diff --git a/.sops.yaml b/.sops.yaml
index 1a20418..aa88f9f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -27,3 +27,10 @@ creation_rules:
 - *workstation
 - *server
 - *miniserver
+ - path_regex: secrets/wireguard.yaml$
+ key_groups:
+ - age:
+ - *devkey
+ - *workstation
+ - *server
+ - *miniserver
diff --git a/hosts/miniserver/configuration.nix b/hosts/miniserver/configuration.nix
index 9734841..b9803e6 100644
--- a/hosts/miniserver/configuration.nix
+++ b/hosts/miniserver/configuration.nix
@@ -8,7 +8,10 @@
 my = {
 emacs.enable = true;
 apps.dictionaries.enable = true;
- services.network.enable = true;
+ services = {
+ network.enable = true;
+ wireguard.enable = true;
+ };
 enableProxy = true;
 shell = {
 tools.enable = true;
diff --git a/modules/services.nix b/modules/services.nix
index b51fda4..a6e7b21 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -5,11 +5,13 @@
 ./services/nvidia.nix
 ./services/printing.nix
 ./services/sound.nix
+ ./services/wireguard.nix
 ];
 my.services = {
 network.enable = lib.mkDefault false;
 nvidia.enable = lib.mkDefault false;
 printing.enable = lib.mkDefault false;
 sound.enable = lib.mkDefault false;
+ wireguard.enable = lib.mkDefault false;
 };
 }
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
new file mode 100644
index 0000000..b221259
--- /dev/null
+++ b/modules/services/wireguard.nix
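Review bot: The new creation rule for secrets/wireguard.yaml lets all four age recipients (devkey, workstation, server, miniserver) decrypt the WireGuard private key, while the only consumer visible in this diff is miniserver (hosts/miniserver/configuration.nix is the sole host that sets my.services.wireguard.enable). Unless workstation and server genuinely need this key, narrowing the group to `- *devkey` and `- *miniserver` keeps a compromise of either of the other hosts' age identities from exposing the tunnel key. The rule was presumably copied from the preceding one, which is why it carries the wider set; after narrowing, the encrypted file would need `sops updatekeys secrets/wireguard.yaml` to drop the extra recipients.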
@@ -0,0 +1,40 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ port = 51820;
+in
+{
+ options.my.services.wireguard.enable = lib.mkEnableOption "enable";
+ config = lib.mkIf config.my.services.wireguard.enable {
+ sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
+ networking = {
+ firewall.allowedUDPPorts = [ port ];
+ nat = {
+ enable = true;
+ externalInterface = "enp2s0";
+ internalInterfaces = [ "wg0" ];
+ };
+ wireguard.interfaces.wg0 = {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = port;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+ privateKeyFile = config.sops.secrets."wireguard/private".path;
+ peers = [
+ {
+ publicKey = "p9zdJPe4ZfCal6+6N1Vay0sCyFv53LbXevOqzJddE2c=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/secrets/wireguard.yaml b/secrets/wireguard.yaml
new file mode 100644
index 0000000..a18508b
--- /dev/null
+++ b/secrets/wireguard.yaml
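Review bot: The postSetup and postShutdown hooks masquerade traffic out `-o eth0`, but the same hunk sets `networking.nat.externalInterface = "enp2s0"`, so on a host whose uplink really is enp2s0 the hand-written MASQUERADE rule never matches and the shutdown hook tries to delete a rule that was never effective. Since `networking.nat` with `internalInterfaces = [ "wg0" ]` already installs the masquerade for wg0 toward the external interface, the two hooks look redundant and can be dropped; if they are kept for a reason not visible here, at least make them agree with the NAT block, e.g. `-o enp2s0` in both, or hoist the interface name into the `let` next to `port` so the two cannot drift apart again. Separately, `lib.mkEnableOption "enable"` yields the option description "Whether to enable enable."; something like `lib.mkEnableOption "the WireGuard server on wg0"` reads correctly in generated docs.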
@@ -0,0 +1,50 @@ +wireguard: + private: ENC[AES256_GCM,data:wwggc9T88gK/EMmjPauf14DZGUnfipBpfN3FnlPhsO6FtVmK2aad/D0/Rqw=,iv:Q15iiEOFRa3bPf7NfZcEZOgEqnjIJPenYgE6c6HRYI8=,tag:x+auLhc/FDhxZxzWmcrX9Q==,type:str] + public: ENC[AES256_GCM,data:uelp1opnLR5EfvNBSA3Sk33ktMoG6+Pvj7oKYtdlCpXMZel9O8G7P4X5S2M=,iv:AQECJmnXSc2MM0pT8ZJtA51pn+tvhhyAxFDMBH/H6wA=,tag:yWsnQbHaeiXyPLbpxMZwsg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTXplR3BHYzl1bmxuSzlW + ZVQvTlg2amFnMCtTKzRoZXNYaXBNcmRyWGhZCmpLT1NqbGRtUFpxUzlTMFdYemRJ + ZXF6c2dhOG9LbXVkczU0N1RVK1lqajAKLS0tIHFmQ0FrbVQ2QldiUS9oT2J2RkU0 + N0pFQ095Uzdid2NmZXRVZ2l6N285bFUKG52XE8nf9GfESCfNfoP6L8GxLfvrihs4 + CaZSkRzkuZUsfBND0B2BX/UlrjVHWPQCYMqqTtMpLXoRSmRsvWYCTA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdWpKeU90cTV6blNZckt0 + a2hpWms2b1ZuKzEwZUZFbEp0bFlPellVaHdVCkF5RENObjMvalJNc2FNYXk1UUxR + anE0SUI5ZWY5ZUlteVArSVN4T01DS2MKLS0tIEpDWDkzWm1mampQZDkwRCt5STVk + RHg4UklFQUp1KzFWRnpDOEIzRVJWZ2sKyS6bXtqJ3J7FrCyTa16Ithy2JS4HdkOg + NzTn/6RL+F61PLDGvEEa7Ypk/OGIjfJYxDQ5Sd9LODja47jIK5T6Aw== + -----END AGE ENCRYPTED FILE----- + - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueWZlTThKV1d5UEpJUVBE + SlFDMmFYSVREWXVvaDZYWk5TYXFRdTlpeVFZCnM4K3FYNk9hZ3R1K3c3Y0lURzZx + ZXdsWFNNSSt1VUtZdmRUUFdEK3BEdUkKLS0tIHB6ckZPMUkyM0ljK0RScWJSQlIz + UzVRQ3JzS1Q3N3EzTkhpNDZwZEtPbm8K0BzKOk9ljAnc5eydHfNha/QPfq9Eltfb + X/pNFkeW/b6FgLwo+3pc+NfgOFvpOuq7/bRWUCxGSJP/4w9+9q1a6A== + -----END AGE ENCRYPTED FILE----- + - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + enc: | 
+ -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkV1Fsb3FMZGxGZ1A5dk9y + SllKMjZRby9KNzhVSUVpODh0MW1Ya1JzdzBjCjZmQUFoaCtTSS9ybE1hVjExaFVR + bWlKcFdlQmRIdEJrUE5jKzRlNFdQTVEKLS0tIEtMOW8xb2hLOGluMnVDaWxFMXQw + KzZFSWprL0l0MDdVdEVKbEV5eklZdTAK/1ZyGvElfp+LVloSR6aJUtvrgU0CrzaJ + SQtO7vc4oDedkiTz6LKySta+uyn3e17Jzdyy9nU2D/Q5X+CpKGP3cg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-28T08:01:15Z" + mac: ENC[AES256_GCM,data:z0p6P8kYCGqSAXrMnPqbM1ucRfBgjSlJQvHr4eElXSUKX3bWw5NIILWe7tOAVelCyIxcuTXAQQol6FInYyUfoR0L0mRgyNyV2AnaXpXGcHQ3V9bIPDpnP8OS9NMAIH4gUWKm347hbVnhd3otKyO+S/LvX2y9VT5WEUam01hBQzc=,iv:ucmFAi7RY9QzghmbADh4qPRtAEFCeHqXLJd/ccanVx8=,tag:eSN/Ck8ywWgaPVP6RSxmtA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1