diff --git a/.gitignore b/.gitignore
index e8bbc8a..778b13f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ first-boot.sh
 guix-commit.txt
 id_ed25519
 id_ed25519.pub
+id_wireguard
 index.html
 install-sh
 Makefile
@@ -17,3 +18,4 @@ missing
 mumble-vm-machine.scm
 mumble-vm-system.scm
 signing-key.pub
+wireguard-post-up.sh
diff --git a/Makefile.am b/Makefile.am
index 47d43cf..447bd10 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -16,7 +16,8 @@ CLEANFILES = \
 	index.html \
 	mumble-vm.img \
 	mumble-vm-machine.scm \
-	mumble-vm-system.scm
+	mumble-vm-system.scm \
+	wireguard-post-up.sh
 
 # We want to only update the image when guix commit changes. The trick
 # to make that work is to only create or update a file when the revision
@@ -53,7 +54,8 @@ IMAGE_SOURCE = \
 	mumble-vm-system.scm \
 	id_ed25519.pub \
 	Makefile \
-	signing-key.pub
+	signing-key.pub \
+	wireguard-post-up.sh
 
 mumble-vm.img: $(IMAGE_SOURCE)
 	sudo install \
diff --git a/mumble-vm-system.scm.tmpl b/mumble-vm-system.scm.tmpl
index faf8a40..29c2e2f 100644
--- a/mumble-vm-system.scm.tmpl
+++ b/mumble-vm-system.scm.tmpl
@@ -19,6 +19,7 @@
   #:use-module (gnu services certbot)
   #:use-module (gnu services ssh)
   #:use-module (gnu services telephony)
+  #:use-module (gnu services vpn)
   #:use-module (gnu services web)
   #:use-module (guix build-system copy)
   #:use-module (guix build-system gnu)
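Review bot: `IMAGE_SOURCE` gains wireguard-post-up.sh but not id_wireguard, which mumble-vm-system.scm.tmpl reads with `(local-file "id_wireguard")` while the image is built, so rotating that key leaves mumble-vm.img looking up to date and the old key baked in. Adding `id_wireguard \` next to `id_ed25519.pub \` in the `IMAGE_SOURCE` list keeps the dependency graph honest. The `mumble-vm.img` rule whose prerequisites this list feeds continues past the end of the hunk.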
@@ -70,6 +71,32 @@
 the services after that.")
   (home-page #f)
   (license license:gpl3+)))
+(define wireguard-post-up-fixups
+  (package
+    (name "wireguard-post-up-fixups")
+    (version "0.1")
+    (source (local-file "wireguard-post-up.sh" ))
+    (build-system gnu-build-system)
+    (arguments
+     (list #:tests? #f ;no tests
+           #:phases
+           #~(modify-phases
+              %standard-phases
+              (delete 'build)
+              (delete 'configure)
+              (replace 'install
+                (lambda _
+                  (chmod "wireguard-post-up.sh" #o755)
+                  (install-file
+                   "wireguard-post-up.sh"
+                   (string-append (string-append #$output "/bin"))))))))
+    (synopsis "Script to fixup the Wireguard interface(s).")
+    (description
+     "Currently, the wireguard-post-up.sh script sets up the interface
+MTU.")
+    (home-page #f)
+    (license license:gpl3+)))
+
 
 (define-public %nginx-deploy-hook
   (program-file "nginx-deploy-hook"
@@ -82,6 +109,9 @@ the services after that.")
         (kill nginx-pid SIGHUP)
         (kill mumble-server-pid SIGUSR1))))))
 
+(define-public %wireguard-post-up
+  (list "/run/current-system/profile/bin/wireguard-post-up.sh"))
+
 (define mumble-vm-operating-system
   (operating-system
     (bootloader (bootloader-configuration
@@ -107,7 +137,8 @@ the services after that.")
                     net-tools
                     nmon
                     openssh-sans-x
-                    website)
+                    website
+                    wireguard-post-up-fixups)
                    %base-packages))
     (services
      (append
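Review bot: `(string-append (string-append #$output "/bin"))` in the replaced install phase wraps one string-append in another for no effect; `(string-append #$output "/bin")` is all that is needed. Since `(guix build-system copy)` is already imported by this file, the whole gnu-build-system arguments block (deleted configure and build phases plus a hand-written install) could become `copy-build-system` with `#:install-plan '(("wireguard-post-up.sh" "bin/"))`, keeping an explicit chmod only if the store copy really loses the executable bit — the diff does not show whether it does. The synopsis also ends with a period, which `guix lint` reports.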
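Review bot: `%wireguard-post-up` names `/run/current-system/profile/bin/wireguard-post-up.sh`, so the command that runs as root when the tunnel comes up is whatever the system profile holds at that moment rather than the package built just above, and it breaks silently if wireguard-post-up-fixups is ever dropped from the `packages` list in the next hunk. If the `post-up` field accepts file-like objects, `(list (file-append wireguard-post-up-fixups "/bin/wireguard-post-up.sh"))` pins the exact store path; if it only takes strings, a one-line comment on the definition stating that it relies on the package being in `packages` would document the coupling.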
@@ -195,7 +226,22 @@ https://DOMAIN/
               `(("root" , (local-file "id_ed25519.pub"))
                 ("gnutoo" ,(local-file "id_ed25519.pub"))))))
             ;; Unattended Upgrades
-            (service unattended-upgrade-service-type))
+            (service unattended-upgrade-service-type)
+            (service wireguard-service-type
+                     (wireguard-configuration
+                      (addresses '("79.143.250.36/32" "2001:678:938:3ff::36/128"))
+                      (dns '("79.143.250.1" "79.143.250.2"
+                             "2001:678:938::53:1" "2001:678:938::53:2"))
+                      (port 0)
+                      (post-up %wireguard-post-up)
+                      (private-key (local-file "id_wireguard"))
+                      (peers
+                       (list
+                        (wireguard-peer
+                         (name "stephanie.franciliens.net")
+                         (endpoint "stephanie.franciliens.net:51820")
+                         (public-key "Ybfh3twyBpj7wx/lo9AVBsBKNAUMSQqAWWV0LfywSDI=")
+                         (allowed-ips '("0.0.0.0/0" "::/0"))))))))
      (modify-services %base-services
        (guix-service-type config =>
                           (guix-configuration
diff --git a/wireguard-post-up.sh.tmpl b/wireguard-post-up.sh.tmpl
new file mode 100644
index 0000000..e880372
--- /dev/null
+++ b/wireguard-post-up.sh.tmpl
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see .
+set -e
+
+ip link set dev wg0 mtu 1380
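Review bot: `(private-key (local-file "id_wireguard"))` interns the WireGuard private key into /gnu/store, and the store is world-readable, so every local account on the VM and anyone holding a copy of mumble-vm.img can read the key; keeping id_wireguard out of git via .gitignore does not change that. The `private-key` field is documented as a path to a key file on the target system (Guix's default is `/etc/wireguard/private.key`), so pointing it at a file provisioned with mode 0600 outside the store — the image build's `sudo install` step in Makefile.am is one place to do that — keeps the secret out of world-readable paths. I cannot tell from the diff how `local-file` is lowered here, so confirm that the generated config ends up referencing the non-store path before relying on this. The enclosing `services` form starts and ends outside the hunk.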
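Review bot: `ip link set dev wg0 mtu 1380` hard-codes the interface name even though the `wireguard-configuration` above leaves `interface-name` at its default, and wg-quick, which the Guix service drives, substitutes `%i` with the interface name in PostUp commands; taking the name as an argument, `ip link set dev "${1:-wg0}" mtu 1380`, and invoking the script as `wireguard-post-up.sh %i` from `%wireguard-post-up` keeps the two in sync. A comment explaining why 1380 was chosen (path MTU to the peer, presumably — worth stating) would spare the next reader a re-measurement. Note that with `set -e` a failing `ip` call makes the hook fail, and wg-quick then tears the interface back down, which is probably intended but deserves a line saying so.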