jasmine/dotfiles.nix
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

setup wireguard

Browse source
This commit is contained in:
♥ Minnie ♥ 2023-11-19 22:38:12 +00:00
parent d98b8499eb
commit 646c3c0efb
3 changed files with 56 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
nixos/viridian/configuration.nix
View file

@ -35,6 +35,13 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
age.secrets.wireguard = {
# Private key for wireguard
file = inputs.self + /secrets/wireguard.age;
owner = "root";
group = "root";
};
nixpkgs = { nixpkgs = {
# You can add overlays here # You can add overlays here
overlays = [ overlays = [
@ -117,6 +124,13 @@
hostName = "viridian"; hostName = "viridian";
domain = "kanto.dev"; domain = "kanto.dev";
networkmanager.enable = true; networkmanager.enable = true;
# Required for wireguard
nat = {
enable = true;
externalInterface = "wlp2s0";
internalInterfaces = [ "wg0" ];
};
# Setup our firewall
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
@ -130,8 +144,38 @@
80 # traefik (HTTP) 80 # traefik (HTTP)
443 # traefik (HTTPS) 443 # traefik (HTTPS)
32372 # qbittorrent 32372 # qbittorrent
51820 # Wireguard
]; ];
}; };
wireguard.interfaces = {
wg0 = {
# IP address and subnet of the server's end of the tunnel interface
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE
'';
# Path to the private key file.
privateKeyFile = config.age.secrets.wireguard.path;
peers = [
{ # Pixel 6 Pro
publicKey = "VaXMnFAXdbJCllNY5sIjPp9AcSM7ap2oA0tU9SIMK3E=";
# List of IPs assigned to this peer within the tunnel subnet.
allowedIPs = [ "10.100.0.2/32" ];
}
{ # Samsung S23 Ultra
publicKey = "dL91i7+VDWfeLCOr53JlzQ32WJ3lRJGqdecoqUpEnlQ=";
allowedIPs = [ "10.100.0.3/32" ];
}
];
};
};
}; };
# Setup environment # Setup environment

1
secrets/secrets.nix
View file

@ -14,5 +14,6 @@ in
{ {
"traefik.age".publicKeys = users ++ hosts; "traefik.age".publicKeys = users ++ hosts;
"microbin.age".publicKeys = users ++ hosts; "microbin.age".publicKeys = users ++ hosts;
"wireguard.age".publicKeys = users ++ hosts;
} }

11
secrets/wireguard.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 MipaNQ NdT4DUu7wAWLNp2A8+x4CW+c5V88gyUaMdm7EMxMtSc
qiGBk33SBN6QvhRBcn6r+H40O8ekF+Zollw+xkbco4U
-> ssh-ed25519 F8C9vw bWNQOkSxlJ9OvND+dmyGQIrF0BRxceR6Xi1zBdukLEI
N0rYabPL8L3WJ1ioN9A9PrN56GgNbgFMoDeZRvFWQlI
-> ssh-ed25519 dG7JAQ RqX9t1h5IWCCXTzyiRZqbYnZxcZkwT5sajWmOA3BM2o
h6QUNLN0QUgLBTbYZAD+q0zGvWYBazHR6iHCkkqf7P8
-> /^}HV)0Q-grease q6#cJ p 0T<L.&R (/haG
c4EvSLupHcUubthSCw
--- leFHEqNRjnnBeM4YFYr3W30FtiHBeY7Y6ez0oi8k+oo
i£fB­Ð€7¬¼hÜû 8À Ühì•«vT¾èG:ÑN¼¦,]˜L…z/‡ãH°@¼JÏ@*AJÔ<  <09>Tå=@P]sIÀÓ”j*û<Ü