cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

make wireguard finally work on client

Browse source
This commit is contained in:
cy 2024-12-14 18:22:05 -05:00
parent a6b5907879
commit 0385a8c4ef
3 changed files with 27 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nix/hosts/ytnix/.sops.yaml
View file

@ -1,7 +1,7 @@
keys: keys:
- &primary age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 - &primary age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
creation_rules: creation_rules:
- path_regex: secrets/secrets.yaml$ - path_regex: secrets.yaml$
key_groups: key_groups:
- age: - age:
- *primary - *primary

40
nix/hosts/ytnix/default.nix
View file

@ -18,6 +18,8 @@
"borg/yt" = {}; "borg/yt" = {};
"azure" = {}; "azure" = {};
"ntfy" = {}; "ntfy" = {};
"wireguard/private" = {};
"wireguard/psk" = {};
}; };
boot = { boot = {
@ -34,7 +36,6 @@
networking = { networking = {
hostName = "ytnix"; hostName = "ytnix";
# nftables.enable = true;
wireless.iwd = { wireless.iwd = {
enable = true; enable = true;
settings = { settings = {
@ -50,10 +51,11 @@
dns = "none"; dns = "none";
wifi.backend = "iwd"; wifi.backend = "iwd";
}; };
nameservers = ["127.0.0.1" "::1"]; nameservers = ["31.59.129.225" "2a0f:85c1:840:2bfb::1"];
resolvconf.enable = true; resolvconf.enable = true;
firewall = { firewall = {
trustedInterfaces = ["wgnord"]; allowedUDPPorts = [ 51820 ]; # for wireguard
trustedInterfaces = [ "wg0" ];
}; };
}; };
programs.nm-applet.enable = true; programs.nm-applet.enable = true;
@ -110,7 +112,6 @@
dnsutils dnsutils
age age
compsize compsize
wgnord
wireguard-tools wireguard-tools
traceroute traceroute
sops sops
@ -229,22 +230,6 @@
}; };
programs.virt-manager.enable = true; programs.virt-manager.enable = true;
services.dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = true;
require_dnssec = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
};
};
services.usbmuxd.enable = true; services.usbmuxd.enable = true;
programs.nix-ld.enable = true; programs.nix-ld.enable = true;
programs.evolution.enable = true; programs.evolution.enable = true;
@ -278,4 +263,19 @@
}; };
services.ollama.enable = true; services.ollama.enable = true;
# wireguard setup
networking.wg-quick.interfaces.wg0 = {
address = [ "10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64" ];
privateKeyFile = "/run/secrets/wireguard/private";
peers = [
{
publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "31.59.129.225:51820";
persistentKeepalive = 25;
presharedKeyFile = "/run/secrets/wireguard/psk";
}
];
};
} }

