From a6b590787977787e79bcbc38a49a9613940ca902 Mon Sep 17 00:00:00 2001 From: cy Date: Sat, 14 Dec 2024 18:21:46 -0500 Subject: [PATCH] make wireguard finally work --- nix/hosts/chunk/default.nix | 33 ++++++++++++++++++++++++--------- nix/hosts/chunk/secrets.yaml | 8 +++++--- 2 files changed, 29 insertions(+), 12 deletions(-) diff --git a/nix/hosts/chunk/default.nix b/nix/hosts/chunk/default.nix index c5f1755..664b838 100644 --- a/nix/hosts/chunk/default.nix +++ b/nix/hosts/chunk/default.nix @@ -23,7 +23,8 @@ in { "vaultwarden" = { }; "caddy" = { }; "hedgedoc" = { }; - "wireguard" = { }; + "wireguard/private" = { }; + "wireguard/psk" = { }; }; boot.loader.grub.enable = true; @@ -37,6 +38,7 @@ in { enable = true; allowedTCPPorts = [ 22 80 443 53 853 ]; allowedUDPPorts = [ 443 51820 53 853 ]; # 51820 is wireguard + trustedInterfaces = [ "wg0" ]; }; networking.interfaces.ens18 = { ipv6.addresses = [{ @@ -48,6 +50,7 @@ in { address = "2a0f:85c1:840::1"; interface = "ens18"; }; + networking.nameservers = [ "127.0.0.1" "::1" ]; time.timeZone = "America/Toronto"; 
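Review bot: `trustedInterfaces = [ "wg0" ];` tells the firewall to accept every inbound packet arriving over the tunnel, so the VPN peer (or whoever ends up holding its device or key) can reach every port the host listens on, not only the DNS ports a road-warrior client needs; the `networking.firewall = {` line that opens this block is outside the hunk. A narrower equivalent that keeps the public-side `allowedTCPPorts`/`allowedUDPPorts` untouched is a per-interface allow list, e.g. `networking.firewall.interfaces.wg0 = { allowedTCPPorts = [ 53 853 ]; allowedUDPPorts = [ 53 853 ]; };`. If full access from the tunnel is the intent, a comment on that line such as `# wg0 peers are fully trusted: every local service is reachable over the tunnel` would keep the next reader from tightening it by accident.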
@@ -264,24 +267,36 @@ in { # wireguard stuff networking.nat = { enable = true; + enableIPv6 = true; externalInterface = "ens18"; internalInterfaces = [ "wg0" ]; }; - networking.wireguard.interfaces.wg0 = { - ips = [ "10.100.0.1/24" ]; + networking.wg-quick.interfaces.wg0 = { + address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ]; listenPort = 51820; - privateKeyFile = "/run/secrets/wireguard"; - postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE + privateKeyFile = "/run/secrets/wireguard/private"; + postUp = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE ''; - postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE + preDown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE ''; peers = [ { publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g="; - allowedIPs = [ "10.100.0.2/32" ]; + allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ]; + presharedKeyFile = "/run/secrets/wireguard/psk"; } ]; }; diff --git a/nix/hosts/chunk/secrets.yaml b/nix/hosts/chunk/secrets.yaml index 1273952..08373d6 100644 --- a/nix/hosts/chunk/secrets.yaml +++ b/nix/hosts/chunk/secrets.yaml 
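Review bot: The new `-t nat -A POSTROUTING -o ens18 -j MASQUERADE` rules (IPv4 and IPv6) in `postUp` drop the `-s 10.100.0.0/24` source match the replaced rule had, so anything the host forwards out ens18 is now masqueraded, and the paired `-A FORWARD -o wg0 -j ACCEPT` admits any forwarded packet toward the peer rather than only replies to what the peer started. Neither looks exploitable as shown (the tunnel ranges are RFC 1918 and ULA, there is a single peer, and the rules only bite if the FORWARD chain's policy is DROP, which this commit does not change), but scoping the NAT to the tunnel prefixes and limiting the reverse FORWARD rule to RELATED,ESTABLISHED state restores the old rule's least-privilege shape, with `preDown` mirroring the same six rules using `-D`. Separately, `networking.nat.internalInterfaces` already lists wg0 and, as far as I recall, the NixOS NAT module installs its own masquerade for that interface, so the hand-written NAT rules may be duplicates — worth checking `iptables -t nat -S` after switching. The wg0 attribute set is complete within the hunk; the enclosing `in {` set continues outside it.
```nix
    postUp = ''
      ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
      ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens18 -j MASQUERADE
      ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
      ${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::/64 -o ens18 -j MASQUERADE
    '';
    # … unchanged: preDown (same six rules with -D), peers …
```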
@@ -7,7 +7,9 @@ rclone: ENC[AES256_GCM,data:IYxR45rQP0cQA84HMRSAJaBsmB/YArIEdWpD191omnKg1kfN0ShY vaultwarden: ENC[AES256_GCM,data:fnl8hVezSu8g3tAXCwDUe9+wVjK7F8bC8qJJBj8Wq1BX6ygtjKNkf4wGAMo0XTb4Ukx1A+KwfJ2DlTWkDPo6ALxaIC/ZR4RYQJ3xE5rJ5QKkD+1Abebis5W1UXEEsiMRoo+vCz2GiU39NXY6/CjxM/gBhcBtyeUNtWcYalmOUQOLfd7GKPCElbA+BWKnjL1tl5DjWgACBvm5AozLoElVGiiMviz8V623NY1DkPQjJxl9ziU9Ncft4KS5rw0IIXmBj6QRF6+qOwz7TxcamDBIW2BWvDNmfPzQdl2cI4NwVWPiImcMedTQiH4m00oW5QBl0QM8F89N7CgOnA==,iv:hmAydcZd5LDPSQkekl5pD/i4Gr6GnR4BqYHXYR/mqHY=,tag:utwQNWPGSTvl1VRJr+89gw==,type:str] caddy: ENC[AES256_GCM,data:iRTGzvJdWQbwxM2mEhQuw3tRC/HLCryOJOgdIb+HSQ2bxRqNNp32H82+Rx/CPwCPOvQN+gXjwHPlMuLX2KbmPLugx2pETgVPddVAe18sT4UtFQ5Ym/wM8dXqNXmhZ2hkxJUjPg3l1Aov75iNH9kD7rzivEiGb0ET09iYEmbtVqx8BVc8pw==,iv:nBziWIlTAlnmfbBJa/AnpmjirtLqbSSoyJVgw1w63t4=,tag:ZSrWE1b1AY7fX4WUYV0uag==,type:str] hedgedoc: ENC[AES256_GCM,data:3DWGGXE3E4nay5NhbBkNcyDlv40G8KvhLbvu1Qba3zJLDeVtuBBF/ZjFCddUx+Sw83OLMsZBQMu3Y4Cq0rcqRT+YHnQzwboUY3xngNHgVMBGh9c8,iv:GuSYHMlM9eXf7AcArGXnISDNnfsAN38NxxVTO0/iwKM=,tag:0WKKUZS3WaYOCUFNw4HqFA==,type:str] -wireguard: ENC[AES256_GCM,data:LHwiCi8pv4hLIJm0cumsZizcNeVkEFgQd0wRfUXcfA12C6rwuM8Uin0fPz4=,iv:aM1XvmWlZ0Ou6ZqyseOWg0Qet/l2sGRATMZE0LEmFuQ=,tag:ubFmef/XawLTbJHQy1kndA==,type:str] +wireguard: + private: ENC[AES256_GCM,data:jAarkXsz8ldGW+HHNeMNWOg/EIqKXQfPKwg+fbSEHSGTLoGHgihylYYK09U=,iv:6oAzkS5IZ/GWYv4JwBIprlN1EmquYffR+dtXyYiCm1g=,tag:DnC/uDNhj39CY6tsihdxDQ==,type:str] + psk: ENC[AES256_GCM,data:VyxJORdC1ulZP1jSeh8TTqI/RJYcjeJtsPrBtUGZlWHjNodrzXSkoilPD1g=,iv:q6PyTFVnb4QAM/OpnBY0DPIaido0KPW8UQ6nJlpVd0o=,tag:BMfhQKZmaN+kCjXS2tT6Sw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,8 +25,8 @@ sops: R1lNZjFGelFvcXQ0enZTZ2pWRFZ2VVUKtGKbLyijIV1h0HFX7DMAkvXwdG70+pg/ sJ0PRcU6QGKz1NtVFdcXC1KQIqrv0XOGU26cRt8mji88JMzzgL7CHg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-14T20:13:40Z" - mac: ENC[AES256_GCM,data:+o2SLvsCXP8pwQV3Aw0Xpc5qthzZGfp1/mQZFN5iSDInc990InyaBE+bcL7hEdhiN5IQOt+V+bqmqkFzoAK0oNolqyAJQ3NYg2WOOst1mwjKgqY+SFJG03waRSqAFG2mFE7k4KS0t703cEivZkKdvqFoKvO/d+iRcA3Jp6GKh7c=,iv:h1NbvgJBqCDc8OHTXr4uL6aPMD8cV7ayParQDA6LL4w=,tag:3F7P1iaOv77/CYHB+y1Mtg==,type:str] + lastmodified: "2024-12-14T23:09:54Z" + mac: ENC[AES256_GCM,data:517GJQuyb43wayiQ2nP/Tcyx7OBRshJ/XaWJql0fXqQG1oIN3qPperkv3ps58Z0p3XicEMllIfGiB8rXZnfJhCDGdlBr4+dhVXkgFoQzbElcWLq11Soy5nXm3txDGTMwrFYxx6DNJqaD0eKWtpyJzBpl8qGtdYG8QjXgYCpRJBc=,iv:L0A1+UdKifpv7GXWl3ixsk+WVEE3rL9eSIEQ0gpVr1A=,tag:SqJVFV4iHVTdpsxZUPXKHQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2