diff --git a/roles/server/default.nix b/roles/server/default.nix
index 515d4bf..9b262ae 100755
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@@ -12,5 +12,6 @@
 ./transmission.nix
 ./ddclient.nix
 ./beep.nix
+ ./wireguard.nix
 ];
 }
diff --git a/roles/server/wireguard.nix b/roles/server/wireguard.nix
new file mode 100644
index 0000000..6ad8b0d
--- /dev/null
+++ b/roles/server/wireguard.nix
@@ -0,0 +1,73 @@
+{ config, pkgs, ... }:
+
+{
+ # Set up secrets
+ age.secrets = {
+ silverPrivate.file = ../../secrets/wg/silver/serverPriv;
+ silverPhonePsk.file = ../../secrets/wg/silver/phonePsk;
+ toastPrivate.file = ../../secrets/wg/toast/serverPriv;
+ toastPhonePsk.file = ../../secrets/wg/toast/phonePsk;
+ };
+
+ networking = {
+ # You need NAT if you want to use wireguard as a VPN
+ nat = {
+ enable = true;
+ externalInterface = "eno1";
+ internalInterfaces = [ "wg-*" ];
+ };
+
+ # Allow the wireguard port though the firewall
+ firewall.allowedUDPPorts = with config.networking.wireguard.interfaces; [ vpn-silver.listenPort vpn-toast.listenPort];
+
+ wireguard = {
+ enable = true;
+ interfaces = {
+ vpn-silver = {
+ /*
+ I see people normally use 10.0.X.X, but I already have the muscle memory of
+ typing 192.168.X.X so I went with this one. Plus I'm only going to have 2-3
+ peers connected at once, so a type C IP is more than enough
+ */
+ ips = [ "192.168.10.1/24" ];
+ listenPort = 51820;
+ privateKeyFile = config.age.secrets.silverPrivate.path;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
+ '';
+ peers = [
+ {
+ # Silver's phone
+ allowedIPs = [ "192.168.10.2" ];
+ publicKey = "silvrNOD8j5aDm4PhY8zJBV3JZOeBX6VK5KPvT+3yic=";
+ presharedKeyFile = config.age.secrets.silverPhonePsk.path;
+ }
+ ];
+ };
+ vpn-toast = {
+ ips = [ "192.168.11.1/24" ];
+ listenPort = 51821;
+ privateKeyFile = config.age.secrets.toastPrivate.path;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
+ '';
+ peers = [
+ {
+ # My phone
+ allowedIPs = [ "192.168.11.2" ];
+ publicKey = 
"pHonE1YaBZcTU5sTMLg6Iy4FIyzInfHfH4x0NZ1lBRA=";
+ presharedKeyFile = config.age.secrets.toastPhonePsk.path;
+ }
+ ];
+ };
+
+ };
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 169c588..f43b96a 100755
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,6 +4,13 @@ let
 in {
 "ddclient-passwd".publicKeys = [ everest ];
+ "cock".publicKeys = [ everest ];
 "syncthing/key".publicKeys = [ everest ];
 "syncthing/cert".publicKeys = [ everest ];
+ "wg/silver/serverPriv".publicKeys = [ everest ];
+ "wg/silver/phonePriv".publicKeys = [ everest ];
+ "wg/silver/phonePsk".publicKeys = [ everest ];
+ "wg/toast/serverPriv".publicKeys = [ everest ];
+ "wg/toast/phonePriv".publicKeys = [ everest ];
+ "wg/toast/phonePsk".publicKeys = [ everest ];
 }
diff --git a/secrets/wg/silver/phonePriv b/secrets/wg/silver/phonePriv
new file mode 100644
index 0000000..e6d0722
--- /dev/null
+++ b/secrets/wg/silver/phonePriv
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A vExPc7M17NblMkOjJCxVm6I4v6/6yYBzE6nfc9saOEc
+muXFANq6dGV+ToPwlUTkZ84wVsGqnTcCLvncmOgcbrk
+-> VN-grease (ijvp 99` (qc
+f+ZaYegYdxUu4uj7uGtIl1Pm1ipMe4gQxs57vQxYCHOYO6tejSbwI8Y8sOAzkNV0
+pv0EFylBo9Y
+--- SrPUCAPc2SmcpvPoPEK/gYJ9hn+vdplxJRMBfRSamAo
+bϾr ?/⻏Q2Drr4;^|T {!]
\ No newline at end of file
diff --git a/secrets/wg/silver/phonePsk b/secrets/wg/silver/phonePsk
new file mode 100644
index 0000000..796fddf
--- /dev/null
+++ b/secrets/wg/silver/phonePsk
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A 8YvcfWII3BKsM+V+ceoFC3XXldC0qvwnL/6ggK+Il0s
+irwDqE2NcFHU/mVlhvIt787a4EW3kmEd11d0P393zXA
+-> Wu;RC:#-grease EIrU+ a1!S.4 t Uq#Qab6^
+mpekj8nSA5jpzDm1l5VrrYxMxmcuG5Yh+ABWkv2Dn9dKuJG6E1CIcAnU+9rpP6n4
+waoAYhTnVZpcHd1qVVm1Mwlz1REymNYxYw7MVplfM3lm1jSU
+--- Q+IuFa2gerHpADs2TR/ZkULZV0rIaUvqFpoiovmbcQs
+A3zX"Ijlkx u7 UhGJ֏{+^qbL?RImS܈=PԽgqFtJx
\ No newline at end of file
diff --git a/secrets/wg/silver/serverPriv b/secrets/wg/silver/serverPriv
new file mode 100644
index 0000000..0c42bd4
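Review bot: `internalInterfaces = [ "wg-*" ];` in the `nat` block does not name the interfaces this file actually defines, `vpn-silver` and `vpn-toast`, so as far as this hunk shows the NAT module's own rules are never attached to them and the VPN forwards only because of the hand-written `postSetup` iptables rules. Listing the real names, `internalInterfaces = [ "vpn-silver" "vpn-toast" ];`, would let the module do that work, and the manual MASQUERADE rules (together with their `postShutdown` `-D` counterparts, which a failed restart can leave stale or duplicated) could then go. The external interface is also hard-coded as `eno1` inside all four iptables strings although `externalInterface = "eno1"` is declared a few lines above; if the rules are kept, `config.networking.nat.externalInterface` keeps them in sync. The block comment on `vpn-silver` explains the address choice; one more sentence, such as `# 192.168.10.0/24 and 192.168.11.0/24 must not overlap a peer's own LAN, or its traffic will not route here`, would help whoever adds the next peer.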
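Review bot: The new `wg/silver/phonePriv` and `wg/toast/phonePriv` entries make the phones' WireGuard private keys decryptable by `everest`, yet nothing in `roles/server/wireguard.nix` reads them: the server only consumes its own `serverPriv` files, the peers' public keys and the PSKs. Holding a peer's private key on the server means a compromise of `everest` also hands over the peers' identities, so the two lines `"wg/silver/phonePriv".publicKeys = [ everest ];` and `"wg/toast/phonePriv".publicKeys = [ everest ];` (and the files under `secrets/wg/`) belong in the clients' own key store, or at minimum under a recipient key the server does not hold. The added `"cock".publicKeys = [ everest ];` has no matching file in this commit and is unrelated to the WireGuard change; it looks like a stray edit and needs either its file or removal. `wg/toast/phonePriv` is also committed as an unarmored binary blob while the other four secrets are ASCII-armored, which is harmless but inconsistent.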
--- /dev/null
+++ b/secrets/wg/silver/serverPriv
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A xu8kFORPIO3cpRKruN2H3Ab8kGHKooWF+a51uvo6AnQ
+2LyysvbhXMTJ+CXZtqYksxNAH5E+fgpmtCkX0TVp1SI
+-> T$7CzH-grease ZJA,Gm
+fyYJztvSX5VrUustF3Y3XpgdmAhpMR/4
+--- S/lJcXIuerNOPN687eO9CgsLZE8/yTEGfs2GUD4H/+Y
+ҵI
+ }v''9Fnג؏<W]t`k+xl7p9/5zCxFFHr
\ No newline at end of file
diff --git a/secrets/wg/toast/phonePriv b/secrets/wg/toast/phonePriv
new file mode 100644
index 0000000..76cc573
Binary files /dev/null and b/secrets/wg/toast/phonePriv differ
diff --git a/secrets/wg/toast/phonePsk b/secrets/wg/toast/phonePsk
new file mode 100644
index 0000000..853edab
--- /dev/null
+++ b/secrets/wg/toast/phonePsk
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A LJQA1BbMRZCiasZkqUIYdEF4U8AFfHv+tiDkIfp5xV0
+YVKxaYXmLMimAjQ5N0ALSkptDcSmUafX1JPaA+lXLiU
+-> {m4@-grease o=oC?P u1g sMgp\s"
+GwnTCGHOjeG1XzcjSD/nqqY5eJRAkCIikGEIhLCLfuKqryn69mRz0mxoy7949j4j
+oSG2
+--- z6TjnxxvqB7M7IXuIEJIpQrSvtW6yUC+FJDC9e9o2rg
+fYR"gg`AO;&; h;'(ujNw吨FDg
\ No newline at end of file
diff --git a/secrets/wg/toast/serverPriv b/secrets/wg/toast/serverPriv
new file mode 100644
index 0000000..e7e3de5
--- /dev/null
+++ b/secrets/wg/toast/serverPriv
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A Y2wquDHovRlD2P7tv+6Z+DV3uoOeqs219woSenjJGBg
+ZvHSzvAxlK2hZt41I1q4lAV3g9dg+8onphpG8V3gPM8
+-> /-grease leqR
+wT1Jyk7ceGKQlsQrNuTigKJbRLbk32r1ic/kHZnFikn1/Jx8W5t7VEVxV/qbbjM7
+2eV73hu3QR8uz/1/wwMuX9yyPX79o/BbmThqAwXR
+--- v2H9k4DcOqjtAuw7fgX2AEOnJLC8BMH5l8KPvoLxxKc
+'.|^_|svO'3@l6eQB.3/+I0-?Ihdm{h
\ No newline at end of file