cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

configure wireguard

Browse source
This commit is contained in:
cy 2024-12-14 16:19:04 -05:00
parent 5b0d0fdf18
commit b04abf8e35
4 changed files with 34 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nix/hosts/chunk/.sops.yaml
View file

@ -1,7 +1,7 @@
keys: keys:
- &primary age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn - &primary age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
creation_rules: creation_rules:
- path_regex: secrets/secrets.yaml$ - path_regex: secrets.yaml$
key_groups: key_groups:
- age: - age:
- *primary - *primary

2
nix/hosts/chunk/Caddyfile
View file

@ -30,7 +30,7 @@ pass.cy7.sh {
reverse_proxy localhost:8081 reverse_proxy localhost:8081
} }
dns.cy7.sh { dns.cything.io {
reverse_proxy localhost:8082 reverse_proxy localhost:8082
} }

34
nix/hosts/chunk/default.nix
View file

@ -23,6 +23,7 @@ in {
"vaultwarden" = { }; "vaultwarden" = { };
"caddy" = { }; "caddy" = { };
"hedgedoc" = { }; "hedgedoc" = { };
"wireguard" = { };
}; };
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
@ -32,14 +33,10 @@ in {
networking.hostName = "chunk"; networking.hostName = "chunk";
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.nftables.enable = true;
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 22 80 443 ]; allowedTCPPorts = [ 22 80 443 53 853 ];
allowedUDPPorts = [ 443 ]; allowedUDPPorts = [ 443 51820 53 853 ]; # 51820 is wireguard
extraInputRules = ''
ip saddr 172.18.0.0/16 tcp dport 5432 accept
'';
}; };
networking.interfaces.ens18 = { networking.interfaces.ens18 = {
ipv6.addresses = [{ ipv6.addresses = [{
@ -263,5 +260,30 @@ in {
REDLIB_ROBOTS_DISABLE_INDEXING = "on"; REDLIB_ROBOTS_DISABLE_INDEXING = "on";
}; };
}; };
# wireguard stuff
networking.nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
'';
peers = [
{
publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
} }

