feat[server]: add firezone

2026-04-14 21:29:12 +02:00 · 2026-01-01 02:30:10 +01:00 · 2026-01-01 02:30:10 +01:00 · 4da9291223
commit 4da9291223
parent c8f7739326
69 changed files with 2415 additions and 1132 deletions
--- a/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
@ -1,4 +1,4 @@
-{ self, lib, minimal, ... }:
+{ self, config, lib, minimal, ... }:
 {
  imports = [
    ./hardware-configuration.nix
@ -12,6 +12,8 @@
    icon = "devices.cloud-server";
  };

+  globals.general.webProxy = config.node.name;
+
  swarselsystems = {
    flakePath = "/root/.dotfiles";
    info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
@ -27,7 +29,6 @@
    server = {
      wireguard.interfaces = {
        wgProxy = {
-          # ifName = "wg";
          isServer = true;
          peers = [
            "moonside"
@ -47,8 +48,16 @@
  swarselmodules.server = {
    nginx = true;
    oauth2-proxy = true;
-    dns-hostrecord = true;
    wireguard = true;
+    firezone = true;
+  };
+
+  networking.nftables = {
+    firewall.zones.untrusted.interfaces = [ "lan" ];
+    chains.forward.dnat = {
+      after = [ "conntrack" ];
+      rules = [ "ct status dnat accept" ];
+    };
  };

 }
--- a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:UKXEKxP1SDqQWktd3eQzkoqsk6k3m9Rj+JNk3xmdZmp5p+pXnY+uDltSIL2PTsOy7wtf4gp16jze1PhHvYojuN2nnou/D1KJALPHBgGiR8CgBlbX5nrCbtHrs4SZq+M7QihRV8lsG8gU0aIm0lDO83cJ0boUfnZdexDPjcuhYJj5nmgOG1bV60LOJNg7yn//hlVhovrf7ygXOk9HirDMmK9MVkKw5utD7iE4Cm7txrK1z9rQLJYM3kzwsWJAGkIc/IbI4Css10ScNK9VMKU4B596Dv2eCHvSIUJ8Y8AJrE/1+jp8XQW4aUMcFsbKpwjL2mOm0DSFupr/D60vJ1j5ovEIT4Vt51H4cpcBduBUCHoRZ1S/fZePxYaPunEI9lJVSQeANGevqXmvd8SSpO8YFN2S06CsFcx8hadQpq79uD7hm4tZzNUFOm2fytY9WMl0YWlSM4g3U30tKVVo+RMmm43oMaStOiyXUyohXjKY5QJqI+rJRRifKUhfze4Z4aGn,iv:nOU57gwkc3hld/+IqqHYtEiJYXzOFwTaG6cNEl7ZNHk=,tag:kRp580c9haQSQmOw2hBvrw==,type:str]",
