56 lines
1.4 KiB
Nix
56 lines
1.4 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
wgInterface = "wg0";
|
|
wgWorkstationIp = config.my.ips.wg-workstation;
|
|
in
|
|
{
|
|
networking = {
|
|
wireguard.interfaces.${wgInterface} = lib.mkIf config.my.secureHost {
|
|
ips = [ "${wgWorkstationIp}/32" ];
|
|
privateKeyFile = config.sops.secrets."workstation/private".path;
|
|
peers = [
|
|
{
|
|
publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
|
|
endpoint = "${config.my.ips.vps}:51820";
|
|
persistentKeepalive = 25;
|
|
allowedIPs = [
|
|
"${config.my.ips.wg-vps}/32"
|
|
config.my.subnets.wg-homelab
|
|
];
|
|
}
|
|
];
|
|
};
|
|
firewall = {
|
|
allowedTCPPorts = [
|
|
config.my.ports.nsUsbloader
|
|
config.my.ports.syncthingGui
|
|
];
|
|
allowedTCPPortRanges = [
|
|
{
|
|
from = 1714;
|
|
to = 1764;
|
|
}
|
|
];
|
|
interfaces.${wgInterface}.allowedTCPPorts = [
|
|
config.services.ollama.port
|
|
config.services.open-webui.port
|
|
config.services.sillytavern.port
|
|
config.my.ports.comfyui
|
|
];
|
|
};
|
|
nftables.tables.wg-local-redirect = {
|
|
family = "ip";
|
|
content = ''
|
|
chain prerouting {
|
|
type nat hook prerouting priority dstnat;
|
|
iifname "${wgInterface}" ip daddr ${wgWorkstationIp}/32 tcp dport ${toString config.my.ports.sillytavern} redirect to :${toString config.my.ports.sillytavern}
|
|
}
|
|
'';
|
|
};
|
|
};
|
|
}
|