9
nix/hosts/ytnix/secrets.yaml
View file

@ -4,6 +4,9 @@ restic:
azure-yt: ENC[AES256_GCM,data:s8TJ5cNVW2Jr7kyul8mrBGwdLoTlNTb2MfpZgPU=,iv:sC0DbgFbFl6vvLqwOFDwRa3nabrIWxOTuz7GXn17IHk=,tag:2MYprYgNhh1aFlzuyw5eGQ==,type:str] azure-yt: ENC[AES256_GCM,data:s8TJ5cNVW2Jr7kyul8mrBGwdLoTlNTb2MfpZgPU=,iv:sC0DbgFbFl6vvLqwOFDwRa3nabrIWxOTuz7GXn17IHk=,tag:2MYprYgNhh1aFlzuyw5eGQ==,type:str]
azure: ENC[AES256_GCM,data:UdHmasRElCFC66dxnnGTOw6vgOzrOIMiSLsczK0Qew2WBdZUKVnRTfSCxQrB7P8k+j3N2CDt5Y4GXvf9GVFrWCMOInOqYXcyycGXsdli2DbqpXTa3f13ykvc/aoKyw3YuFQdrNci3Kae9PYZ4v5f7fH8n4WgOKuYj3mO9k7WHxM1JBzYRRZP41Jghnb9SqVhl9UXVPI5ONBd6JI/FiezSMZPYC2FxNgQ7zHUQJ7qQ6aJTgRljslJK9I=,iv:bRoYEA1hbEXRG7PoU7Dfba9uRu3cAqfeuvSIfavZZ8M=,tag:cHXUe/njZNoG6EuHYYz0Yg==,type:str] azure: ENC[AES256_GCM,data:UdHmasRElCFC66dxnnGTOw6vgOzrOIMiSLsczK0Qew2WBdZUKVnRTfSCxQrB7P8k+j3N2CDt5Y4GXvf9GVFrWCMOInOqYXcyycGXsdli2DbqpXTa3f13ykvc/aoKyw3YuFQdrNci3Kae9PYZ4v5f7fH8n4WgOKuYj3mO9k7WHxM1JBzYRRZP41Jghnb9SqVhl9UXVPI5ONBd6JI/FiezSMZPYC2FxNgQ7zHUQJ7qQ6aJTgRljslJK9I=,iv:bRoYEA1hbEXRG7PoU7Dfba9uRu3cAqfeuvSIfavZZ8M=,tag:cHXUe/njZNoG6EuHYYz0Yg==,type:str]
ntfy: ENC[AES256_GCM,data:ZfTVhdzA1+L3B+g7tw==,iv:1dXDqYi5/zBQ9iphzjn/GHGDcl90J1NYHvHQpTsVPlg=,tag:RfB1/Zz9ITJQV89cuk9OcQ==,type:str] ntfy: ENC[AES256_GCM,data:ZfTVhdzA1+L3B+g7tw==,iv:1dXDqYi5/zBQ9iphzjn/GHGDcl90J1NYHvHQpTsVPlg=,tag:RfB1/Zz9ITJQV89cuk9OcQ==,type:str]
wireguard:
private: ENC[AES256_GCM,data:hPfJis6gbPPguuhNBViiZDmeFSaUXsgRrCGrhTFzbySIytVuaieU0BJSJQo=,iv:tYU41JTeB7Y50RQr1b+zGCgB5voZec2Vfmd350J1Tgc=,tag:aFMZoJhMToJDuuV8dc5Acg==,type:str]
psk: ENC[AES256_GCM,data:NhQ1lYFpjTpqbkhYyEpEcBTf6vewSeGevUnvCmruoZMSGA2ZWs+le8a0tAA=,iv:aBeVhzUwzBgochk4vtdqnUv61dZ5jELh28amx8XqyFI=,tag:9TvGx+sJaicX52FitOpOdA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -19,8 +22,8 @@ sops:
a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY
ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q== ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-01T00:51:59Z" lastmodified: "2024-12-14T23:07:47Z"
mac: ENC[AES256_GCM,data:TYyfVAAxiScRb/KAwqaglr5OjYAfb6uPb3Tdwum1rN09NLzmr8T4W3PramKCgGdTemtjl5YYpBT2lRnKfsNMpzLwg3JHsLV/6JvzCMAHuVPzHHG4SfbAlEz1uLH1/UopxW1w2RAMKK8do9+aXviL/nmXT6gbHgIVCI07U3006Lw=,iv:gyYePlF0MBSU6yhLieV/q8Gw/LbSaZWD7ghAaTLWQmk=,tag:P1L0FaTCmxeFYM6tdzhJBA==,type:str] mac: ENC[AES256_GCM,data:GQUbR/ApVo6E5jqkGo79GDkRv7nj7Sa16ROCTg0uYO0xDmv9h/bPWBTUOfsU0G/0g3OvohLkBbmYA+hMx24xlLQzQkh8Z3dyAn9CcAJ2j9JLY7qHtSBpvafyPptvKzmPU0mnQpShgqYPCUhF6A2B2YAAvW+TknBih7eiKKeidkc=,iv:XLKIad/LZWuWUrrcXtF0UyNccLhoB0VSWXYCGDq/7Uc=,tag:lNyMV8Ses28gOj+KINem5A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.2