wireguard

This commit is contained in:
Squibid 2025-11-26 13:40:14 -05:00
parent 8e5d215275
commit c753407691
Signed by: squibid
GPG key ID: BECE5684D3C4005D
5 changed files with 74 additions and 3 deletions


@ -31,6 +31,7 @@
./modules/unstable.nix ./modules/unstable.nix
./modules/zmotd.nix ./modules/zmotd.nix
./modules/sops.nix ./modules/sops.nix
./modules/wireguard.nix
./modules/users/admin.nix ./modules/users/admin.nix
./overlays ./overlays


@ -1,4 +1,4 @@
{ ... }: { config, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix # Include the results of the hardware scan. ./hardware-configuration.nix # Include the results of the hardware scan.
@ -9,4 +9,11 @@
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
wireguard = {
enable = true;
# pub: gq0/fX4EF/3jUNJSW5C3ythZjMVAWYqQdAVRw1eUC1Y=
privateKeyFile = config.sops.secrets."wireguard/crayon".path;
externalInterface = "enp1s0";
};
} }


@ -16,6 +16,7 @@
secrets = { secrets = {
"mail/me" = {}; "mail/me" = {};
"jellyfin/zachary" = {}; "jellyfin/zachary" = {};
"wireguard/crayon" = {};
}; };
}; };
} }

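--- /dev/null
+++ b/modules/wireguard.nix
@@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+{
+options.wireguard = {
+enable = lib.mkEnableOption "wireguard";
+port = lib.mkOption {
+default = 51820;
+description = "The port for wireguard to use.";
+type = lib.types.int;
+};
+externalInterface = lib.mkOption {
+description = "The external networking interface for wireguard to use.";
+type = lib.types.str;
+};
+internalInterface = lib.mkOption {
+default = "wg0";
+description = "The networking interface for wireguard to use.";
+type = lib.types.str;
+};
+privateKeyFile = lib.mkOption {
+description = "The path to the private key of the wireguard server.";
+type = lib.types.path;
+};
+};
+config = lib.mkIf config.wireguard.enable {
+networking.nat.enable = true;
+networking.nat.externalInterface = config.wireguard.externalInterface;
+networking.nat.internalInterfaces = [ config.wireguard.internalInterface ];
+networking.firewall.allowedUDPPorts = [ config.wireguard.port ];
+networking.wireguard.interfaces = {
+${config.wireguard.internalInterface} = {
+# Determines the IP address and subnet of the server's end of the tunnel interface.
+ips = [ "10.100.0.1/24" ];
+listenPort = config.wireguard.port;
+# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+postSetup = ''
+${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+'';
+# This undoes the above command
+postShutdown = ''
+${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+'';
+# Path to the servers private key file.
+privateKeyFile = config.wireguard.privateKeyFile;
+# TODO: add config option?
+peers = [
+{
+publicKey = "L+NlTn0E9pgCoEoTYs4aDewZSMmyeyC1Os9DCdwYTjY=";
+allowedIPs = [ "10.100.0.2/32" ];
+}
+];
+};
+};
+};
+}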
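Review bot: The postSetup and postShutdown MASQUERADE rules hard-code `-o eth0` even though the module exposes an `externalInterface` option and the host enabling it in this commit sets `externalInterface = "enp1s0"`, so on that host the two iptables rules bind to an interface it does not have and silently do nothing; tunnel egress only works because `networking.nat` is enabled alongside them. Either drop both rules, since `networking.nat.internalInterfaces` with `networking.nat.externalInterface` should already masquerade the tunnel out the external interface, or bind them to the option: `${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${config.wireguard.externalInterface} -j MASQUERADE` with the matching `-D` line in postShutdown. The tunnel subnet is also repeated in `ips` and both rules; a `let` binding at the top of the module, or a subnet option, would keep those from drifting apart when the range changes. Separately, `port` could be typed `lib.types.port` instead of `lib.types.int` so an out-of-range value is rejected at evaluation time rather than at service start.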


@ -4,6 +4,8 @@ jellyfin:
zachary: ENC[AES256_GCM,data:GIDgfsxhU4fZVjP/cTmTvIA1aeP4lbd3Fz6tbPLdyL37KD+IKERgkxJmGwtt9GNwnJBsHE/xpH8ZAvloS1DykZZtEaqB0H6wuA==,iv:FM0d4tiQPzyoEiqEQF5YvNeClHXOhP+q+TaKGeyg/TE=,tag:v+sYDwQiCX7o+g7plcnQFg==,type:str] zachary: ENC[AES256_GCM,data:GIDgfsxhU4fZVjP/cTmTvIA1aeP4lbd3Fz6tbPLdyL37KD+IKERgkxJmGwtt9GNwnJBsHE/xpH8ZAvloS1DykZZtEaqB0H6wuA==,iv:FM0d4tiQPzyoEiqEQF5YvNeClHXOhP+q+TaKGeyg/TE=,tag:v+sYDwQiCX7o+g7plcnQFg==,type:str]
users: users:
crown: ENC[AES256_GCM,data:6UAYcafxflvbsTXC1N3Ff0hAlWGjveYDUzbcXPSGfPX0uXg++bfjRwYo3JFgfJpJ/KN4MODPSxgjFAFnoZOnkyxk0UDSppDagQ==,iv:PWmxuj2caqRLASjftbl0tovNq2t1WoDoviJXs/OO8yI=,tag:EwJhROsHfj5cPkpxUCy+uw==,type:str] crown: ENC[AES256_GCM,data:6UAYcafxflvbsTXC1N3Ff0hAlWGjveYDUzbcXPSGfPX0uXg++bfjRwYo3JFgfJpJ/KN4MODPSxgjFAFnoZOnkyxk0UDSppDagQ==,iv:PWmxuj2caqRLASjftbl0tovNq2t1WoDoviJXs/OO8yI=,tag:EwJhROsHfj5cPkpxUCy+uw==,type:str]
wireguard:
crayon: ENC[AES256_GCM,data:pQ4nOzcON+yCqgisBQO8LIdfi9GmXE9YcPzBRgu9Fdzx0R6p4dEK+DVBuDg=,iv:vq0uDgZlLwXVZMwE3xTWZDP20uaAcT4I0D7qLS61ApI=,tag:btVyZREPAgfcC694/Wusmg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -37,8 +39,8 @@ sops:
MVIyWFFmVXR3SkN4dmdJUzZEOE1nRzAKXYCh0Y0pwHUO6YAhGFBuVCphmL2dOAsN MVIyWFFmVXR3SkN4dmdJUzZEOE1nRzAKXYCh0Y0pwHUO6YAhGFBuVCphmL2dOAsN
R/5NDRIF2ab5hf5vE8g/4jHnrttujsbNyU96Jezh8q6MO2M1afIUwA== R/5NDRIF2ab5hf5vE8g/4jHnrttujsbNyU96Jezh8q6MO2M1afIUwA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-09T02:00:10Z" lastmodified: "2025-11-26T18:38:21Z"
mac: ENC[AES256_GCM,data:9Jg3aXMMe8Yhf3CycD+UPqlTg0E619dmOJENRe2sfwROdKxOXhiFqnuI4t262XW3IMpJdCbv3RIblklF6vPaqqJWkPqj4Jt2niF4Bq0oR+cRM+rAElYAZ6vviCWnjTjOhTD/UB2RYPFH77Ce7RQmR4c5H4D6uLaw1g3+9TLJPTE=,iv:p4mF2S1n+mTV+ny3hKbQ+tYqh+4HGURyUP9hiSdMZjs=,tag:dWCa87XTwH3mBHshUMxjiQ==,type:str] mac: ENC[AES256_GCM,data:V3lKQj0ZWIPl2RPpnv7tRBG8sH6W9+rfnPy0z6g+3SZGmKtwhcgqVBG/VPMKhuyseNZ4vxE23lD7Ol44PchMgd/OCJqJF6TUl3A4LIqkK8Ji0m0cPcC3hsFaI8rChkWcLse30qcoQov4NbP7yElpf76Bh/NqBFgOqCjDD0Pp/NU=,iv:897reifxaub96UDCKCsWNxabVCSzYLmsIrrkXCxBgoM=,tag:0d4iQhLA/YxR7wrtUVxXqA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1