Toast/nix-stuff
1
0
Fork 0
Code Issues Pull requests Projects 1 Wiki Activity

Server: add wireguard

Browse source
This commit is contained in:
Toast 2023-07-14 15:24:33 +02:00
parent 23c444cdd0
commit 6a83942761
9 changed files with 121 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
roles/server/default.nix
View file

@ -12,5 +12,6 @@
./transmission.nix ./transmission.nix
./ddclient.nix ./ddclient.nix
./beep.nix ./beep.nix
./wireguard.nix
]; ];
} }

73
roles/server/wireguard.nix Normal file
View file

@ -0,0 +1,73 @@
{ config, pkgs, ... }:
{
# Set up secrets
age.secrets = {
silverPrivate.file = ../../secrets/wg/silver/serverPriv;
silverPhonePsk.file = ../../secrets/wg/silver/phonePsk;
toastPrivate.file = ../../secrets/wg/toast/serverPriv;
toastPhonePsk.file = ../../secrets/wg/toast/phonePsk;
};
networking = {
# You need NAT if you want to use wireguard as a VPN
nat = {
enable = true;
externalInterface = "eno1";
internalInterfaces = [ "wg-*" ];
};
# Allow the wireguard port though the firewall
firewall.allowedUDPPorts = with config.networking.wireguard.interfaces; [ vpn-silver.listenPort vpn-toast.listenPort];
wireguard = {
enable = true;
interfaces = {
vpn-silver = {
/*
I see people normally use 10.0.X.X, but I already have the muscle memory of
typing 192.168.X.X so I went with this one. Plus I'm only going to have 2-3
peers connected at once, so a type C IP is more than enough
*/
ips = [ "192.168.10.1/24" ];
listenPort = 51820;
privateKeyFile = config.age.secrets.silverPrivate.path;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
'';
peers = [
{
# Silver's phone
allowedIPs = [ "192.168.10.2" ];
publicKey = "silvrNOD8j5aDm4PhY8zJBV3JZOeBX6VK5KPvT+3yic=";
presharedKeyFile = config.age.secrets.silverPhonePsk.path;
}
];
};
vpn-toast = {
ips = [ "192.168.11.1/24" ];
listenPort = 51821;
privateKeyFile = config.age.secrets.toastPrivate.path;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
'';
peers = [
{
# My phone
allowedIPs = [ "192.168.11.2" ];
publicKey = "pHonE1YaBZcTU5sTMLg6Iy4FIyzInfHfH4x0NZ1lBRA=";
presharedKeyFile = config.age.secrets.toastPhonePsk.path;
}
];
};
};
};
};
}

7
secrets/secrets.nix
View file

@ -4,6 +4,13 @@ let
in in
{ {
"ddclient-passwd".publicKeys = [ everest ]; "ddclient-passwd".publicKeys = [ everest ];
"cock".publicKeys = [ everest ];
"syncthing/key".publicKeys = [ everest ]; "syncthing/key".publicKeys = [ everest ];
"syncthing/cert".publicKeys = [ everest ]; "syncthing/cert".publicKeys = [ everest ];
"wg/silver/serverPriv".publicKeys = [ everest ];
"wg/silver/phonePriv".publicKeys = [ everest ];
"wg/silver/phonePsk".publicKeys = [ everest ];
"wg/toast/serverPriv".publicKeys = [ everest ];
"wg/toast/phonePriv".publicKeys = [ everest ];
"wg/toast/phonePsk".publicKeys = [ everest ];
} }

8
secrets/wg/silver/phonePriv Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A vExPc7M17NblMkOjJCxVm6I4v6/6yYBzE6nfc9saOEc
muXFANq6dGV+ToPwlUTkZ84wVsGqnTcCLvncmOgcbrk
-> VN-grease (ijvp 99` (qc
f+ZaYegYdxUu4uj7uGtIl1Pm1ipMe4gQxs57vQxYCHOYO6tejSbwI8Y8sOAzkNV0
pv0EFylBo9Y
--- SrPUCAPc2SmcpvPoPEK/gYJ9hn+vdplxJRMBfRSamAo
èbºŒÆϾÒróÌá ¹ÞÞ¹?/Ýî¶â»<C3A2>ðæQ¬2D© Š½rŒr4;®º‡ÿÌâÀÀ’^º­º|æÂTã¿ {!]ƒˆ‡ÁÛü

