jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
NixOS/hosts/linode/wireguard-linode.nix
Danilo Reyes 667b4c7a46 Refactor WireGuard secret paths for Linode configuration 
- Updated secret paths in wireguard-linode.nix and configuration.nix to use 'linode' instead of 'wireguard' for clarity and consistency.
- Adjusted private key file references in wireguard.nix to align with the new secret path structure.
2025-10-28 13:53:18 -06:00

77 lines
3.3 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
{
config = lib.mkIf config.my.services.wireguard.enable {
sops.secrets."linode/linode/private" = lib.mkIf config.my.secureHost {
sopsFile = ../../secrets/wireguard.yaml;
};
networking = {
nat = {
enable = true;
externalInterface = config.my.interfaces.${config.networking.hostName};
internalInterfaces = [ "wg0" ];
};
firewall = {
allowedUDPPorts = [ 51820 ];
extraCommands = ''
iptables -I FORWARD 1 -s ${config.my.ips.wg-friend1} -d ${config.my.ips.wg-server} -p tcp --dport 22000 -j ACCEPT
iptables -I FORWARD 2 -s ${config.my.ips.wg-server} -d ${config.my.ips.wg-friend1} -p tcp --sport 22000 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -s ${config.my.ips.wg-friends}/24 -d 10.77.0.0/24 -j DROP
iptables -I FORWARD 4 -s 10.77.0.0/24 -d ${config.my.ips.wg-friends}/24 -j DROP
iptables -A FORWARD -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
'';
extraStopCommands = ''
iptables -D FORWARD -s ${config.my.ips.wg-friend1} -d ${config.my.ips.wg-server} -p tcp --dport 22000 -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s ${config.my.ips.wg-server} -d ${config.my.ips.wg-friend1} -p tcp --sport 22000 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s ${config.my.ips.wg-friends}/24 -d 10.77.0.0/24 -j DROP 2>/dev/null || true
iptables -D FORWARD -s 10.77.0.0/24 -d ${config.my.ips.wg-friends}/24 -j DROP 2>/dev/null || true
iptables -D FORWARD -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
'';
};
wireguard.interfaces.wg0 = {
ips = [
"${config.my.ips.wg-linode}/24"
"${config.my.ips.wg-friends}/24"
];
listenPort = 51820;
privateKeyFile =
if config.my.secureHost then
config.sops.secrets."linode/linode/private".path
else
"/var/lib/wireguard/private.key";
postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j MASQUERADE";
postShutdown = "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j MASQUERADE 2>/dev/null || true";
peers = [
{
publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
allowedIPs = [ "${config.my.ips.wg-server}/32" ];
}
{
publicKey = "rFgT6TXzRazK6GMazMNGjtOvzAAPST0LvCfN7QXsLho=";
allowedIPs = [ "${config.my.ips.wg-friend1}/32" ];
}
];
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
environment.systemPackages = [ pkgs.wireguard-tools ];
};
}
Reference in New Issue View Git Blame Copy Permalink