From 646c3c0efb91d698adc07fc2b502527c2e42b937 Mon Sep 17 00:00:00 2001
From: sajenim
Date: Sun, 19 Nov 2023 22:38:12 +0000
Subject: [PATCH] setup wireguard

---
 nixos/viridian/configuration.nix | 44 ++++++++++++++++++++++++++++++++
 secrets/secrets.nix | 1 +
 secrets/wireguard.age | 11 ++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 secrets/wireguard.age

diff --git a/nixos/viridian/configuration.nix b/nixos/viridian/configuration.nix
index 6b62053..7265bd9 100644
--- a/nixos/viridian/configuration.nix
+++ b/nixos/viridian/configuration.nix
@@ -35,6 +35,13 @@
 ./hardware-configuration.nix
 ];
+ age.secrets.wireguard = {
+ # Private key for wireguard
+ file = inputs.self + /secrets/wireguard.age;
+ owner = "root";
+ group = "root";
+ };
+
 nixpkgs = {
 # You can add overlays here
 overlays = [
@@ -117,6 +124,13 @@
 hostName = "viridian";
 domain = "kanto.dev";
 networkmanager.enable = true;
+ # Required for wireguard
+ nat = {
+ enable = true;
+ externalInterface = "wlp2s0";
+ internalInterfaces = [ "wg0" ];
+ };
+ # Setup our firewall
 firewall = {
 enable = true;
 allowedTCPPorts = [
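Review bot: The `nat` block added in this hunk duplicates the manual `MASQUERADE` rules in the `postSetup`/`postShutdown` of the next hunk: as far as I can tell, `networking.nat.enable` together with `internalInterfaces = [ "wg0" ]` already enables forwarding and masquerades wg0 traffic leaving `externalInterface`, so the hand-written iptables lines add nothing and are a second place where `wlp2s0` has to be kept in sync by hand. I would keep the declarative `nat` block and drop `postSetup`/`postShutdown` in the following hunk; if both are kept on purpose, a comment such as `# networking.nat already masquerades wg0 -> wlp2s0; this rule is intentionally redundant` should say so next to them. The enclosing `networking` attribute set starts and ends outside this hunk.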
@@ -130,8 +144,38 @@
 80 # traefik (HTTP)
 443 # traefik (HTTPS)
 32372 # qbittorrent
+ 51820 # Wireguard
 ];
 };
+ wireguard.interfaces = {
+ wg0 = {
+ # IP address and subnet of the server's end of the tunnel interface
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE
+ '';
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE
+ '';
+ # Path to the private key file.
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ { # Pixel 6 Pro
+ publicKey = "VaXMnFAXdbJCllNY5sIjPp9AcSM7ap2oA0tU9SIMK3E=";
+ # List of IPs assigned to this peer within the tunnel subnet.
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ { # Samsung S23 Ultra
+ publicKey = "dL91i7+VDWfeLCOr53JlzQ32WJ3lRJGqdecoqUpEnlQ=";
+ allowedIPs = [ "10.100.0.3/32" ];
+ }
+ ];
+ };
+ };
 };
 # Setup environment
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4c8f13a..60403e0 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -14,5 +14,6 @@ in {
 "traefik.age".publicKeys = users ++ hosts;
 "microbin.age".publicKeys = users ++ hosts;
+ "wireguard.age".publicKeys = users ++ hosts;
 }
diff --git a/secrets/wireguard.age b/secrets/wireguard.age
new file mode 100644
index 0000000..4835d8e
--- /dev/null
+++ b/secrets/wireguard.age
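Review bot: `51820 # Wireguard` is added to `allowedTCPPorts`, but WireGuard speaks UDP only, so this entry does not let peers reach `listenPort = 51820` through the NixOS firewall; it belongs in `allowedUDPPorts = [ 51820 ]; # Wireguard` and the TCP entry can be dropped. If the tunnel has nonetheless been observed working, something else is letting the UDP traffic through and that path is worth identifying rather than relying on. On the positive side, `ips = [ "10.100.0.1/24" ]` with a `/32` `allowedIPs` per peer is the right shape: each peer's packets are only accepted from its single assigned tunnel address. The `firewall` set that the first added line edits opens outside this hunk.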
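Review bot: `"wireguard.age".publicKeys = users ++ hosts;` encrypts the WireGuard private key to every host key in `hosts`, although only viridian needs to decrypt it, so every other host in the list can recover this key as well. Narrowing the recipients to the admin keys plus viridian's own host key, e.g. `"wireguard.age".publicKeys = users ++ [ <viridian-host-key> ];` where `<viridian-host-key>` is a placeholder for that host's existing entry, keeps the key on the machine that uses it. The neighbouring `traefik.age`/`microbin.age` entries use the same broad recipient list, so this may be a deliberate convention, but a per-host tunnel key is a better candidate for narrowing than a shared service secret. The `users` and `hosts` lists are defined outside this hunk.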
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 MipaNQ NdT4DUu7wAWLNp2A8+x4CW+c5V88gyUaMdm7EMxMtSc +qiGBk33SBN6QvhRBcn6r+H40O8ekF+Zollw+xkbco4U +-> ssh-ed25519 F8C9vw bWNQOkSxlJ9OvND+dmyGQIrF0BRxceR6Xi1zBdukLEI +N0rYabPL8L3WJ1ioN9A9PrN56GgNbgFMoDeZRvFWQlI +-> ssh-ed25519 dG7JAQ RqX9t1h5IWCCXTzyiRZqbYnZxcZkwT5sajWmOA3BM2o +h6QUNLN0QUgLBTbYZAD+q0zGvWYBazHR6iHCkkqf7P8 +-> /^}HV)0Q-grease q6#cJ p 0T