7
nix/hosts/chunk/secrets.yaml
View file

@ -7,6 +7,7 @@ rclone: ENC[AES256_GCM,data:IYxR45rQP0cQA84HMRSAJaBsmB/YArIEdWpD191omnKg1kfN0ShY
vaultwarden: ENC[AES256_GCM,data:fnl8hVezSu8g3tAXCwDUe9+wVjK7F8bC8qJJBj8Wq1BX6ygtjKNkf4wGAMo0XTb4Ukx1A+KwfJ2DlTWkDPo6ALxaIC/ZR4RYQJ3xE5rJ5QKkD+1Abebis5W1UXEEsiMRoo+vCz2GiU39NXY6/CjxM/gBhcBtyeUNtWcYalmOUQOLfd7GKPCElbA+BWKnjL1tl5DjWgACBvm5AozLoElVGiiMviz8V623NY1DkPQjJxl9ziU9Ncft4KS5rw0IIXmBj6QRF6+qOwz7TxcamDBIW2BWvDNmfPzQdl2cI4NwVWPiImcMedTQiH4m00oW5QBl0QM8F89N7CgOnA==,iv:hmAydcZd5LDPSQkekl5pD/i4Gr6GnR4BqYHXYR/mqHY=,tag:utwQNWPGSTvl1VRJr+89gw==,type:str] vaultwarden: ENC[AES256_GCM,data:fnl8hVezSu8g3tAXCwDUe9+wVjK7F8bC8qJJBj8Wq1BX6ygtjKNkf4wGAMo0XTb4Ukx1A+KwfJ2DlTWkDPo6ALxaIC/ZR4RYQJ3xE5rJ5QKkD+1Abebis5W1UXEEsiMRoo+vCz2GiU39NXY6/CjxM/gBhcBtyeUNtWcYalmOUQOLfd7GKPCElbA+BWKnjL1tl5DjWgACBvm5AozLoElVGiiMviz8V623NY1DkPQjJxl9ziU9Ncft4KS5rw0IIXmBj6QRF6+qOwz7TxcamDBIW2BWvDNmfPzQdl2cI4NwVWPiImcMedTQiH4m00oW5QBl0QM8F89N7CgOnA==,iv:hmAydcZd5LDPSQkekl5pD/i4Gr6GnR4BqYHXYR/mqHY=,tag:utwQNWPGSTvl1VRJr+89gw==,type:str]
caddy: ENC[AES256_GCM,data:iRTGzvJdWQbwxM2mEhQuw3tRC/HLCryOJOgdIb+HSQ2bxRqNNp32H82+Rx/CPwCPOvQN+gXjwHPlMuLX2KbmPLugx2pETgVPddVAe18sT4UtFQ5Ym/wM8dXqNXmhZ2hkxJUjPg3l1Aov75iNH9kD7rzivEiGb0ET09iYEmbtVqx8BVc8pw==,iv:nBziWIlTAlnmfbBJa/AnpmjirtLqbSSoyJVgw1w63t4=,tag:ZSrWE1b1AY7fX4WUYV0uag==,type:str] caddy: ENC[AES256_GCM,data:iRTGzvJdWQbwxM2mEhQuw3tRC/HLCryOJOgdIb+HSQ2bxRqNNp32H82+Rx/CPwCPOvQN+gXjwHPlMuLX2KbmPLugx2pETgVPddVAe18sT4UtFQ5Ym/wM8dXqNXmhZ2hkxJUjPg3l1Aov75iNH9kD7rzivEiGb0ET09iYEmbtVqx8BVc8pw==,iv:nBziWIlTAlnmfbBJa/AnpmjirtLqbSSoyJVgw1w63t4=,tag:ZSrWE1b1AY7fX4WUYV0uag==,type:str]
hedgedoc: ENC[AES256_GCM,data:3DWGGXE3E4nay5NhbBkNcyDlv40G8KvhLbvu1Qba3zJLDeVtuBBF/ZjFCddUx+Sw83OLMsZBQMu3Y4Cq0rcqRT+YHnQzwboUY3xngNHgVMBGh9c8,iv:GuSYHMlM9eXf7AcArGXnISDNnfsAN38NxxVTO0/iwKM=,tag:0WKKUZS3WaYOCUFNw4HqFA==,type:str] hedgedoc: ENC[AES256_GCM,data:3DWGGXE3E4nay5NhbBkNcyDlv40G8KvhLbvu1Qba3zJLDeVtuBBF/ZjFCddUx+Sw83OLMsZBQMu3Y4Cq0rcqRT+YHnQzwboUY3xngNHgVMBGh9c8,iv:GuSYHMlM9eXf7AcArGXnISDNnfsAN38NxxVTO0/iwKM=,tag:0WKKUZS3WaYOCUFNw4HqFA==,type:str]
wireguard: ENC[AES256_GCM,data:LHwiCi8pv4hLIJm0cumsZizcNeVkEFgQd0wRfUXcfA12C6rwuM8Uin0fPz4=,iv:aM1XvmWlZ0Ou6ZqyseOWg0Qet/l2sGRATMZE0LEmFuQ=,tag:ubFmef/XawLTbJHQy1kndA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -22,8 +23,8 @@ sops:
R1lNZjFGelFvcXQ0enZTZ2pWRFZ2VVUKtGKbLyijIV1h0HFX7DMAkvXwdG70+pg/ R1lNZjFGelFvcXQ0enZTZ2pWRFZ2VVUKtGKbLyijIV1h0HFX7DMAkvXwdG70+pg/
sJ0PRcU6QGKz1NtVFdcXC1KQIqrv0XOGU26cRt8mji88JMzzgL7CHg== sJ0PRcU6QGKz1NtVFdcXC1KQIqrv0XOGU26cRt8mji88JMzzgL7CHg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-09T01:58:21Z" lastmodified: "2024-12-14T20:13:40Z"
mac: ENC[AES256_GCM,data:AdpE5LsndQPbOpAHmUnmyyP8bpYtu4AC7OqH6s2ejwwVIqm134CSJ1e8IQj86nH+Qanex3yMEWoy+bb9kzi3WPbEZ9E0ez7iBJaRlZN7Qn6ZlIKVZJ3yJQm7TmaY0xxIM+hShGtRNFHbAKXlg0yiDvxNwPFvAxbkOI9tVyqLbHQ=,iv:3/RpDCfx3R+5orU2uDvN/21wJJUgWu2YJ1VVbyAkfqc=,tag:7hVkGdX0oP3YnQz91Iea3Q==,type:str] mac: ENC[AES256_GCM,data:+o2SLvsCXP8pwQV3Aw0Xpc5qthzZGfp1/mQZFN5iSDInc990InyaBE+bcL7hEdhiN5IQOt+V+bqmqkFzoAK0oNolqyAJQ3NYg2WOOst1mwjKgqY+SFJG03waRSqAFG2mFE7k4KS0t703cEivZkKdvqFoKvO/d+iRcA3Jp6GKh7c=,iv:h1NbvgJBqCDc8OHTXr4uL6aPMD8cV7ayParQDA6LL4w=,tag:3F7P1iaOv77/CYHB+y1Mtg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.2