wireguard: added configuration
This commit is contained in:
parent
a2e3d507f9
commit
cd96add85a
|
@ -15,5 +15,6 @@ in
|
||||||
stubby.enable = mkEnableOption "stubby";
|
stubby.enable = mkEnableOption "stubby";
|
||||||
jellyfin.enable = mkEnableOption "jellyfin";
|
jellyfin.enable = mkEnableOption "jellyfin";
|
||||||
rust-motd.enable = mkEnableOption "rust-motd";
|
rust-motd.enable = mkEnableOption "rust-motd";
|
||||||
|
wireguard.enable = mkEnableOption "wireguard";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -45,10 +45,11 @@
|
||||||
samba.enable = true;
|
samba.enable = true;
|
||||||
nextcloud.enable = true;
|
nextcloud.enable = true;
|
||||||
syncthing.enable = true;
|
syncthing.enable = true;
|
||||||
openvpn.enable = true;
|
openvpn.enable = false;
|
||||||
stubby.enable = true;
|
stubby.enable = true;
|
||||||
jellyfin.enable = true;
|
jellyfin.enable = true;
|
||||||
rust-motd.enable = true;
|
rust-motd.enable = true;
|
||||||
|
wireguard.enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
25
secrets/wireguard.yaml
Normal file
25
secrets/wireguard.yaml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
wireguard:
|
||||||
|
private_keys:
|
||||||
|
server: ENC[AES256_GCM,data:YMk7ovSiX+vWsTEw1pwVLnLXTxFZwNbAlc9jdOamMJ3RwRePI1gpocg6ygQ=,iv:KteQl87XR6qs8uGX6v5AcSkl/X9/U5HvsDTqQx5ewCc=,tag:bERlujgiMOCfU9PzgFyUaQ==,type:str]
|
||||||
|
laptop: ENC[AES256_GCM,data:IuXyPe8WoiJ5eU4YCurSIQm9KfnM7isu3lgMuEnwDUDBG6YVtQxaEe2DAa4=,iv:leaYu6Wn/SanZp9//6/ssiFcUq2Z2lIrTP+NkXgdjZ8=,tag:7eSmYjs+y7qnnqfZMFZWfg==,type:str]
|
||||||
|
phone: ENC[AES256_GCM,data:n/RpqkgQ8NsuPf/K4aWhkxKlJ7KQJ3ogy+sihS/BeU5/NlrqTC7Qc7SJzdU=,iv:oZCTSnSl4IYQEBM514e6dn+HqyBK5IoHjPJ2l2ekBps=,tag:Ld1TzK/65kHkaW9qnvWmlQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ODgrS1Y1dERLWWFEYTBY
|
||||||
|
Ti9zTWYwdlBhVlJIM3hLVUt4TzdmRUZTakRjCkVMOEhQbHBua0JNRVNGbEJJZ2hW
|
||||||
|
RDhRYzhKWFlDTjJwS0ZCRzA1RFBtY1EKLS0tIGJGcCszd1VaM1NMdnRuazgzT3ox
|
||||||
|
U3MwaXpzNjZMdjY2UFhOM3dmdUdXdXcKp+1e2vPXL9xoNzepobH8Z23YaAxmOV44
|
||||||
|
9KYdsjudhLSSbQvVpvSca++WChWlMNHNq+5PgLy7uinP5lOocQUajQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-06-23T12:13:05Z"
|
||||||
|
mac: ENC[AES256_GCM,data:DaLwpgmaRkiNM4AjbDxf2fH8dbGZ8DKx8rAoyJNnvTVlO4bKt31/yMGeCH6VW0SC0RApRc8NrBgdH3uYHAsSxDlwj/eXXVDAPrjjAhXTmABPGXLtMIK0LYhfq4nu5d5zsIaV1vrAsAmjcSm35FrttYsPMpL7V00Ah3pOlo6UCSA=,iv:qZlM2cgeWSWSKEVZJzojOk4cCWeG3GHD9axwi2WSeFQ=,tag:pbUwOBytwNuFmABuICYa9Q==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -12,5 +12,6 @@
|
||||||
./samba.nix
|
./samba.nix
|
||||||
./stubby.nix
|
./stubby.nix
|
||||||
./syncthing.nix
|
./syncthing.nix
|
||||||
|
./wireguard.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -73,6 +73,11 @@ in
|
||||||
id = "OpenVPN";
|
id = "OpenVPN";
|
||||||
devices = lib.attrsets.mapAttrsToList (key: _value: key) config.services.syncthing.settings.devices;
|
devices = lib.attrsets.mapAttrsToList (key: _value: key) config.services.syncthing.settings.devices;
|
||||||
};
|
};
|
||||||
|
"/nas/Syncthing/Sync/WireGuard" = {
|
||||||
|
label = "WireGuard";
|
||||||
|
id = "WireGuard";
|
||||||
|
devices = lib.attrsets.mapAttrsToList (key: _value: key) config.services.syncthing.settings.devices;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
devices = {
|
devices = {
|
||||||
s20fe = {
|
s20fe = {
|
||||||
|
|
114
system/services/wireguard.nix
Normal file
114
system/services/wireguard.nix
Normal file
|
@ -0,0 +1,114 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.profile.services.wireguard;
