ready for runners

2025-06-06 23:32:17 +02:00 · 2025-06-06 23:32:17 +02:00 · 7dd5043b5d
commit 7dd5043b5d
parent fc9971ddc9
49 changed files with 2569 additions and 1085 deletions
--- a/nixos/hosts/vpn/README.md
+++ b/nixos/hosts/vpn/README.md
@ -0,0 +1,127 @@
+Great question — and you're absolutely right to ask.
+
+You **don’t need** Innernet or Headscale+patch *if* you're comfortable building a small self-hosted portal that handles:
+
+* ✅ OIDC login
+* ✅ WireGuard peer key management
+* ✅ Config generation and download
+
+So let’s break it down:
+
+---
+
+## 🧩 Why *Innernet* and *Headscale+patch* Exist
+
+Those tools solve **user/device coordination**, dynamic routing, and access control *automatically*, **with batteries included**. They're great if you want a more managed, “plug-and-play” experience. Specifically:
+
+| Tool                     | Purpose                                                           |
+| ------------------------ | ----------------------------------------------------------------- |
+| **Innernet**             | Full WireGuard-based mesh + OIDC login + per-device management    |
+| **Headscale**            | Tailscale backend, enables user login + ACL + device coordination |
+| **Headscale+OIDC patch** | Add OIDC login to Headscale (by default, only pre-shared keys)    |
+
+These tools do things like:
+
+* Assign IPs/DNS names to users
+* Regenerate keys
+* Handle coordination between peers
+* Gate access with identity
+
+---
+
+## 🛠️ Why You *Don’t* Need Them (Your Custom Portal Idea)
+
+If you're fine with:
+
+* Managing WireGuard server and IPs manually
+* Writing a small web service to issue `.conf` files after login
+* Using firewall rules for access control
+
+Then you absolutely **can** build a custom system around **WireGuard + OIDC** like this:
+
+---
+
+### 🧱 Architecture: WireGuard + OIDC + Config Generator
+
+```
+                 ┌──────────────┐
+                 │ Your OIDC    │
+                 │ provider     │◄────── Google, Authentik, Keycloak
+                 └─────┬────────┘
+                       │
+                  (OIDC Login)
+                       │
+              ┌────────▼────────┐
+              │ Web Portal      │◄────── nginx + Go, Node.js, Flask, etc.
+              │ (self-hosted)   │
+              └──┬────────────┬─┘
+      Gen Keys  │            │ Serve config
+     & register │            └─────> `client.conf` / QR code
+                ▼
+      ┌──────────────────────┐
+      │ WireGuard server     │ (NixOS)
+      │ - Handles all peers  │
+      └──────────────────────┘
+```
+
+---
+
+### 🔐 What Your Portal Needs to Do
+
+* Authenticate via OIDC (OAuth2 flow)
+* Store a list of "authorized users"
+* When a user logs in:
+
+  * Check if they already have a WireGuard peer entry
+  * If not: generate a keypair, assign IP (e.g. `10.100.0.5`)
+  * Append to server config (`/etc/wireguard/wg0.conf`) or use `wg set`
+  * Return config file or QR code for the mobile client
+
+---
+
+## ✅ Benefits of This DIY Approach
+
+* 💡 Full control: you own every step
+* 🔐 OIDC is the gatekeeper (centrally managed access)
+* ⚡ No extra daemon/software overhead (just WireGuard + your app)
+* 🧩 Easily extensible (e.g., device limits, IP lease expiration)
+
+---
+
+## ⚙️ Tools You Can Use
+
+| Purpose                | Tools                                                                      |
+| ---------------------- | -------------------------------------------------------------------------- |
+| OIDC Auth              | [Dex](https://github.com/dexidp/dex), Keycloak, Authentik, or Firebase     |
+| Web Portal Backend     | Node.js (Express), Go, Flask, FastAPI                                      |
+| Config Template Engine | Go templates, EJS, Jinja2                                                  |
+| WireGuard Integration  | `wg`, `wg-quick`, or directly edit `wg0.conf`                              |
+| NixOS Support          | Use `networking.wireguard.interfaces.wg0.peers` to declaratively add peers |
+
+---
+
+## 🧪 Bonus Features You Could Build
+
+* 🔐 Per-user firewall rules
+* 🔁 One-time config URLs (`vpn.mydomain.com/invite/xyz`)
+* 🔐 Optional Authelia/Keycloak MFA
+* 📉 Dashboard with currently active peers (use `wg show`)
+
+---
+
+## ✨ Summary
+
+| Option            | You Need Innernet / Headscale? | Login via OIDC? | DNS Routing? | Complexity |
+| ----------------- | ------------------------------ | --------------- | ------------ | ---------- |
+| Your own portal   | ❌ No                           | ✅ Yes           | ❌ Manual     | 🟡 Medium  |
+| Innernet          | ✅ Yes                          | ✅ Yes           | ✅ Built-in   | 🟠 Medium  |
+| Headscale + patch | ✅ Yes                          | ✅ Yes           | ✅ Built-in   | 🔴 High    |
+
+You’re on a great path by choosing the custom VPN portal idea.
+Let me know if you'd like:
+
+* A **sample architecture repo**
+* A **NixOS module to support peer configs**
+* Help building the **login + config generator backend**
+
+I can generate a Nix flake and a working OIDC portal template to kickstart the project.