ߖ:S3#38%}b \z<;0]`Xv񛌜Dx Ktz< :LL*Q \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/ward-web-proxy.pub b/secrets/wireguard/proxy-home/keys/ward-web-proxy.pub new file mode 100644 index 0000000..fe63ba0 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/ward-web-proxy.pub @@ -0,0 +1 @@ +HBOE43AOwpccH/e2337pti21iKzrEtO8oyLXUMVzHQk= diff --git a/secrets/wireguard/proxy-home/keys/ward.age b/secrets/wireguard/proxy-home/keys/ward.age new file mode 100644 index 0000000..0a7750a --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/ward.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 6TWmq3L5UXGTTKrgjQhj8Xe0RZfJo+XQ0w8ngrLjAzY ++z/9XdrqKejXvJx0w81TLqQwSxn+3Ul1B1jREjO1wuI +-> piv-p256 xqSe8Q A8/BCRMWX7YRm9lF6o0zW9uJ/YVwTSLojVGg9Lz4S031 +1n+2uCSHeq83UPc7qLxWUwknS2gNOWEoL9Y4+7n7gJY +-> K-grease )\Dl&j +pYUrWVDmNacpIA14gM7Ucp4Y4qYxKNqdfNvIR7hQJECuae2S +--- iS2EvPZPh73Zm6X79VRvEeNzBBxqeLBiuaJ0XKgEMaI +((@j3S,kV4@hgzEnƪۭʛ_GWuM.b%r/pU \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/ward.pub b/secrets/wireguard/proxy-home/keys/ward.pub new file mode 100644 index 0000000..60380cf --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/ward.pub @@ -0,0 +1 @@ +s+Z3G/1gmemNd7GgvWgodWNSciRlWmUi7wCoiywd/Tc= diff --git a/secrets/wireguard/proxy-home/psks/sire-grafana+ward.age b/secrets/wireguard/proxy-home/psks/sire-grafana+ward.age new file mode 100644 index 0000000..0ab48b5 --- /dev/null +++ b/secrets/wireguard/proxy-home/psks/sire-grafana+ward.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 AOH3GXLMZjdgOSwXH8gRlil6HAxX903ZDfHuaNGaHXA +8NqugSGdD5bJsUzcA7x4et6mKR/VFvhb4ufcrzrGYmY +-> piv-p256 xqSe8Q A89eNTdb5orVU0/LcoHttKE0nXuaKmAaMek7Lz1CqKxZ +mWcA2Fg1b45GHr+ihtBLsEGQvgny6aJC/5X+DsfNjWs +-> <'-grease ZB-; +otJwM1DDzq+E7TVkQrg36V91Y7TxL6Ic2eWJ3fbZNBEz3wc +--- H2r1DxPHmPXIqyUzAebNBLNhkmM91W9Y9NVORENY48o +*:1#H. >':Ru9 ;< +ɯexfB!-^jջH%r \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/psks/ward+ward-web-proxy.age b/secrets/wireguard/proxy-home/psks/ward+ward-web-proxy.age new file mode 100644 index 0000000..a03c259 --- /dev/null +++ b/secrets/wireguard/proxy-home/psks/ward+ward-web-proxy.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 4Pc4cxDkGJLio/xK07yBUmfu0XAC+6c4k4YAqw08338 +ZZ+aGb7tklVuZ5l+jd+lsnBn+eUdvXnQUOv2F5p3amg +-> piv-p256 xqSe8Q AndILF26ubv7WafOIZpeERT4hTCDetQV1uiZht4fjB4D +Os3uF+Re1ljLbDYZth3yVclek/7Y7z052phV8M4jRZw +-> >2r7LOM-grease fu[4)c +el9CM2uCv9d4G1LZDKJ/WHuGJU10kExbVRpKaTgqTp7MGGYgVYSRYMio +--- umzvoZllAfBEQ4R0o57IISDtkgJEfhfpOt399vQsz0w +Qr2?WӦ`W}k27qn۔K2D+!Y3+nˌc؛p^O] \ No newline at end of file