diff --git a/machines/configuration.nix b/machines/configuration.nix
index 5b69f0a1..bb5f4c74 100644
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -123,7 +123,6 @@ in
 ];
 };
-
 durruti = nixosSystem {
 system = "x86_64-linux";
 specialArgs.inputs = inputs;
@@ -133,6 +132,16 @@ in
 ];
 };
+ vpn = nixosSystem {
+ system = "x86_64-linux";
+ specialArgs.inputs = inputs;
+ specialArgs.self = self;
+ modules = makeMicroVM "vpn" "10.0.0.10" [
+ self.nixosModules.malobeo
+ ./vpn/configuration.nix
+ ];
+ };
+
 lucia = nixosSystem {
 system = "aarch64-linux";
 specialArgs.inputs = inputs;
diff --git a/machines/vpn/configuration.nix b/machines/vpn/configuration.nix
new file mode 100644
index 00000000..f6ff2c5d
--- /dev/null
+++ b/machines/vpn/configuration.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+ #sops.defaultSopsFile = ./secrets.yaml;
+
+ networking = {
+ hostName = mkDefault "vpn";
+ useDHCP = false;
+ nameservers = [ "1.1.1.1" ];
+ };
+
+ imports = [
+ ../modules/malobeo_user.nix
+ ../modules/sshd.nix
+ ../modules/minimal_tools.nix
+ ];
+
+ services.malobeo.vpn = {
+ enable = true;
+ name = "vpn";
+ privateKey = "somepath";
+ };
+
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
+
diff --git a/machines/vpn/wireguard.nix b/machines/vpn/wireguard.nix
new file mode 100644
index 00000000..087ac797
--- /dev/null
+++ b/machines/vpn/wireguard.nix
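Review bot: `privateKey = "somepath";` under `services.malobeo.vpn` in machines/vpn/configuration.nix is a placeholder that ships with the commit, and with `#sops.defaultSopsFile = ./secrets.yaml;` left commented out nothing in this host points the `sops.secrets.wireguard_private` declared in machines/vpn/wireguard.nix at a secrets file. Whether `services.malobeo.vpn.privateKey` expects a key string or a path is not visible in this diff; if it is a string, a real key would end up in the world-readable Nix store, so a sops-managed path (the shape wireguard.nix uses for `wireguard_private`) is the safer choice once `sops.defaultSopsFile` is set. The `imports` list also never references `./wireguard.nix`, so the WireGuard interface defined in that new file is not wired in by anything in this commit. `with lib;` serves only `mkDefault`; `hostName = lib.mkDefault "vpn";` keeps the scope explicit.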
@@ -0,0 +1,73 @@
+{config, pkgs, ...}:
+{
+ sops.secrets.wireguard_private = {};
+
+ # enable NAT
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+
+
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = [ "10.100.0.1/24" ];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = 51820;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKey = config.sops.secrets.wireguard_private.path;
+
+ peers = [
+ # List of allowed peers.
+ { # Feel free to give a meaningfull name
+ # Public key of the peer (not a file path).
+ publicKey = "SfokXbgmvSmodgPFoVHjwmHE3nriQ3OTQ+hISU/3eW4=";
+
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = [ "10.100.0.2/32" ];
+
+ }
+ ];
+ };
+ };
+
+ #sops.secrets.wireguard_host = {};
+ #sops.secrets.mullvad_secret = {};
+
+ #networking.wg-quick.interfaces = {
+ # wg0 = {
+ # address = [ "50.100.0.2/24" ];
+ # privateKeyFile = "/home/kalipso/.config/wireguard-keys/private";
+
+ # peers = [
+ # {
+ # publicKey = "Anme1N482rGSZ14wqtZQbzUHvX4oFhoVct0d187H0iM=";
+ # allowedIPs = [ "50.100.0.0/24" ];
+ # endpoint = "5.9.153.217:51820";
+ # }
+ # ];
+ # };
+
+}
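Review bot: `privateKey = config.sops.secrets.wireguard_private.path;` in the `wg0` interface assigns a file path to the inline-key option, which contradicts the comment directly above it recommending `privateKeyFile`; WireGuard would be handed the path string as the key, and an inline key would in any case land in the world-readable store. Change it to `privateKeyFile = config.sops.secrets.wireguard_private.path;`. The `postSetup`/`postShutdown` MASQUERADE rules duplicate what `networking.nat` with `internalInterfaces = [ "wg0" ]` and `externalInterface = "eth0"` already sets up, so one of the two can go; `"eth0"` is also hard-coded in both places and is only correct if the microVM's external interface really carries that name, which this diff does not show. The commented-out `wg-quick` block at the bottom, including a foreign endpoint and key, is dead configuration and would be better dropped than committed.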