wireguard

2025-11-26 13:40:14 -05:00 · 2025-11-26 13:40:14 -05:00 · c753407691
commit c753407691
parent 8e5d215275
5 changed files with 74 additions and 3 deletions
--- a/flake.nix
+++ b/flake.nix
@ -31,6 +31,7 @@
      ./modules/unstable.nix
      ./modules/zmotd.nix
      ./modules/sops.nix
+      ./modules/wireguard.nix
      ./modules/users/admin.nix
      ./overlays

--- a/hosts/crayon/default.nix
+++ b/hosts/crayon/default.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
  imports = [
    ./hardware-configuration.nix # Include the results of the hardware scan.
@ -9,4 +9,11 @@

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
+
+  wireguard = {
+    enable = true;
+    # pub: gq0/fX4EF/3jUNJSW5C3ythZjMVAWYqQdAVRw1eUC1Y=
+    privateKeyFile = config.sops.secrets."wireguard/crayon".path;
+    externalInterface = "enp1s0";
+  };
 }
--- a/modules/sops.nix
+++ b/modules/sops.nix
@ -16,6 +16,7 @@
    secrets = {
      "mail/me" = {};
      "jellyfin/zachary" = {};
+      "wireguard/crayon" = {};
    };
  };
 }
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+{
+  options.wireguard = {
+    enable = lib.mkEnableOption "wireguard";
+    port = lib.mkOption {
+      default = 51820;
+      description = "The port for wireguard to use.";
+      type = lib.types.int;
+    };
+    externalInterface = lib.mkOption {
+      description = "The external networking interface for wireguard to use.";
+      type = lib.types.str;
+    };
+    internalInterface = lib.mkOption {
+      default = "wg0";
+      description = "The networking interface for wireguard to use.";
+      type = lib.types.str;
+    };
+    privateKeyFile = lib.mkOption {
+      description = "The path to the private key of the wireguard server.";
+      type = lib.types.path;
+    };
+  };
+
+  config = lib.mkIf config.wireguard.enable {
+    networking.nat.enable = true;
+    networking.nat.externalInterface = config.wireguard.externalInterface;
+    networking.nat.internalInterfaces = [ config.wireguard.internalInterface ];
+    networking.firewall.allowedUDPPorts = [ config.wireguard.port ];
+    networking.wireguard.interfaces = {
+      ${config.wireguard.internalInterface} = {
+        # Determines the IP address and subnet of the server's end of the tunnel interface.
+        ips = [ "10.100.0.1/24" ];
+        listenPort = config.wireguard.port;
+
+        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+        # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          '';
+
+        # This undoes the above command
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          '';
+
+        # Path to the servers private key file.
+        privateKeyFile = config.wireguard.privateKeyFile;
+
+        # TODO: add config option?
+        peers = [
+          {
+            publicKey = "L+NlTn0E9pgCoEoTYs4aDewZSMmyeyC1Os9DCdwYTjY=";
+            allowedIPs = [ "10.100.0.2/32" ];
+          }
+        ];
+      };
+    };
+  };
+}
--- a/secrets.yaml
+++ b/secrets.yaml
@ -4,6 +4,8 @@ jellyfin:
    zachary: ENC[AES256_GCM,data:GIDgfsxhU4fZVjP/cTmTvIA1aeP4lbd3Fz6tbPLdyL37KD+IKERgkxJmGwtt9GNwnJBsHE/xpH8ZAvloS1DykZZtEaqB0H6wuA==,iv:FM0d4tiQPzyoEiqEQF5YvNeClHXOhP+q+TaKGeyg/TE=,tag:v+sYDwQiCX7o+g7plcnQFg==,type:str]
 users:
    crown: ENC[AES256_GCM,data:6UAYcafxflvbsTXC1N3Ff0hAlWGjveYDUzbcXPSGfPX0uXg++bfjRwYo3JFgfJpJ/KN4MODPSxgjFAFnoZOnkyxk0UDSppDagQ==,iv:PWmxuj2caqRLASjftbl0tovNq2t1WoDoviJXs/OO8yI=,tag:EwJhROsHfj5cPkpxUCy+uw==,type:str]
+wireguard:
+    crayon: ENC[AES256_GCM,data:pQ4nOzcON+yCqgisBQO8LIdfi9GmXE9YcPzBRgu9Fdzx0R6p4dEK+DVBuDg=,iv:vq0uDgZlLwXVZMwE3xTWZDP20uaAcT4I0D7qLS61ApI=,tag:btVyZREPAgfcC694/Wusmg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -37,8 +39,8 @@ sops:
            MVIyWFFmVXR3SkN4dmdJUzZEOE1nRzAKXYCh0Y0pwHUO6YAhGFBuVCphmL2dOAsN
            R/5NDRIF2ab5hf5vE8g/4jHnrttujsbNyU96Jezh8q6MO2M1afIUwA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-09T02:00:10Z"
-    mac: ENC[AES256_GCM,data:9Jg3aXMMe8Yhf3CycD+UPqlTg0E619dmOJENRe2sfwROdKxOXhiFqnuI4t262XW3IMpJdCbv3RIblklF6vPaqqJWkPqj4Jt2niF4Bq0oR+cRM+rAElYAZ6vviCWnjTjOhTD/UB2RYPFH77Ce7RQmR4c5H4D6uLaw1g3+9TLJPTE=,iv:p4mF2S1n+mTV+ny3hKbQ+tYqh+4HGURyUP9hiSdMZjs=,tag:dWCa87XTwH3mBHshUMxjiQ==,type:str]
+    lastmodified: "2025-11-26T18:38:21Z"
+    mac: ENC[AES256_GCM,data:V3lKQj0ZWIPl2RPpnv7tRBG8sH6W9+rfnPy0z6g+3SZGmKtwhcgqVBG/VPMKhuyseNZ4vxE23lD7Ol44PchMgd/OCJqJF6TUl3A4LIqkK8Ji0m0cPcC3hsFaI8rChkWcLse30qcoQov4NbP7yElpf76Bh/NqBFgOqCjDD0Pp/NU=,iv:897reifxaub96UDCKCsWNxabVCSzYLmsIrrkXCxBgoM=,tag:0d4iQhLA/YxR7wrtUVxXqA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1