kalipso/infrastructure
1
1
Fork 1
Code Issues 43 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

[lucia] rm wireguard cfg

Browse Source
This commit is contained in:
kalipso
2024-12-16 22:01:04 +01:00
parent fea16d6f4b
commit 7d73807f80
2 changed files with 0 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
machines/lucia/configuration.nix
View File

@@ -7,7 +7,6 @@ in
imports =
[ # Include the results of the hardware scan.
../modules/malobeo_user.nix
./wireguard.nix
];
sops.defaultSopsFile = ./secrets.yaml;

55
machines/lucia/wireguard.nix
View File

@@ -1,55 +0,0 @@
{config, pkgs, ...}:
{
sops.secrets.wireguard_private = {};
# enable NAT
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKey = config.sops.secrets.wireguard_private.path;
peers = [
# List of allowed peers.
{ # Feel free to give a meaningfull name
# Public key of the peer (not a file path).
publicKey = "SfokXbgmvSmodgPFoVHjwmHE3nriQ3OTQ+hISU/3eW4=";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
}