configure wireguard

2024-12-14 16:19:04 -05:00 · 2024-12-14 16:19:04 -05:00 · fcc68eaf88
commit fcc68eaf88
parent 8def136b65
4 changed files with 34 additions and 11 deletions
--- a/nix/hosts/chunk/.sops.yaml
+++ b/nix/hosts/chunk/.sops.yaml
@ -1,7 +1,7 @@
 keys:
  - &primary age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
 creation_rules:
-  - path_regex: secrets/secrets.yaml$
+  - path_regex: secrets.yaml$
    key_groups:
    - age:
      - *primary
--- a/nix/hosts/chunk/Caddyfile
+++ b/nix/hosts/chunk/Caddyfile
@ -30,7 +30,7 @@ pass.cy7.sh {
  reverse_proxy localhost:8081
 }

-dns.cy7.sh {
+dns.cything.io {
  reverse_proxy localhost:8082
 }

--- a/nix/hosts/chunk/default.nix
+++ b/nix/hosts/chunk/default.nix
@ -23,6 +23,7 @@ in {
    "vaultwarden" = { };
    "caddy" = { };
    "hedgedoc" = { };
+    "wireguard" = { };
  };

  boot.loader.grub.enable = true;
@ -32,14 +33,10 @@ in {

  networking.hostName = "chunk";
  networking.networkmanager.enable = true;
-  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
-    allowedTCPPorts = [ 22 80 443 ];
-    allowedUDPPorts = [ 443 ];
-    extraInputRules = ''
-      ip saddr 172.18.0.0/16 tcp dport 5432 accept
-    '';
+    allowedTCPPorts = [ 22 80 443 53 853 ];
+    allowedUDPPorts = [ 443 51820 53 853 ]; # 51820 is wireguard
  };
  networking.interfaces.ens18 = {
    ipv6.addresses = [{
@ -263,5 +260,30 @@ in {
      REDLIB_ROBOTS_DISABLE_INDEXING = "on";
    };
  };
+
+  # wireguard stuff
+  networking.nat = {
+    enable = true;
+    externalInterface = "ens18";
+    internalInterfaces = [ "wg0" ];
+  };
+
+  networking.wireguard.interfaces.wg0 = {
+    ips = [ "10.100.0.1/24" ];
+    listenPort = 51820;
+    privateKeyFile = "/run/secrets/wireguard";
+    postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
+    '';
+    postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
+    '';
+    peers = [
+      {
+        publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
+        allowedIPs = [ "10.100.0.2/32" ];
+      }
+    ];
+  };
 }

--- a/nix/hosts/chunk/secrets.yaml
+++ b/nix/hosts/chunk/secrets.yaml
@ -7,6 +7,7 @@ rclone: ENC[AES256_GCM,data:IYxR45rQP0cQA84HMRSAJaBsmB/YArIEdWpD191omnKg1kfN0ShY
 vaultwarden: ENC[AES256_GCM,data:fnl8hVezSu8g3tAXCwDUe9+wVjK7F8bC8qJJBj8Wq1BX6ygtjKNkf4wGAMo0XTb4Ukx1A+KwfJ2DlTWkDPo6ALxaIC/ZR4RYQJ3xE5rJ5QKkD+1Abebis5W1UXEEsiMRoo+vCz2GiU39NXY6/CjxM/gBhcBtyeUNtWcYalmOUQOLfd7GKPCElbA+BWKnjL1tl5DjWgACBvm5AozLoElVGiiMviz8V623NY1DkPQjJxl9ziU9Ncft4KS5rw0IIXmBj6QRF6+qOwz7TxcamDBIW2BWvDNmfPzQdl2cI4NwVWPiImcMedTQiH4m00oW5QBl0QM8F89N7CgOnA==,iv:hmAydcZd5LDPSQkekl5pD/i4Gr6GnR4BqYHXYR/mqHY=,tag:utwQNWPGSTvl1VRJr+89gw==,type:str]
 caddy: ENC[AES256_GCM,data:iRTGzvJdWQbwxM2mEhQuw3tRC/HLCryOJOgdIb+HSQ2bxRqNNp32H82+Rx/CPwCPOvQN+gXjwHPlMuLX2KbmPLugx2pETgVPddVAe18sT4UtFQ5Ym/wM8dXqNXmhZ2hkxJUjPg3l1Aov75iNH9kD7rzivEiGb0ET09iYEmbtVqx8BVc8pw==,iv:nBziWIlTAlnmfbBJa/AnpmjirtLqbSSoyJVgw1w63t4=,tag:ZSrWE1b1AY7fX4WUYV0uag==,type:str]
 hedgedoc: ENC[AES256_GCM,data:3DWGGXE3E4nay5NhbBkNcyDlv40G8KvhLbvu1Qba3zJLDeVtuBBF/ZjFCddUx+Sw83OLMsZBQMu3Y4Cq0rcqRT+YHnQzwboUY3xngNHgVMBGh9c8,iv:GuSYHMlM9eXf7AcArGXnISDNnfsAN38NxxVTO0/iwKM=,tag:0WKKUZS3WaYOCUFNw4HqFA==,type:str]
+wireguard: ENC[AES256_GCM,data:LHwiCi8pv4hLIJm0cumsZizcNeVkEFgQd0wRfUXcfA12C6rwuM8Uin0fPz4=,iv:aM1XvmWlZ0Ou6ZqyseOWg0Qet/l2sGRATMZE0LEmFuQ=,tag:ubFmef/XawLTbJHQy1kndA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -22,8 +23,8 @@ sops:
            R1lNZjFGelFvcXQ0enZTZ2pWRFZ2VVUKtGKbLyijIV1h0HFX7DMAkvXwdG70+pg/
            sJ0PRcU6QGKz1NtVFdcXC1KQIqrv0XOGU26cRt8mji88JMzzgL7CHg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-09T01:58:21Z"
-    mac: ENC[AES256_GCM,data:AdpE5LsndQPbOpAHmUnmyyP8bpYtu4AC7OqH6s2ejwwVIqm134CSJ1e8IQj86nH+Qanex3yMEWoy+bb9kzi3WPbEZ9E0ez7iBJaRlZN7Qn6ZlIKVZJ3yJQm7TmaY0xxIM+hShGtRNFHbAKXlg0yiDvxNwPFvAxbkOI9tVyqLbHQ=,iv:3/RpDCfx3R+5orU2uDvN/21wJJUgWu2YJ1VVbyAkfqc=,tag:7hVkGdX0oP3YnQz91Iea3Q==,type:str]
+    lastmodified: "2024-12-14T20:13:40Z"
+    mac: ENC[AES256_GCM,data:+o2SLvsCXP8pwQV3Aw0Xpc5qthzZGfp1/mQZFN5iSDInc990InyaBE+bcL7hEdhiN5IQOt+V+bqmqkFzoAK0oNolqyAJQ3NYg2WOOst1mwjKgqY+SFJG03waRSqAFG2mFE7k4KS0t703cEivZkKdvqFoKvO/d+iRcA3Jp6GKh7c=,iv:h1NbvgJBqCDc8OHTXr4uL6aPMD8cV7ayParQDA6LL4w=,tag:3F7P1iaOv77/CYHB+y1Mtg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2