Diffstat (limited to 'tw')
-rw-r--r--tw/services/files/wireguard/lap-fp4.psk.enc (renamed from tw/system/files/wireguard/lap-fp4.psk.enc)0
-rw-r--r--tw/services/files/wireguard/lap-lud.psk.enc (renamed from tw/system/files/wireguard/lap-lud.psk.enc)0
-rw-r--r--tw/services/files/wireguard/lap-pi3.psk.enc (renamed from tw/system/files/wireguard/lap-pi3.psk.enc)0
-rw-r--r--tw/services/files/wireguard/lap-vin.psk.enc (renamed from tw/system/files/wireguard/lap-vin.psk.enc)0
-rw-r--r--tw/services/files/wireguard/lap.key.enc (renamed from tw/system/files/wireguard/lap.key.enc)0
-rw-r--r--tw/services/files/wireguard/lud-fp4.psk.enc (renamed from tw/system/files/wireguard/lud-fp4.psk.enc)0
-rw-r--r--tw/services/files/wireguard/lud-lap.psk.enc (renamed from tw/system/files/wireguard/lud-lap.psk.enc)0
-rw-r--r--tw/services/files/wireguard/lud-pi3.psk.enc (renamed from tw/system/files/wireguard/lud-pi3.psk.enc)0
-rw-r--r--tw/services/files/wireguard/lud-vin.psk.enc (renamed from tw/system/files/wireguard/lud-vin.psk.enc)0
-rw-r--r--tw/services/files/wireguard/lud.key.enc (renamed from tw/system/files/wireguard/lud.key.enc)0
-rw-r--r--tw/services/files/wireguard/vin-fp4.psk.enc (renamed from tw/system/files/wireguard/vin-fp4.psk.enc)0
-rw-r--r--tw/services/files/wireguard/vin-lap.psk.enc (renamed from tw/system/files/wireguard/vin-lap.psk.enc)0
-rw-r--r--tw/services/files/wireguard/vin-lud.psk.enc (renamed from tw/system/files/wireguard/vin-lud.psk.enc)0
-rw-r--r--tw/services/files/wireguard/vin-pi3.psk.enc (renamed from tw/system/files/wireguard/vin-pi3.psk.enc)0
-rw-r--r--tw/services/files/wireguard/vin.key.enc (renamed from tw/system/files/wireguard/vin.key.enc)0
-rw-r--r--tw/services/wireguard.scm86
-rw-r--r--tw/system/lap.scm20
-rw-r--r--tw/system/lud.scm17
-rw-r--r--tw/system/vin.scm17
19 files changed, 67 insertions, 73 deletions
diff --git a/tw/system/files/wireguard/lap-fp4.psk.enc b/tw/services/files/wireguard/lap-fp4.psk.enc
index 170235ce..170235ce 100644
--- a/tw/system/files/wireguard/lap-fp4.psk.enc
+++ b/tw/services/files/wireguard/lap-fp4.psk.enc
diff --git a/tw/system/files/wireguard/lap-lud.psk.enc b/tw/services/files/wireguard/lap-lud.psk.enc
index 15ba1599..15ba1599 100644
--- a/tw/system/files/wireguard/lap-lud.psk.enc
+++ b/tw/services/files/wireguard/lap-lud.psk.enc
diff --git a/tw/system/files/wireguard/lap-pi3.psk.enc b/tw/services/files/wireguard/lap-pi3.psk.enc
index 00d75345..00d75345 100644
--- a/tw/system/files/wireguard/lap-pi3.psk.enc
+++ b/tw/services/files/wireguard/lap-pi3.psk.enc
diff --git a/tw/system/files/wireguard/lap-vin.psk.enc b/tw/services/files/wireguard/lap-vin.psk.enc
index a335cc14..a335cc14 100644
--- a/tw/system/files/wireguard/lap-vin.psk.enc
+++ b/tw/services/files/wireguard/lap-vin.psk.enc
diff --git a/tw/system/files/wireguard/lap.key.enc b/tw/services/files/wireguard/lap.key.enc
index ce7bac3b..ce7bac3b 100644
--- a/tw/system/files/wireguard/lap.key.enc
+++ b/tw/services/files/wireguard/lap.key.enc
diff --git a/tw/system/files/wireguard/lud-fp4.psk.enc b/tw/services/files/wireguard/lud-fp4.psk.enc
index dedc8814..dedc8814 100644
--- a/tw/system/files/wireguard/lud-fp4.psk.enc
+++ b/tw/services/files/wireguard/lud-fp4.psk.enc
diff --git a/tw/system/files/wireguard/lud-lap.psk.enc b/tw/services/files/wireguard/lud-lap.psk.enc
index 91d1bb1a..91d1bb1a 100644
--- a/tw/system/files/wireguard/lud-lap.psk.enc
+++ b/tw/services/files/wireguard/lud-lap.psk.enc
diff --git a/tw/system/files/wireguard/lud-pi3.psk.enc b/tw/services/files/wireguard/lud-pi3.psk.enc
index 32b8097a..32b8097a 100644
--- a/tw/system/files/wireguard/lud-pi3.psk.enc
+++ b/tw/services/files/wireguard/lud-pi3.psk.enc
diff --git a/tw/system/files/wireguard/lud-vin.psk.enc b/tw/services/files/wireguard/lud-vin.psk.enc
index 693a886a..693a886a 100644
--- a/tw/system/files/wireguard/lud-vin.psk.enc
+++ b/tw/services/files/wireguard/lud-vin.psk.enc
diff --git a/tw/system/files/wireguard/lud.key.enc b/tw/services/files/wireguard/lud.key.enc
index 5001f4ce..5001f4ce 100644
--- a/tw/system/files/wireguard/lud.key.enc
+++ b/tw/services/files/wireguard/lud.key.enc
diff --git a/tw/system/files/wireguard/vin-fp4.psk.enc b/tw/services/files/wireguard/vin-fp4.psk.enc
index e636c35d..e636c35d 100644
--- a/tw/system/files/wireguard/vin-fp4.psk.enc
+++ b/tw/services/files/wireguard/vin-fp4.psk.enc
diff --git a/tw/system/files/wireguard/vin-lap.psk.enc b/tw/services/files/wireguard/vin-lap.psk.enc
index 6975348d..6975348d 100644
--- a/tw/system/files/wireguard/vin-lap.psk.enc
+++ b/tw/services/files/wireguard/vin-lap.psk.enc
diff --git a/tw/system/files/wireguard/vin-lud.psk.enc b/tw/services/files/wireguard/vin-lud.psk.enc
index ba725037..ba725037 100644
--- a/tw/system/files/wireguard/vin-lud.psk.enc
+++ b/tw/services/files/wireguard/vin-lud.psk.enc
diff --git a/tw/system/files/wireguard/vin-pi3.psk.enc b/tw/services/files/wireguard/vin-pi3.psk.enc
index e273896c..e273896c 100644
--- a/tw/system/files/wireguard/vin-pi3.psk.enc
+++ b/tw/services/files/wireguard/vin-pi3.psk.enc
diff --git a/tw/system/files/wireguard/vin.key.enc b/tw/services/files/wireguard/vin.key.enc
index 76b7bed2..76b7bed2 100644
--- a/tw/system/files/wireguard/vin.key.enc
+++ b/tw/services/files/wireguard/vin.key.enc
diff --git a/tw/services/wireguard.scm b/tw/services/wireguard.scm
index 3d35cd2e..e975fe46 100644
--- a/tw/services/wireguard.scm
+++ b/tw/services/wireguard.scm
@@ -6,6 +6,10 @@
#:use-module (gnu services base)
#:use-module (gnu services configuration)
#:use-module (gnu services vpn)
+ #:use-module (guix gexp)
+ #:use-module ((guix records) #:select (match-record))
+ #:use-module ((guix utils) #:select (current-source-directory))
+ #:use-module (tw services secrets)
#:export (%wireguard-peers
tw-wireguard-configuration
tw-wireguard-service-type))
@@ -56,41 +60,76 @@
"The host name of the machine being configured.")
(peers
(wireguard-peers-list %wireguard-peers)
- "An alist of WireGuard peers to install."))
+ "An alist of WireGuard peers to install.")
+ (private-key-file
+ (string "/etc/wireguard/private.key")
+ "Where to store this host's private key."))
+
+(define (other-peers this-host peers)
+ (let ((own-peer (assoc-ref peers this-host)))
+ (delq own-peer (map cdr peers))))
(define (tw-wireguard-service config)
"Create a full WireGuard config from the personal network CONFIG."
- (let ((own-peer (assoc-ref (tw-wireguard-configuration-peers config)
- (tw-wireguard-configuration-this-host config))))
- (wireguard-configuration
- (addresses
- (map (lambda (cidr)
- (let ((ipv4 (string-match "/32$" cidr))
- (ipv6 (string-match "/128$" cidr)))
- (cond
- (ipv4 (regexp-substitute #f ipv4 'pre "/24"))
- (ipv6 (regexp-substitute #f ipv6 'pre "/64"))
- (#t cidr))))
- (wireguard-peer-allowed-ips own-peer)))
- (port
- (let ((endpoint (wireguard-peer-endpoint own-peer)))
+ (match-record config <tw-wireguard-configuration> (this-host peers private-key-file)
+ (match-record (assoc-ref peers this-host) (@@ (gnu services vpn) <wireguard-peer>) (endpoint allowed-ips)
+ (wireguard-configuration
+ (addresses
+ (map (lambda (cidr)
+ (let ((ipv4 (string-match "/32$" cidr))
+ (ipv6 (string-match "/128$" cidr)))
+ (cond
+ (ipv4 (regexp-substitute #f ipv4 'pre "/24"))
+ (ipv6 (regexp-substitute #f ipv6 'pre "/64"))
+ (#t cidr))))
+ allowed-ips))
+ (port
(if endpoint
(string->number (cadr (string-split endpoint #\:)))
- 58921)))
- (private-key "/etc/wireguard/private.key")
- (peers (delq own-peer (map cdr (tw-wireguard-configuration-peers config)))))))
+ 58921))
+ (private-key private-key-file)
+ (peers (other-peers this-host peers))))))
+
+(define (cut-string-at-char str char-pred)
+ "Return the first part of STR up to the first occurrence of CHAR-PRED."
+ (substring str 0 (string-index str char-pred)))
(define (peer->ips peer)
"Extract IP addresses assigned to the given `wireguard-peer' PEER."
- (map (compose car (cut string-split <> #\/))
+ (map (cut cut-string-at-char <> #\/)
(wireguard-peer-allowed-ips peer)))
(define (tw-wireguard-hosts config)
"Generate a hosts file entries from the personal WireGuard network CONFIG."
- (append-map (lambda (peer)
- (map (cut host <> (wireguard-peer-name peer))
- (peer->ips peer)))
- (map cdr (tw-wireguard-configuration-peers config))))
+ (define (peer->entries peer)
+ (map (cut host <> (wireguard-peer-name peer))
+ (peer->ips peer)))
+ (append-map (compose peer->entries cdr)
+ (tw-wireguard-configuration-peers config)))
+
+(define (tw-wireguard-secrets config)
+ "Install secrets for the host's private key and preshared keys with peers."
+ (define (local-file-here path)
+ (local-file
+ (canonicalize-path
+ (string-append
+ (current-source-directory) "/" path))))
+ (match-record config <tw-wireguard-configuration> (this-host peers private-key-file)
+ (define short-host (cut-string-at-char this-host #\.))
+ (define private-key
+ (secret
+ (encrypted-file
+ (local-file-here (string-append "files/wireguard/" short-host ".key.enc")))
+ (destination private-key-file)))
+ (define (peer->secret peer)
+ (let ((short-peer (cut-string-at-char (wireguard-peer-name peer) #\.)))
+ (secret
+ (encrypted-file
+ (local-file-here
+ (string-append "files/wireguard/" short-host "-" short-peer ".psk.enc")))
+ (destination
+ (string-append "/etc/wireguard/" short-peer ".psk")))))
+ (cons private-key (map peer->secret (other-peers this-host peers)))))
(define tw-wireguard-service-type
(service-type
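Review bot: `cut-string-at-char`, defined just above `peer->ips`, calls `(substring str 0 (string-index str char-pred))`, and `string-index` yields `#f` when the character is absent, so `substring` raises; the replaced `(compose car (cut string-split <> #\/))` returned the whole string for an allowed-IP without a prefix length, and `tw-wireguard-secrets` now runs the same helper over `this-host` and every peer name, so a name with no dot aborts the system build instead of falling back to the full name. Guarding the index restores the old behaviour: `(let ((i (string-index str char-pred)))` / `(if i (substring str 0 i) str))`. Separately, `(assoc-ref peers this-host)` in `tw-wireguard-service` is `#f` when the host is missing from `peers`, and the inner `match-record` then fails with a record-type error rather than a message naming the host; an explicit check before it would make that misconfiguration easy to diagnose. The `(@@ (gnu services vpn) <wireguard-peer>)` reference binds this module to a private name whose field set may change between Guix revisions, which deserves a comment recording that dependency.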
@@ -98,6 +137,7 @@
(description "Set up my personal WireGuard network.")
(extensions
(cons* (service-extension hosts-service-type tw-wireguard-hosts)
+ (service-extension secrets-service-type tw-wireguard-secrets)
;; FIXME: `wireguard-service-type' cannot be extended, so copy its
;; service-extensions directly.
(map (lambda (ext)
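Review bot: The added `service-extension secrets-service-type tw-wireguard-secrets` makes `secrets-service-type` a hard requirement of every operating system that uses `tw-wireguard-service-type`, and nothing in the hunk records that; the lap.scm change in the same commit shows a host instantiating an otherwise empty `secrets-configuration` purely to satisfy it. A comment on the new line would spare the next host author the build-time failure, e.g. `;; Private and preshared keys are installed through secrets-service-type, so every host using this service must also declare one.` It is also worth stating there that the `private-key-file` field is the single source for both the `secret` destination and the `private-key` handed to `wireguard-configuration`, so changing it moves both together. The enclosing `service-type` definition starts and ends outside the hunk.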
diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index b6049ad3..f6e56116 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -447,26 +447,10 @@ EndSection
(list vin)
(list lud))))))
+ ;; Set up a secrets config for WireGuard to extend.
(service secrets-service-type
(secrets-configuration
- (host-key "/etc/secrets.key") ; we have no SSH host keys, so use a custom key
- (secrets
- (list
- (secret
- (encrypted-file (local-file "files/wireguard/lap.key.enc"))
- (destination "/etc/wireguard/private.key"))
- (secret
- (encrypted-file (local-file "files/wireguard/lap-fp4.psk.enc"))
- (destination "/etc/wireguard/fp4.psk"))
- (secret
- (encrypted-file (local-file "files/wireguard/lap-lud.psk.enc"))
- (destination "/etc/wireguard/lud.psk"))
- (secret
- (encrypted-file (local-file "files/wireguard/lap-pi3.psk.enc"))
- (destination "/etc/wireguard/pi3.psk"))
- (secret
- (encrypted-file (local-file "files/wireguard/lap-vin.psk.enc"))
- (destination "/etc/wireguard/vin.psk"))))))
+ (host-key "/etc/secrets.key"))) ; we have no SSH host keys, so use a custom key
(modify-services (append %system-channel-services %desktop-services)
;; Let sane find the airscan backend. ipp-usb needs to be running separately.
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 592b764b..82a3e43f 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -197,22 +197,7 @@ innodb_io_capacity = 4000
(destination "/etc/nextcloud-database-password.enc"))
(secret
(encrypted-file (local-file "files/restic/lud-nextcloud.enc"))
- (destination "/etc/restic/lud-nextcloud"))
- (secret
- (encrypted-file (local-file "files/wireguard/lud.key.enc"))
- (destination "/etc/wireguard/private.key"))
- (secret
- (encrypted-file (local-file "files/wireguard/lud-fp4.psk.enc"))
- (destination "/etc/wireguard/fp4.psk"))
- (secret
- (encrypted-file (local-file "files/wireguard/lud-lap.psk.enc"))
- (destination "/etc/wireguard/lap.psk"))
- (secret
- (encrypted-file (local-file "files/wireguard/lud-pi3.psk.enc"))
- (destination "/etc/wireguard/pi3.psk"))
- (secret
- (encrypted-file (local-file "files/wireguard/lud-vin.psk.enc"))
- (destination "/etc/wireguard/vin.psk"))))))
+ (destination "/etc/restic/lud-nextcloud"))))))
;; Only this server has SSDs, not vin.
(simple-service 'fstrim mcron-service-type
diff --git a/tw/system/vin.scm b/tw/system/vin.scm
index 75243e8d..65870e1f 100644
--- a/tw/system/vin.scm
+++ b/tw/system/vin.scm
@@ -161,22 +161,7 @@
(encrypted-file (local-file "files/restic/vin-grafana.enc"))
(destination "/etc/restic/vin-grafana")
(user "restic")
- (group "restic"))
- (secret
- (encrypted-file (local-file "files/wireguard/vin.key.enc"))
- (destination "/etc/wireguard/private.key"))
- (secret
- (encrypted-file (local-file "files/wireguard/vin-fp4.psk.enc"))
- (destination "/etc/wireguard/fp4.psk"))
- (secret
- (encrypted-file (local-file "files/wireguard/vin-lud.psk.enc"))
- (destination "/etc/wireguard/lud.psk"))
- (secret
- (encrypted-file (local-file "files/wireguard/vin-pi3.psk.enc"))
- (destination "/etc/wireguard/pi3.psk"))
- (secret
- (encrypted-file (local-file "files/wireguard/vin-lap.psk.enc"))
- (destination "/etc/wireguard/lap.psk"))))))
+ (group "restic"))))))
;; For running the Grafana docker container.
(service grafana-service-type