|
||||||
|
externalInterface = config.profile.networking.externalInterface;
|
||||||
|
devices = [
|
||||||
|
{
|
||||||
|
name = "phone";
|
||||||
|
ip = "10.100.0.2";
|
||||||
|
secret = "wireguard/private_keys/phone";
|
||||||
|
publicKey = "27GSz9iWqtg23sWcwIQI3VglNtE/RWykv+nZUrmHHxA=";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "laptop";
|
||||||
|
ip = "10.100.0.3";
|
||||||
|
secret = "wireguard/private_keys/laptop";
|
||||||
|
publicKey = "5nporvzbJtTQC9Hek8JBJNIF+wGlWUj4En2w9DrvaV0=";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
serverPublicKey = "GDRUvnKUPNzwAloQ5fxvdHoVw4D1YbdCR0GyiOyyB38=";
|
||||||
|
sopsFile = ../../secrets/wireguard.yaml;
|
||||||
|
inherit (lib) mkIf mergeAttrsList generators;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
sops.secrets = mergeAttrsList ([
|
||||||
|
{
|
||||||
|
"wireguard/private_keys/server" = { inherit sopsFile; };
|
||||||
|
}
|
||||||
|
] ++
|
||||||
|
(map (device: { ${device.secret} = { inherit sopsFile; }; }) devices)
|
||||||
|
);
|
||||||
|
|
||||||
|
sops.templates =
|
||||||
|
let
|
||||||
|
template = { privateKey, ip }:
|
||||||
|
# ''
|
||||||
|
# [Interface]
|
||||||
|
# Address = ${ip}/32
|
||||||
|
# PrivateKey = ${privateKey}
|
||||||
|
# DNS = 192.168.100.3
|
||||||
|
#
|
||||||
|
# [Peer]
|
||||||
|
# PublicKey = ${serverPublicKey}
|
||||||
|
# Endpoint = vpn.tigor.web.id:51820
|
||||||
|
# AllowedIPs = 0.0.0.0/0, ::/0
|
||||||
|
# '';
|
||||||
|
generators.toINI ({ }) {
|
||||||
|
Interface = {
|
||||||
|
Address = "${ip}/32";
|
||||||
|
PrivateKey = privateKey;
|
||||||
|
DNS = "192.168.100.3";
|
||||||
|
};
|
||||||
|
|
||||||
|
Peer = {
|
||||||
|
PublicKey = serverPublicKey;
|
||||||
|
Endpoint = "vpn.tigor.web.id:51820";
|
||||||
|
AllowedIPs = "0.0.0.0/0, ::/0";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
mergeAttrsList (map
|
||||||
|
(device: {
|
||||||
|
"wireguard/clients/${device.name}" = {
|
||||||
|
content = template {
|
||||||
|
privateKey = config.sops.placeholder.${device.secret};
|
||||||
|
ip = device.ip;
|
||||||
|
};
|
||||||
|
path = "/nas/Syncthing/Sync/WireGuard/${device.name}.conf";
|
||||||
|
owner = config.profile.user.name;
|
||||||
|
};
|
||||||
|
})
|
||||||
|
devices
|
||||||
|
);
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
nat = {
|
||||||
|
enable = true;
|
||||||
|
inherit externalInterface;
|
||||||
|
internalInterfaces = [ "wg0" ];
|
||||||
|
};
|
||||||
|
firewall.allowedUDPPorts = [ 51820 ];
|
||||||
|
|
||||||
|
wireguard.interfaces = {
|
||||||
|
wg0 = {
|
||||||
|
# Determines the IP address and subnet of the server's end of the tunnel interface.
|
||||||
|
ips = [ "10.100.0.1/16" ];
|
||||||
|
|
||||||
|
# The port that WireGuard listens to. Must be accessible by the client.
|
||||||
|
listenPort = 51820;
|
||||||
|
|
||||||
|
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
||||||
|
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
|
||||||
|
postSetup = ''
|
||||||
|
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
|
||||||
|
'';
|
||||||
|
|
||||||
|
# This undoes the above command
|
||||||
|
postShutdown = ''
|
||||||
|
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
|
||||||
|
'';
|
||||||
|
|
||||||
|
privateKeyFile = config.sops.secrets."wireguard/private_keys/server".path;
|
||||||
|
|
||||||
|
peers = map
|
||||||
|
(device: {
|
||||||
|
publicKey = device.publicKey;
|
||||||
|
allowedIPs = [ device.ip ];
|
||||||
|
})
|
||||||
|
devices;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue