wireguard setup and works

This commit is contained in:
Danilo Reyes 2024-09-28 02:10:23 -06:00
parent 5b2c478cb4
commit 0e1ad747b4
5 changed files with 103 additions and 1 deletions


@ -27,3 +27,10 @@ creation_rules:
- *workstation - *workstation
- *server - *server
- *miniserver - *miniserver
- path_regex: secrets/wireguard.yaml$
key_groups:
- age:
- *devkey
- *workstation
- *server
- *miniserver
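Review bot: The new rule at `path_regex: secrets/wireguard.yaml$` lets every host group (`*workstation`, `*server`, `*miniserver`) decrypt the WireGuard private key, although only the one host that sets `services.wireguard.enable = true` in this commit consumes it; the four age recipients in `secrets/wireguard.yaml` reflect the same breadth. Narrowing `key_groups` for this file to `*devkey` plus the key of that single host means a compromise of any other machine no longer exposes the tunnel's private key, and the file can be re-encrypted afterwards with `sops updatekeys secrets/wireguard.yaml`. The enclosing `creation_rules` list starts outside the hunk.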


@ -8,7 +8,10 @@
my = { my = {
emacs.enable = true; emacs.enable = true;
apps.dictionaries.enable = true; apps.dictionaries.enable = true;
services.network.enable = true; services = {
network.enable = true;
wireguard.enable = true;
};
enableProxy = true; enableProxy = true;
shell = { shell = {
tools.enable = true; tools.enable = true;


@ -5,11 +5,13 @@
./services/nvidia.nix ./services/nvidia.nix
./services/printing.nix ./services/printing.nix
./services/sound.nix ./services/sound.nix
./services/wireguard.nix
]; ];
my.services = { my.services = {
network.enable = lib.mkDefault false; network.enable = lib.mkDefault false;
nvidia.enable = lib.mkDefault false; nvidia.enable = lib.mkDefault false;
printing.enable = lib.mkDefault false; printing.enable = lib.mkDefault false;
sound.enable = lib.mkDefault false; sound.enable = lib.mkDefault false;
wireguard.enable = lib.mkDefault false;
}; };
} }


@ -0,0 +1,40 @@
{
config,
lib,
pkgs,
...
}:
let
port = 51820;
in
{
options.my.services.wireguard.enable = lib.mkEnableOption "enable";
config = lib.mkIf config.my.services.wireguard.enable {
sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
networking = {
firewall.allowedUDPPorts = [ port ];
nat = {
enable = true;
externalInterface = "enp2s0";
internalInterfaces = [ "wg0" ];
};
wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = port;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
privateKeyFile = config.sops.secrets."wireguard/private".path;
peers = [
{
publicKey = "p9zdJPe4ZfCal6+6N1Vay0sCyFv53LbXevOqzJddE2c=";
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
};
}
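Review bot: The MASQUERADE rules in `postSetup` and `postShutdown` use `-o eth0` while `networking.nat.externalInterface` is set to `"enp2s0"`; whichever name is the real uplink, the two disagree, so one of the two NAT paths is a no-op and the rule pair may silently stop matching after an interface rename. Because `networking.nat.enable = true` with `internalInterfaces = [ "wg0" ]` already has NixOS install a masquerade rule for the external interface, the hand-written iptables lines appear redundant and could be removed; if they are kept, bind the name once, e.g. `extIf = "enp2s0";` in the `let` block and `-o ${extIf}` in both rules, so the firewall and NAT config cannot drift apart. Separately, `lib.mkEnableOption "enable"` renders in the option docs as "Whether to enable enable."; `lib.mkEnableOption "the WireGuard server on wg0"` reads correctly.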

secrets/wireguard.yaml Normal file

@ -0,0 +1,50 @@
wireguard:
private: ENC[AES256_GCM,data:wwggc9T88gK/EMmjPauf14DZGUnfipBpfN3FnlPhsO6FtVmK2aad/D0/Rqw=,iv:Q15iiEOFRa3bPf7NfZcEZOgEqnjIJPenYgE6c6HRYI8=,tag:x+auLhc/FDhxZxzWmcrX9Q==,type:str]
public: ENC[AES256_GCM,data:uelp1opnLR5EfvNBSA3Sk33ktMoG6+Pvj7oKYtdlCpXMZel9O8G7P4X5S2M=,iv:AQECJmnXSc2MM0pT8ZJtA51pn+tvhhyAxFDMBH/H6wA=,tag:yWsnQbHaeiXyPLbpxMZwsg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTXplR3BHYzl1bmxuSzlW
ZVQvTlg2amFnMCtTKzRoZXNYaXBNcmRyWGhZCmpLT1NqbGRtUFpxUzlTMFdYemRJ
ZXF6c2dhOG9LbXVkczU0N1RVK1lqajAKLS0tIHFmQ0FrbVQ2QldiUS9oT2J2RkU0
N0pFQ095Uzdid2NmZXRVZ2l6N285bFUKG52XE8nf9GfESCfNfoP6L8GxLfvrihs4
CaZSkRzkuZUsfBND0B2BX/UlrjVHWPQCYMqqTtMpLXoRSmRsvWYCTA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdWpKeU90cTV6blNZckt0
a2hpWms2b1ZuKzEwZUZFbEp0bFlPellVaHdVCkF5RENObjMvalJNc2FNYXk1UUxR
anE0SUI5ZWY5ZUlteVArSVN4T01DS2MKLS0tIEpDWDkzWm1mampQZDkwRCt5STVk
RHg4UklFQUp1KzFWRnpDOEIzRVJWZ2sKyS6bXtqJ3J7FrCyTa16Ithy2JS4HdkOg
NzTn/6RL+F61PLDGvEEa7Ypk/OGIjfJYxDQ5Sd9LODja47jIK5T6Aw==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueWZlTThKV1d5UEpJUVBE
SlFDMmFYSVREWXVvaDZYWk5TYXFRdTlpeVFZCnM4K3FYNk9hZ3R1K3c3Y0lURzZx
ZXdsWFNNSSt1VUtZdmRUUFdEK3BEdUkKLS0tIHB6ckZPMUkyM0ljK0RScWJSQlIz
UzVRQ3JzS1Q3N3EzTkhpNDZwZEtPbm8K0BzKOk9ljAnc5eydHfNha/QPfq9Eltfb
X/pNFkeW/b6FgLwo+3pc+NfgOFvpOuq7/bRWUCxGSJP/4w9+9q1a6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkV1Fsb3FMZGxGZ1A5dk9y
SllKMjZRby9KNzhVSUVpODh0MW1Ya1JzdzBjCjZmQUFoaCtTSS9ybE1hVjExaFVR
bWlKcFdlQmRIdEJrUE5jKzRlNFdQTVEKLS0tIEtMOW8xb2hLOGluMnVDaWxFMXQw
KzZFSWprL0l0MDdVdEVKbEV5eklZdTAK/1ZyGvElfp+LVloSR6aJUtvrgU0CrzaJ
SQtO7vc4oDedkiTz6LKySta+uyn3e17Jzdyy9nU2D/Q5X+CpKGP3cg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-28T08:01:15Z"
mac: ENC[AES256_GCM,data:z0p6P8kYCGqSAXrMnPqbM1ucRfBgjSlJQvHr4eElXSUKX3bWw5NIILWe7tOAVelCyIxcuTXAQQol6FInYyUfoR0L0mRgyNyV2AnaXpXGcHQ3V9bIPDpnP8OS9NMAIH4gUWKm347hbVnhd3otKyO+S/LvX2y9VT5WEUam01hBQzc=,iv:ucmFAi7RY9QzghmbADh4qPRtAEFCeHqXLJd/ccanVx8=,tag:eSN/Ck8ywWgaPVP6RSxmtA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1