kalipso/infrastructure
1
1
Fork 1
Code Issues 43 Pull Requests 3 Actions Projects 2 Releases Wiki Activity

add wireguard module from wiki and prepare sops

Browse Source
This commit is contained in:
ahtlon
2024-11-14 19:28:40 +01:00
committed by kalipso
parent a10fb33c29
commit ca1e9a3af6
3 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
machines/.sops.yaml
View File

@@ -34,3 +34,10 @@ creation_rules:
- *machine_durruti - *machine_durruti
age: age:
- *admin_atlan - *admin_atlan
- path_regex: secrets/keys/wireguard/.*
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan

1
machines/lucia/configuration.nix
View File

@@ -7,6 +7,7 @@ in
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
../modules/malobeo_user.nix ../modules/malobeo_user.nix
./wireguard.nix
]; ];
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;

54
machines/lucia/wireguard.nix Normal file
View File

@@ -0,0 +1,54 @@
{config, pkgs, ...}:
{
# enable NAT
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKey = config.sops.secrets.wireguard_private.path;
peers = [
# List of allowed peers.
{ # Feel free to give a meaningfull name
# Public key of the peer (not a file path).
publicKey = "SfokXbgmvSmodgPFoVHjwmHE3nriQ3OTQ+hISU/3eW4=";
# To decrypt the private key to use
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
}