cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

make wireguard finally work

Browse source
This commit is contained in:
cy 2024-12-14 18:21:46 -05:00
parent 63fca71c8c
commit a6b5907879
2 changed files with 29 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
nix/hosts/chunk/default.nix
View file

@ -23,7 +23,8 @@ in {
"vaultwarden" = { };
"caddy" = { };
"hedgedoc" = { };
"wireguard" = { };
"wireguard/private" = { };
"wireguard/psk" = { };
};
boot.loader.grub.enable = true;
@ -37,6 +38,7 @@ in {
enable = true;
allowedTCPPorts = [ 22 80 443 53 853 ];
allowedUDPPorts = [ 443 51820 53 853 ]; # 51820 is wireguard
trustedInterfaces = [ "wg0" ];
};
networking.interfaces.ens18 = {
ipv6.addresses = [{
@ -48,6 +50,7 @@ in {
address = "2a0f:85c1:840::1";
interface = "ens18";
};
networking.nameservers = [ "127.0.0.1" "::1" ];
time.timeZone = "America/Toronto";
@ -264,24 +267,36 @@ in {
# wireguard stuff
networking.nat = {
enable = true;
enableIPv6 = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" ];
networking.wg-quick.interfaces.wg0 = {
address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
privateKeyFile = "/run/secrets/wireguard/private";
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
'';
peers = [
{
publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
allowedIPs = [ "10.100.0.2/32" ];
allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
presharedKeyFile = "/run/secrets/wireguard/psk";
}
];
};

8
nix/hosts/chunk/secrets.yaml
View file

@ -7,7 +7,9 @@ rclone: ENC[AES256_GCM,data:IYxR45rQP0cQA84HMRSAJaBsmB/YArIEdWpD191omnKg1kfN0ShY
vaultwarden: ENC[AES256_GCM,data:fnl8hVezSu8g3tAXCwDUe9+wVjK7F8bC8qJJBj8Wq1BX6ygtjKNkf4wGAMo0XTb4Ukx1A+KwfJ2DlTWkDPo6ALxaIC/ZR4RYQJ3xE5rJ5QKkD+1Abebis5W1UXEEsiMRoo+vCz2GiU39NXY6/CjxM/gBhcBtyeUNtWcYalmOUQOLfd7GKPCElbA+BWKnjL1tl5DjWgACBvm5AozLoElVGiiMviz8V623NY1DkPQjJxl9ziU9Ncft4KS5rw0IIXmBj6QRF6+qOwz7TxcamDBIW2BWvDNmfPzQdl2cI4NwVWPiImcMedTQiH4m00oW5QBl0QM8F89N7CgOnA==,iv:hmAydcZd5LDPSQkekl5pD/i4Gr6GnR4BqYHXYR/mqHY=,tag:utwQNWPGSTvl1VRJr+89gw==,type:str]
caddy: ENC[AES256_GCM,data:iRTGzvJdWQbwxM2mEhQuw3tRC/HLCryOJOgdIb+HSQ2bxRqNNp32H82+Rx/CPwCPOvQN+gXjwHPlMuLX2KbmPLugx2pETgVPddVAe18sT4UtFQ5Ym/wM8dXqNXmhZ2hkxJUjPg3l1Aov75iNH9kD7rzivEiGb0ET09iYEmbtVqx8BVc8pw==,iv:nBziWIlTAlnmfbBJa/AnpmjirtLqbSSoyJVgw1w63t4=,tag:ZSrWE1b1AY7fX4WUYV0uag==,type:str]
hedgedoc: ENC[AES256_GCM,data:3DWGGXE3E4nay5NhbBkNcyDlv40G8KvhLbvu1Qba3zJLDeVtuBBF/ZjFCddUx+Sw83OLMsZBQMu3Y4Cq0rcqRT+YHnQzwboUY3xngNHgVMBGh9c8,iv:GuSYHMlM9eXf7AcArGXnISDNnfsAN38NxxVTO0/iwKM=,tag:0WKKUZS3WaYOCUFNw4HqFA==,type:str]
wireguard: ENC[AES256_GCM,data:LHwiCi8pv4hLIJm0cumsZizcNeVkEFgQd0wRfUXcfA12C6rwuM8Uin0fPz4=,iv:aM1XvmWlZ0Ou6ZqyseOWg0Qet/l2sGRATMZE0LEmFuQ=,tag:ubFmef/XawLTbJHQy1kndA==,type:str]
wireguard:
private: ENC[AES256_GCM,data:jAarkXsz8ldGW+HHNeMNWOg/EIqKXQfPKwg+fbSEHSGTLoGHgihylYYK09U=,iv:6oAzkS5IZ/GWYv4JwBIprlN1EmquYffR+dtXyYiCm1g=,tag:DnC/uDNhj39CY6tsihdxDQ==,type:str]
psk: ENC[AES256_GCM,data:VyxJORdC1ulZP1jSeh8TTqI/RJYcjeJtsPrBtUGZlWHjNodrzXSkoilPD1g=,iv:q6PyTFVnb4QAM/OpnBY0DPIaido0KPW8UQ6nJlpVd0o=,tag:BMfhQKZmaN+kCjXS2tT6Sw==,type:str]
sops:
kms: []
gcp_kms: []
@ -23,8 +25,8 @@ sops:
R1lNZjFGelFvcXQ0enZTZ2pWRFZ2VVUKtGKbLyijIV1h0HFX7DMAkvXwdG70+pg/
sJ0PRcU6QGKz1NtVFdcXC1KQIqrv0XOGU26cRt8mji88JMzzgL7CHg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-14T20:13:40Z"
mac: ENC[AES256_GCM,data:+o2SLvsCXP8pwQV3Aw0Xpc5qthzZGfp1/mQZFN5iSDInc990InyaBE+bcL7hEdhiN5IQOt+V+bqmqkFzoAK0oNolqyAJQ3NYg2WOOst1mwjKgqY+SFJG03waRSqAFG2mFE7k4KS0t703cEivZkKdvqFoKvO/d+iRcA3Jp6GKh7c=,iv:h1NbvgJBqCDc8OHTXr4uL6aPMD8cV7ayParQDA6LL4w=,tag:3F7P1iaOv77/CYHB+y1Mtg==,type:str]
lastmodified: "2024-12-14T23:09:54Z"
mac: ENC[AES256_GCM,data:517GJQuyb43wayiQ2nP/Tcyx7OBRshJ/XaWJql0fXqQG1oIN3qPperkv3ps58Z0p3XicEMllIfGiB8rXZnfJhCDGdlBr4+dhVXkgFoQzbElcWLq11Soy5nXm3txDGTMwrFYxx6DNJqaD0eKWtpyJzBpl8qGtdYG8QjXgYCpRJBc=,iv:L0A1+UdKifpv7GXWl3ixsk+WVEE3rL9eSIEQ0gpVr1A=,tag:SqJVFV4iHVTdpsxZUPXKHQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2