+	"data": "ENC[AES256_GCM,data:mQPfK2Dh2ACae0a+1GRHY/CV0JpHH8JO+td+RR17UXyq5v/OF6YDfS7loIpQvImEAs6AvIzIdyq0848Fh/34kh/K2ZAq4AknW9jQx5YyP4nbk8/q1/dk+95c0u98WnN6mw3BFHHesKYCfGy82GMnu00Ffxu7WSYzTKxq6yvROS7ugefRjsoMsuJcEeHmoIBgEIjXntGT4DxJjw4RhWPm+unSmce9SXfqbAuuizHm/S5URYvicIzalSITlfFBrpKWNxNe9fC2etDb/fB+uMpG28rmB98ov1W0X/W3JOUhASXVhB+YCau8XdIRPopEnkR4Wm1HD+exJ3CToJMgrdmv5Cj9rJoFI0jvApRpjBix5qDrTsbn3iWbv/QYuCnL8ulXY7nYtkmFjFCG3fLZ5G+6EVE+bZnh2V8KYAVM9moehNJ9Or4kGST5JWnIizFvAeeYef0xZtBMwv36Yc1JNAh3zlHP26lcXew+Ulxxcv07RmmV52jZMfWweyg4nXNumrbmy/GwingIhqN8wHrOD3Tu0HlvqmX5C5YRZg5iVU4lnAjKJc6XRn7B1GQzKeyE9HKagkrULQKGmqDlqEvEAp/9eW+rTR2Yho1QStK7J2RXFnWwpE4PH3cIfHWtwIv67yw+QWqj+lXMztHaX3RIRXGLyqnWtaLjMG+IIYytzaBt,iv:djDts0mzoVU6Cvf8KJb01CkHO+OrnIJyMhTfgJ8lZEE=,tag:JiZ2t5cBfSAKG0b1wAZCZA==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-22T01:24:25Z",
-		"mac": "ENC[AES256_GCM,data:NtGHAadNGMfyCOqiaE/XRZqu4CnQ1IujgI3/IraY6E3luqzFVxJk/CgWD2rjbhLmaL7hd3Tay2LjL5uFxzM7kAE9QaaZtcxYKbudhznUdi/UEZ2ZtqyXqafXfCjEVbETaTAP3YGmQwJ/kAMj+FZp9yx7d6B8SVqWu1PatJGsOIA=,iv:OW6Xsr2MmEJq70TnEIJFgwLi3iMmKFV2Fy05a5G6Ibw=,tag:8KtNH6tEj/rQoht7FRDN3Q==,type:str]",
+		"lastmodified": "2025-12-30T14:45:29Z",
+		"mac": "ENC[AES256_GCM,data:/hfp7IopUWZSMequVWcpMup9lM/e5G3Qda+8zz8ecPMdMrbUqpzi43QAbiTvMC1Wa2DKWFOsZPilClJQfG0MMEYD4GWehd2C5psK5HOxS3h9pjE/AjctaCwu8RB71paK940W6NY8sCjOi+zm+Az4KDwkOl0R3ApaUMofV4hsg6M=,iv:d5Zy4HXtoSfRN4E0FHjT2vIWMY8k3G422ygVAZ7gXrc=,tag:a6UZVjb9kTj+8FZG1FIyrg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-01T23:06:36Z",
--- a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml
@ -7,6 +7,15 @@ wireguard-private-key: ENC[AES256_GCM,data:m8fL4Y5TusV4imzcVqTmJZB0rlb+ndoH/Bl7K
 #ENC[AES256_GCM,data:IpoTYZX4KGjPA+hZ,iv:Hd1V9//M1f/10HQ7ZEEA9ZtuO8EBtY1kn3n28krYxpg=,tag:We6WirbRgSH1qOjC4g7spg==,type:comment]
 oauth2-cookie-secret: ENC[AES256_GCM,data:ZN44Kdai0hUgx0GduynlyMHDnZpdnp1SPAGEaNaNFHGMhM9Q5HPzotiNXQM=,iv:vsYhWriY5G4KLiJ12MLm26B7aBzCL5GAr+S15klH4Bc=,tag:t+MsS0Wgo5papvoeK1nk+g==,type:str]
 kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7GA==,iv:a/R6xlwGdrwJNc7qBoo0Zmlh7GkZ1+uU+RzOxRE+okc=,tag:3WpAVThFLXZFsCIl5xM0IQ==,type:str]
