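{
  pkgs,
  config,
  ...
}: let
  # Uplink and tunnel interface names, kept in one place so the NAT module
  # and the hand-written iptables rules below cannot drift apart (the
  # literal "ens18" was previously repeated in six separate rules).
  extIf = "ens18";
  wgIf = "wg0";

  # Tunnel prefixes. `address` below is the server's own address inside each
  # prefix; the network forms are used to scope MASQUERADE to VPN traffic
  # only, instead of source-NATing everything that leaves the uplink.
  wgV4Net = "10.0.0.0/24";
  wgV6Net = "fdc9:281f:04d7:9ee9::/64";

  # `-w` waits for the xtables lock rather than failing if another iptables
  # invocation (e.g. the NixOS firewall/NAT activation scripts) holds it.
  ipt = "${pkgs.iptables}/bin/iptables -w";
  ip6t = "${pkgs.iptables}/bin/ip6tables -w";

  # Rules applied on interface up (op = "-A") and removed on interface down
  # (op = "-D"). Generating both from one function guarantees preDown deletes
  # exactly what postUp appended.
  #
  # - Anything arriving on the tunnel may be forwarded (peer-to-peer included,
  #   since a wg0 -> wg0 packet matches the `-i` rule first).
  # - Traffic forwarded *into* the tunnel from another interface (i.e. the
  #   uplink) is limited to replies of connections the VPN side opened. An
  #   unconditional `-o wg0 -j ACCEPT` would let unsolicited packets from the
  #   uplink reach peers whenever the FORWARD policy is DROP.
  # - Only the two VPN prefixes are masqueraded behind the uplink address.
  rules = op: ''
    ${ipt} ${op} FORWARD -i ${wgIf} -j ACCEPT
    ${ipt} ${op} FORWARD -o ${wgIf} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ${ipt} -t nat ${op} POSTROUTING -s ${wgV4Net} -o ${extIf} -j MASQUERADE
    ${ip6t} ${op} FORWARD -i ${wgIf} -j ACCEPT
    ${ip6t} ${op} FORWARD -o ${wgIf} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ${ip6t} -t nat ${op} POSTROUTING -s ${wgV6Net} -o ${extIf} -j MASQUERADE
  '';
in {
  # NOTE(review): networking.nat with internalInterfaces/externalInterface
  # set appears to already enable kernel forwarding and masquerade tunnel
  # traffic out of the uplink, which would make the manual MASQUERADE rules
  # in `rules` redundant. They are kept here to preserve the existing setup;
  # confirm on the host (`iptables -t nat -S`) and drop one of the two.
  networking.nat = {
    enable = true;
    enableIPv6 = true;
    externalInterface = extIf;
    internalInterfaces = [wgIf];
  };

  # The FORWARD ACCEPT rules only take effect if something sets the FORWARD
  # chain policy to DROP; with the kernel default (ACCEPT) they are no-ops.
  # Nothing in this file sets that policy.
  # NOTE(review): UDP 51820 must be reachable on the uplink; if
  # networking.firewall is enabled, the matching `allowedUDPPorts` entry is
  # expected to live elsewhere in the configuration — verify it exists.
  networking.wg-quick.interfaces.${wgIf} = {
    address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
    listenPort = 51820;
    # Key material is supplied by sops-nix at activation time; never inline
    # private keys or PSKs in this file.
    privateKeyFile = config.sops.secrets."wireguard/private".path;
    postUp = rules "-A";
    preDown = rules "-D";
    peers = [
      {
        publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
        # Host routes (/32, /128) so each peer may only source its own
        # tunnel address; WireGuard enforces AllowedIPs on receive as well
        # as when routing outbound.
        allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
        # Per-peer pre-shared key layered on top of the public-key handshake.
        presharedKeyFile = config.sops.secrets."wireguard/psk-yt".path;
      }
      {
        publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
        allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
        presharedKeyFile = config.sops.secrets."wireguard/psk-phone".path;
      }
    ];
  };
}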