diff --git a/machines/modules/malobeo/peers.nix b/machines/modules/malobeo/peers.nix
index be109b7..840080b 100644
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -2,7 +2,7 @@
 "vpn" = {
 role = "server";
 publicIp = "5.9.153.217";
- ips = [ "10.100.0.1/24" ];
+ address = [ "10.100.0.1/24" ];
 allowedIPs = [ "10.100.0.0/24" ];
 listenPort = 51821;
 publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -10,15 +10,15 @@
 "fanny" = {
 role = "client";
- ips = [ "10.100.0.2/24" ];
+ address = [ "10.100.0.2/24" ];
 allowedIPs = [ "10.100.0.0/24" ];
- publicKey = "";
+ publicKey = "hF8H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
 };
 "test" = {
 role = "client";
- ips = [ "10.100.0.3/24" ];
+ address = [ "10.100.0.3/24" ];
 allowedIPs = [ "10.100.0.0/24" ];
- publicKey = "";
+ publicKey = "hF7H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
 };
 }
diff --git a/machines/modules/malobeo/wireguard.nix b/machines/modules/malobeo/wireguard.nix
index cbb7c54..36fde4f 100644
--- a/machines/modules/malobeo/wireguard.nix
+++ b/machines/modules/malobeo/wireguard.nix
@@ -16,7 +16,7 @@ let
 ) peerList;
 filteredPeerlist = map (host: builtins.removeAttrs host [ "role"
- "ips"
+ "address"
 "listenPort" "publicIp" ] ) peerListWithEndpoint;
@@ -38,7 +38,7 @@ in
 '';
 };
- privateKey = mkOption {
+ privateKeyFile = mkOption {
 default = "";
 type = types.str;
 description = ''
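Review bot: The client entries `fanny` and `test` now carry `allowedIPs = [ "10.100.0.0/24" ]`, the same prefix as the server entry, and since this list is presumably also what the server installs as its peer list (wireguard.nix passes `filteredPeerlist` unchanged), the server ends up with two peers claiming the whole /24 — WireGuard's cryptokey routing assigns a prefix to exactly one peer, so the last peer configured captures all 10.100.0.0/24 traffic and the other client becomes unreachable. On the server each client should be limited to its own address, e.g. `allowedIPs = [ "10.100.0.2/32" ];` for fanny and `allowedIPs = [ "10.100.0.3/32" ];` for test, keeping the /24 only on the `vpn` entry that clients route through (the `vpn` hunk above is correct as written). The new public keys for fanny and test differ from the server's key by a single character, which looks like a hand-edited copy rather than the output of `wg pubkey` on each client; if so the handshakes will fail without any error in the Nix evaluation, so they should be replaced with the keys actually generated on those hosts.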
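Review bot: `privateKeyFile` keeps `default = ""` with `type = types.str`, so an enabled host that never sets it evaluates cleanly and only fails when wg-quick tries to read an empty path at activation; declaring it as `type = types.nullOr types.path; default = null;` and adding `{ assertion = !cfg.enable || cfg.privateKeyFile != null; message = "services.malobeo.vpn.privateKeyFile must be set"; }` to the module's assertions turns that into an evaluation-time error. The rename from `privateKey` to `privateKeyFile` is the right direction — a key passed as a string ends up in the world-readable Nix store — so the option description, which continues outside this hunk, should state that the path must point outside the store to a root-readable secret, as machines/vpn/configuration.nix does with `config.sops.secrets.wg_private.path`.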
@@ -48,43 +48,44 @@ in
 };
 };
- imports = [
- inputs.microvm.nixosModules.host
- ];
-
 config = mkIf cfg.enable {
 assertions = [
- #{
- # assertion = !(myPeer != "client" && cfg.role != "server");
- # message = ''
- # VPN Role must be either client or server, nothing else!
- # '';
- #}
+ {
+ assertion = !(myPeer.role != "client" && myPeer.role != "server");
+ message = ''
+ VPN Role must be either client or server, nothing else!
+ '';
+ }
 ];
- networking.wireguard = {
- enable = true;
+ networking.wg-quick = {
 interfaces = {
 malovpn = {
- ips = myPeer.ips;
+ address = myPeer.address;
 listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
 # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
 # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
- postSetup = mkIf (myPeer.role == "server") ''
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ postUp = mkIf (myPeer.role == "server") ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
 '';
 # This undoes the above command
- postShutdown = mkIf (myPeer.role == "server") ''
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ postDown = mkIf (myPeer.role == "server") ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
 '';
- privateKey = cfg.privateKey;
+ privateKeyFile = cfg.privateKeyFile;
 peers = filteredPeerlist;
 };
 };
 };
+
+ #networking.nat = mkIf (myPeer.role == "server"){
+ # enable = true;
+ # internalInterfaces = [ "microvm" ];
+ # externalInterface = "eth0"; #change to your interface name
+ #};
 };
 }
diff --git a/machines/vpn/configuration.nix b/machines/vpn/configuration.nix
index bae5e22..f47d31a 100644
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
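Review bot: The new `postUp`/`postDown` hooks hard-code the external interface `enp0s3` (changed from `eth0`) and the `10.100.0.0/24` prefix inside a reusable module, so any other server built from it masquerades on the wrong interface with no error; the commented-out `networking.nat` block at the end of the hunk already points at the fix — add an `externalInterface` option and use `networking.nat = mkIf (myPeer.role == "server") { enable = true; externalInterface = cfg.externalInterface; internalInterfaces = [ "malovpn" ]; };` in place of the raw iptables calls, which also takes care of enabling IP forwarding. With the hand-written rules, `-A` appends a fresh copy each time the interface comes up without a matching postDown run, while `-D` removes only one copy, so the NAT table drifts across restarts. Nothing in the diff sets `net.ipv4.ip_forward` or opens the server's `listenPort` (51821 in peers.nix) in the NixOS firewall; unless both are handled elsewhere, the server will neither forward client traffic nor accept handshakes, so `networking.firewall.allowedUDPPorts = mkIf (myPeer.role == "server") [ myPeer.listenPort ];` belongs next to the interface definition.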
@@ -21,7 +21,7 @@ with lib;
 services.malobeo.vpn = {
 enable = true;
 name = "vpn";
- privateKey = config.sops.secrets.wg_private.path;
+ privateKeyFile = config.sops.secrets.wg_private.path;
 };
 system.stateVersion = "22.11"; # Did you read the comment?