8
secrets/wg/silver/phonePsk Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A 8YvcfWII3BKsM+V+ceoFC3XXldC0qvwnL/6ggK+Il0s
irwDqE2NcFHU/mVlhvIt787a4EW3kmEd11d0P393zXA
-> Wu;RC:#-grease EIrU+ a1!S.4 t Uq#Qab6^
mpekj8nSA5jpzDm1l5VrrYxMxmcuG5Yh+ABWkv2Dn9dKuJG6E1CIcAnU+9rpP6n4
waoAYhTnVZpcHd1qVVm1Mwlz1REymNYxYw7MVplfM3lm1jSU
--- Q+IuFa2gerHpADs2TR/ZkULZV0rIaUvqFpoiovmbcQs
ŽA3ý¹z·¸X"I¥jlkx— uÝ7<C39D>Ï éUhG¡J Ö<C2A0>°{+éÄî^žq«»bL?RImS܈=PÔ½¸gq¿ÚFtJx

8
secrets/wg/silver/serverPriv Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A xu8kFORPIO3cpRKruN2H3Ab8kGHKooWF+a51uvo6AnQ
2LyysvbhXMTJ+CXZtqYksxNAH5E+fgpmtCkX0TVp1SI
-> T$7CzH-grease ZJA,Gm
fyYJztvSX5VrUustF3Y3XpgdmAhpMR/4
--- S/lJcXIuerNOPN687eO9CgsLZE8/yTEGfs2GUD4H/+Y
ÖÒµªI
Šï ¸›¿}v'Ô'9¤FÖn•é×Ø<E28099><W]t`kï+°<>Ìl7p9/5zïÃê…CxFð¥•õFHr

BIN
secrets/wg/toast/phonePriv Normal file
View file

Binary file not shown.

8
secrets/wg/toast/phonePsk Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A LJQA1BbMRZCiasZkqUIYdEF4U8AFfHv+tiDkIfp5xV0
YVKxaYXmLMimAjQ5N0ALSkptDcSmUafX1JPaA+lXLiU
-> {m4@-grease o=oC?P u1g sMgp\s"
GwnTCGHOjeG1XzcjSD/nqqY5eJRAkCIikGEIhLCLfuKqryn69mRz0mxoy7949j4j
oSG2
--- z6TjnxxvqB7M7IXuIEJIpQrSvtW6yUC+FJDC9e9o2rg
Çf½Y¤RÎ"ggÇÁ¼Ù`AO;&è¹; ÿÜÒh;'©ü(Š‡¹»ô¸‹ûuûõÁ©³<C2A9>Ÿ¡jâÿöN£êwå£å<C2A3>¨FDgÜ

8
secrets/wg/toast/serverPriv Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A Y2wquDHovRlD2P7tv+6Z+DV3uoOeqs219woSenjJGBg
ZvHSzvAxlK2hZt41I1q4lAV3g9dg+8onphpG8V3gPM8
-> /-grease leqR
wT1Jyk7ceGKQlsQrNuTigKJbRLbk32r1ic/kHZnFikn1/Jx8W5t7VEVxV/qbbjM7
2eV73hu3QR8uz/1/wwMuX9yyPX79o/BbmThqAwXR
--- v2H9k4DcOqjtAuw7fgX2AEOnJLC8BMH5l8KPvoLxxKc
·»’ª'Ô.òÒ|ð§_|s<>ÅvÏO¶'3@ál6eQB.3/û+žI0Ä-?ñ<>Ih¯Žà™Öîú†Ãdm{žøíðhÄ