forked from kalipso/infrastructure
[lucia] rm wireguard cfg
This commit is contained in:
@@ -7,7 +7,6 @@ in
|
|||||||
imports =
|
imports =
|
||||||
[ # Include the results of the hardware scan.
|
[ # Include the results of the hardware scan.
|
||||||
../modules/malobeo_user.nix
|
../modules/malobeo_user.nix
|
||||||
./wireguard.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.defaultSopsFile = ./secrets.yaml;
|
sops.defaultSopsFile = ./secrets.yaml;
|
||||||
|
|||||||
@@ -1,55 +0,0 @@
|
|||||||
{config, pkgs, ...}:
|
|
||||||
{
|
|
||||||
sops.secrets.wireguard_private = {};
|
|
||||||
|
|
||||||
# enable NAT
|
|
||||||
networking.nat.enable = true;
|
|
||||||
networking.nat.externalInterface = "eth0";
|
|
||||||
networking.nat.internalInterfaces = [ "wg0" ];
|
|
||||||
networking.firewall = {
|
|
||||||
allowedUDPPorts = [ 51820 ];
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
networking.wireguard.enable = true;
|
|
||||||
networking.wireguard.interfaces = {
|
|
||||||
# "wg0" is the network interface name. You can name the interface arbitrarily.
|
|
||||||
wg0 = {
|
|
||||||
# Determines the IP address and subnet of the server's end of the tunnel interface.
|
|
||||||
ips = [ "10.100.0.1/24" ];
|
|
||||||
|
|
||||||
# The port that WireGuard listens to. Must be accessible by the client.
|
|
||||||
listenPort = 51820;
|
|
||||||
|
|
||||||
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
|
||||||
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
|
|
||||||
postSetup = ''
|
|
||||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
|
||||||
'';
|
|
||||||
|
|
||||||
# This undoes the above command
|
|
||||||
postShutdown = ''
|
|
||||||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Path to the private key file.
|
|
||||||
#
|
|
||||||
# Note: The private key can also be included inline via the privateKey option,
|
|
||||||
# but this makes the private key world-readable; thus, using privateKeyFile is
|
|
||||||
# recommended.
|
|
||||||
privateKey = config.sops.secrets.wireguard_private.path;
|
|
||||||
|
|
||||||
peers = [
|
|
||||||
# List of allowed peers.
|
|
||||||
{ # Feel free to give a meaningfull name
|
|
||||||
# Public key of the peer (not a file path).
|
|
||||||
publicKey = "SfokXbgmvSmodgPFoVHjwmHE3nriQ3OTQ+hISU/3eW4=";
|
|
||||||
|
|
||||||
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
|
|
||||||
allowedIPs = [ "10.100.0.2/32" ];
|
|
||||||
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
Reference in New Issue
Block a user