Rework some wireguard stuff
This commit is contained in:
parent
57fcd83770
commit
97e837ac5f
|
@ -10,7 +10,7 @@
|
||||||
../../../modules/system/devices/boot/systemd
|
../../../modules/system/devices/boot/systemd
|
||||||
../../../modules/system/devices/networking
|
../../../modules/system/devices/networking
|
||||||
../../../modules/system/devices/networking/firewall/pc
|
../../../modules/system/devices/networking/firewall/pc
|
||||||
#../../../modules/system/devices/networking/wireguard/pc
|
../../../modules/system/devices/networking/wireguard/pc
|
||||||
../../../modules/system/programs/git
|
../../../modules/system/programs/git
|
||||||
../../../modules/system/programs/security
|
../../../modules/system/programs/security
|
||||||
../../../modules/system/services/common
|
../../../modules/system/services/common
|
||||||
|
@ -21,4 +21,5 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "bomberman";
|
networking.hostName = "bomberman";
|
||||||
|
systemd.network.networks.wg0.address = [ "10.100.0.19/24" ];
|
||||||
}
|
}
|
||||||
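Review bot: The added `systemd.network.networks.wg0.address = [ "10.100.0.19/24" ];` duplicates the `address = [ "10.100.0.19/24" ];` that the reworked wireguard module in this same commit sets under `networks.wg0`, assuming that file is the `wireguard/pc` module whose import is uncommented above; NixOS merges list options, so wg0 would be handed the same address twice. The removed comment in the old module ("Define IP of client in per device config") suggests the intent was to keep the address only in this per-host file, so the module-level copy should go rather than this one. For consistency with the peers and gateway, which are all expressed via `config.ips.wgSpan`, this line could read `systemd.network.networks.wg0.address = [ "${config.ips.wgSpan}.19/24" ];` if `config` is in scope in this file (its function header is outside the hunk). The `.19` host fits the `.16/28` range the server allows for the "General Nix" peer.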
|
|
|
@ -1,22 +1,32 @@
|
||||||
{ config, ... }:
|
{ config, pkgs, ... }:
|
||||||
{
|
{
|
||||||
networking.firewall = {
|
systemd.network = {
|
||||||
allowedUDPPorts = [ 51820 ];
|
enable = true;
|
||||||
|
netdevs = {
|
||||||
|
"10-wg0" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Kind = "wireguard";
|
||||||
|
Name = "wg0";
|
||||||
|
MTUBytes = 1300;
|
||||||
};
|
};
|
||||||
|
wireguardConfig = {
|
||||||
networking.wireguard.interfaces = {
|
PrivateKeyFile = pkgs.writeText "privkey" config.secrets.wgClientPriv;
|
||||||
"${config.ips.wgInt}" = {
|
ListenPort = 9918;
|
||||||
# Define IP of client in per device config
|
};
|
||||||
listenPort = 51820;
|
wireguardPeers = [
|
||||||
privateKey = config.secrets.wgClientPriv;
|
{
|
||||||
peers = [
|
PublicKey = config.secrets.wgServerPub;
|
||||||
{ # 0.0.0.0 makes wg act like a traditional VPN
|
AllowedIPs = [ "0.0.0.0/0" ];
|
||||||
publicKey = config.secrets.wgServerPub;
|
Endpoint = "sv.${config.secrets.jimDomain}:51820";
|
||||||
allowedIPs = [ "0.0.0.0/0" ];
|
|
||||||
endpoint = "sv.${config.secrets.jimDomain}:51820";
|
|
||||||
persistentKeepalive = 25;
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
networks.wg0 = {
|
||||||
|
matchConfig.Name = "wg0";
|
||||||
|
address = [ "10.100.0.19/24" ];
|
||||||
|
dns = [ "1.1.1.1" ];
|
||||||
|
gateway = [ "${config.ips.wgSpan}.1" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
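Review bot: `PrivateKeyFile = pkgs.writeText "privkey" config.secrets.wgClientPriv;` in the new `wireguardConfig` block writes the WireGuard private key into the Nix store, which is world-readable to every local user and persists in store paths; `PrivateKeyFile` exists so the key can live outside the store, so point it at a root-owned file readable by the `systemd-network` group (networkd reads it as that user), e.g. `PrivateKeyFile = "<path-to-key-file-outside-store>";`, provisioned by whatever mechanism populates `config.secrets`, and drop the then-unused `pkgs` argument. The old interface had `persistentKeepalive = 25;` and the new `wireguardPeers` entry has no counterpart; a client behind NAT loses server-initiated reachability without `PersistentKeepalive = 25;`. `AllowedIPs = [ "0.0.0.0/0" ]` together with `gateway = [ "${config.ips.wgSpan}.1" ]` installs a default route via wg0 with no dedicated route table or policy rule, so the encapsulated packets to `Endpoint` may themselves be routed into the tunnel; presumably this needs `FirewallMark`/`RouteTable` plus a matching `routingPolicyRules` entry, or at least verification on a host. `dns = [ "1.1.1.1" ];` without a `Domains` setting on wg0 may also leave resolved using the physical link's resolvers, if a full-tunnel DNS path is the intent.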
|
|
|
@ -21,10 +21,6 @@
|
||||||
publicKey = config.secrets.wgPixel9Pub;
|
publicKey = config.secrets.wgPixel9Pub;
|
||||||
allowedIPs = [ "${config.ips.wgSpan}.2/32" ];
|
allowedIPs = [ "${config.ips.wgSpan}.2/32" ];
|
||||||
}
|
}
|
||||||
{ # Oracle VM
|
|
||||||
publicKey = config.secrets.wgOraclePub;
|
|
||||||
allowedIPs = [ "${config.ips.wgSpan}.3/32" ];
|
|
||||||
}
|
|
||||||
{ # General Nix
|
{ # General Nix
|
||||||
publicKey = config.secrets.wgClientPub;
|
publicKey = config.secrets.wgClientPub;
|
||||||
allowedIPs = [ "${config.ips.wgSpan}.16/28" ];
|
allowedIPs = [ "${config.ips.wgSpan}.16/28" ];
|
||||||
|
|