[malobeo/vpn] use wg-quick instead wireguard

this is compatible with systemd network (also in the future)
2024-12-19 15:23:46 +01:00
parent 6e4e35fcdf
commit 0d6df1d0ce
3 changed files with 27 additions and 26 deletions
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -2,7 +2,7 @@
  "vpn" = {
    role = "server";
    publicIp = "5.9.153.217";
-    ips = [ "10.100.0.1/24" ];
+    address = [ "10.100.0.1/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    listenPort = 51821;
    publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
@@ -10,15 +10,15 @@

  "fanny" = {
    role = "client";
-    ips = [ "10.100.0.2/24" ];
+    address = [ "10.100.0.2/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
-    publicKey = "";
+    publicKey = "hF8H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
  };

  "test" = {
    role = "client";
-    ips = [ "10.100.0.3/24" ];
+    address = [ "10.100.0.3/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
-    publicKey = "";
+    publicKey = "hF7H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
  };
 }
--- a/machines/modules/malobeo/wireguard.nix
+++ b/machines/modules/malobeo/wireguard.nix
@@ -16,7 +16,7 @@ let
  ) peerList;
  filteredPeerlist = map (host: builtins.removeAttrs host [ 
    "role" 
-    "ips" 
+    "address" 
    "listenPort" 
    "publicIp" 
  ] ) peerListWithEndpoint;
@@ -38,7 +38,7 @@ in
        '';
      };

-      privateKey = mkOption {
+      privateKeyFile = mkOption {
        default = "";
        type = types.str;
        description = ''
@@ -48,43 +48,44 @@ in
    };
  };

-  imports = [
-    inputs.microvm.nixosModules.host
-  ];
-
  config = mkIf cfg.enable { 
    assertions = [
-      #{
-      #  assertion = !(myPeer != "client" && cfg.role != "server");
-      #  message = ''
-      #    VPN Role must be either client or server, nothing else!
-      #  '';
-      #}
+      {
+        assertion = !(myPeer.role != "client" && myPeer.role != "server");
+        message = ''
+          VPN Role must be either client or server, nothing else!
+        '';
+      }
    ];

-    networking.wireguard = {
-      enable = true;
+    networking.wg-quick = {
      interfaces = {
        malovpn = {
-          ips = myPeer.ips;
+          address = myPeer.address;
          listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;

          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
-          postSetup = mkIf (myPeer.role == "server") ''
-            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          postUp = mkIf (myPeer.role == "server") ''
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
          '';

          # This undoes the above command
-          postShutdown = mkIf (myPeer.role == "server") ''
-            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          postDown = mkIf (myPeer.role == "server") ''
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
          '';

-          privateKey = cfg.privateKey;
+          privateKeyFile = cfg.privateKeyFile;

          peers = filteredPeerlist;
        };
      };
    };
+
+    #networking.nat = mkIf (myPeer.role == "server"){
+    #  enable = true;
+    #  internalInterfaces = [ "microvm" ];
+    #  externalInterface = "eth0"; #change to your interface name
+    #};
  };
 }
--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
@@ -21,7 +21,7 @@ with lib;
  services.malobeo.vpn = {
    enable = true;
    name = "vpn";
-    privateKey = config.sops.secrets.wg_private.path;
+    privateKeyFile = config.sops.secrets.wg_private.path;
  };

  system.stateVersion = "22.11"; # Did you read the comment?