+#ENC[AES256_GCM,data:vm48D/CiRtw=,iv:7Vs8SfqqGEEU64ZqF3uvFIG7DnUfOT3kGqodiIbCwjQ=,tag:hdNZZUMTLIrAGydGSFfP5Q==,type:comment]
+kanidm-firezone-client: ENC[AES256_GCM,data:YD1lkGkg+HxqHrGsbIz2GRq/VMIJqOD+VQ==,iv:AJa/sVAC0s4hdfvQYf+/NaYTJaxO0fdwzNmmD7S+kc8=,tag:JSU6aX8kYbr70+YYwRV56Q==,type:str]
+#ENC[AES256_GCM,data:XS4Kqba//4tVSj8AzyLY19Milwl0w7UkTM48t8m/wyB/P8TgDerxJwOGJvz3uLZJX/EO0/4rKminMYSoMybRnNn4TVv9pa9uV3JEkUsGkFk2abMfBriAQjQgziwLbDZQJmnJs46YD5s+sYELN4MJtwFNg6NzEDATDMWuE4+loyxoqgF/lzG3OFGkDl1R2JkCIOU6NGRqTn8a4XpX+p8U5QrY2V4iBCXajGXrcqLfINYW508feq1TAUZazaNdA+RC2SMvq6Diy8mysP1p/5mGUpIATjmoDqN74Yc5uZAwaenI6jIsfcE4JP5lFy7dHWOfTQS/9MCsEsRN2LWuP0ivaKOgF79ykd4Tb19EACdhpkip8XV0hKHJMuyEr6zJ23dUNtBE,iv:lpA1sk5y4tSk6iXAjArtF4piJW5af3+tIwMos1BpPEU=,tag:479ZIsnwkSSFq+C2a0jHzQ==,type:comment]
+firezone-relay-token: ENC[AES256_GCM,data:QLQ444ocvL1yjXXslo6YzdPUasdt58Qztf6yv4UHh0AZtMVuOcDmUUXdI9Qz0i0J34zGbtcPw/Ac9CzxnF5sRj9v1D6RkfHf642vo2JxcnG+LExHzUFNEhTAXqgLvfdQhi89hQTjSfc/+ryDyf16tTJklX40VitqYLtTEW9CHSHhKrVr7Gx9u5qw1+j0voQbJEs/ojBwsnzNQ4Z7FJgWLBw9FMOQg9sap28m6fBFJNnUGaK2vIUQ1qPXQWyX1YTh6xd0nq/jyB9ctqQczYftgd+wkaEiyMjQJkNk22W/6P1M3biV4L52H7WVVhptB8yWa7TZUXD6GFi3cMTXhn0NhM5FsCJhXeGcnzNmBs8=,iv:RdVXYof5cSMM0WTAoh8SO3jTWyR+XTNmK0U4ezHu76g=,tag:nSw7ykFPYuHq/klTwlNpSQ==,type:str]
+firezone-smtp-password: ENC[AES256_GCM,data:WLj+kcidIMQIP6gPuuIrujA+fHypUpGUFg==,iv:kg96vVaGund6HcXoJltIma9ecv6tK9AxZJf8n62+9aE=,tag:g54wHPhD4qnHlKZQd+MPZw==,type:str]
+#ENC[AES256_GCM,data:aBNmUs9ZW+h5fDMVKdW3WQebJ8zmbHuYmNK9slZx5tZONTfnfnFRYjbzyqFTBKfC0bYjzLYL8AxXiEiPmBo2yLgbXtsOrVMoML3hD9Oi9T/7++BUBpbBQ31cC/EtnALumpes7+hO3DULm5tzWYc9qIz3yB9/gQzuKCqFOB6TCt/PwAKrVKNbcOihx/5xh04s6WyqfSUjWOOcHSY/ng2G7NeYRInLe6TgM6gGQGe2DjXCmNvgxJV2Mh78IWs3yA3aJ9VtrgF5R0PGoqHHZ8GfRZfYn7MBSW2dHztb0oLWux6bnO61Wnm8iDdR7xguQkNXPO0XXIIIO6AOL9duThXYjwQmieqYEEu1BmrvaQ4/tslLHX77axQCm1miwmZP9DoKor3yAziCBMa/pbU5JFlft4QZ2QGY7EreDfBVoDcPjCgA+gXuvq1VozPTiRH+y1hiulGlbGL0TmA=,iv:nsXYOxnWGceyB0aiv0Db7H+oD4hagzwQi96h4mGWD+o=,tag:n4p5Aoh7lYvCRDWRcc9tbQ==,type:comment]
+firezone-adapter-config: ENC[AES256_GCM,data:CPY6DPFJ0OZRJqY0u05rAoc9gfCvHY8fFXkSyKvC+VdjNkC4LwjSJkaBU7aBAyIVsLrLz7cS52fcFfwdnAp/6V7BUDE2qpRdpwuN0ZuTMrnFnmLIi0jy4JXcU5niiClSfulgRfY9Dw9f8oHdYiu+uziVhDdjThx61tNyW+OVMNsKv2avWKqotM/fhBf59hJDS0NwaFi10X4X9Z0Oljd9mHQw+LDJkSTX0dk=,iv:IRn5awskI2mZCzQka6VFvCaNnYATvj6yMH9UWs4vJus=,tag:3gbxkbfwS2mNLkVK9KmTUw==,type:str]
+#ENC[AES256_GCM,data:xZvu7VeZ8IVeiR94gfJR1BB34V1z8ou+YKRrIxlK+qJ8idgzEKXRiWCcdwC345UNIEuVShI8CT7+Bno9c2bllkkKwW4RhSEnMOYo3g+iouKB3p2iwRBX+OEZuWbpoZGDr1KpHLP+ypiTekNOAZgx4EmxQWFL78bBMswoPn/Tv5ahN1Gha75A9iO7nNQgjRIn62s4l+U1cMXDBBKUCIwcfg==,iv:V7G6wGFjSoKNGNuwW4i2U8+zKI8AQm+ATbSLls7688s=,tag:jQqxbMGaJ96fHvPj5Y0CTw==,type:comment]
+#ENC[AES256_GCM,data:td0zw1WORHtMvBO7IK06Of1PoG1QTMiDeJ8KSa4LpLrIgOPTdIg9TkU7UYPNxFD1bVGpU708Rs8Skmyz0v4y9S9H6PM9+4fVij5GN6uaLH/pfMXzaArD8SHbppYQGgpVqsq4kJ+sk02yAjvEM4BBfTpOEPgnu1CSmwlyjw0ysrCwq5YLOYqAQa9rT9uiVCL3FYWuuUzh7SPuRaZouGX2m/MdtQ==,iv:uetwzIK53P3ja94Jw/QDnrel61ducf907mZwB1yy6cQ=,tag:89IjmIvEQs7ayBmuvw3RFQ==,type:comment]
 sops:
    age:
        - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
@ -18,8 +27,8 @@ sops:
            NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS
            ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-04T19:12:20Z"
-    mac: ENC[AES256_GCM,data:WAAHE40CAJgdT1tMYBBuFeSqaziHOvpUKrBlfycHvpXhPZ4Oa8sDElpc1lxp1VY2AVeLkqeAB7bH/HVQYGVJhxbfSVHAXm0kCQTT7yNLW8x7RK8RlwzGq9jDfng5UoA46kP2GWyGbicnaUzaH6gnF0Os3rqAMMhTg8pme7pUVwg=,iv:vJ+XFfGMwmIlgJ9ZSu/+kow4dhVsY5aeB0jPjL4TIpk=,tag:mBZzL2JGFPwIx8hNM09hEw==,type:str]
+    lastmodified: "2025-12-31T22:00:22Z"
+    mac: ENC[AES256_GCM,data:wGGou+Jx0BV3fMI8gF3HL6VW05lz4CSBvjQF8WSbIHoykor4uthR0TN4ndanU3ZPjhU+NRNxIxTs2cFGJOH4YMIG6bGH0WIoFIfw3xkSIT/zAmfK33P7AUV8/vA45TZli5VHf6S/4CUqXfN91qezrMUiUVr+AEeqa/hbOMBO3j8=,iv:TRc4ci8KRF3ZHuqtafqP0AaRMHMlqnhB1psGbuL4zms=,tag:aTFxdF5qpkGEYvwwj7Q4SQ==,type:str]
    pgp:
        - created_at: "2025-12-01T23:06:35Z"
          enc: |-