Server: add wireguard

2023-07-14 15:24:33 +02:00 · 2023-07-14 15:24:33 +02:00 · 6a83942761
commit 6a83942761
parent 23c444cdd0
9 changed files with 121 additions and 0 deletions
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@ -12,5 +12,6 @@
 		./transmission.nix
 		./ddclient.nix
 		./beep.nix
+		./wireguard.nix
 	];
 }
--- a/roles/server/wireguard.nix
+++ b/roles/server/wireguard.nix
@ -0,0 +1,73 @@
+{ config, pkgs, ... }:
+
+{
+	# Set up secrets
+	age.secrets = {
+		silverPrivate.file = ../../secrets/wg/silver/serverPriv;
+		silverPhonePsk.file = ../../secrets/wg/silver/phonePsk;
+		toastPrivate.file = ../../secrets/wg/toast/serverPriv;
+		toastPhonePsk.file = ../../secrets/wg/toast/phonePsk;
+	};
+	
+	networking = {
+		# You need NAT if you want to use wireguard as a VPN
+		nat = {
+			enable = true;
+			externalInterface = "eno1";
+			internalInterfaces = [ "wg-*" ];
+		};
+
+		# Allow the wireguard port though the firewall
+		firewall.allowedUDPPorts = with config.networking.wireguard.interfaces; [ vpn-silver.listenPort vpn-toast.listenPort];
+
+		wireguard = {
+			enable = true;
+			interfaces = {
+				vpn-silver = {
+					/*
+					I see people normally use 10.0.X.X, but I already have the muscle memory of
+					typing 192.168.X.X so I went with this one. Plus I'm only going to have 2-3 
+					peers connected at once, so a type C IP is more than enough
+					*/
+					ips = [ "192.168.10.1/24" ];
+					listenPort = 51820;
+					privateKeyFile = config.age.secrets.silverPrivate.path;
+					postSetup = ''
+						${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
+					'';
+					postShutdown = ''
+						${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
+					'';
+					peers = [
+						{
+							# Silver's phone
+							allowedIPs = [ "192.168.10.2" ];
+							publicKey = "silvrNOD8j5aDm4PhY8zJBV3JZOeBX6VK5KPvT+3yic=";
+							presharedKeyFile = config.age.secrets.silverPhonePsk.path;
+						}
+					];
+				};
+				vpn-toast = {
+					ips = [ "192.168.11.1/24" ];
+					listenPort = 51821;
+					privateKeyFile = config.age.secrets.toastPrivate.path;
+					postSetup = ''
+						${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
+					'';
+					postShutdown = ''
+						${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
+					'';
+					peers = [
+						{
+							# My phone
+							allowedIPs = [ "192.168.11.2" ];
+							publicKey = "pHonE1YaBZcTU5sTMLg6Iy4FIyzInfHfH4x0NZ1lBRA=";
+							presharedKeyFile = config.age.secrets.toastPhonePsk.path;
+						}
+					];
+				};
+				
+			};
+		};
+	};
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -4,6 +4,13 @@ let
 in
 {
 	"ddclient-passwd".publicKeys = [ everest ];
+	"cock".publicKeys = [ everest ];
 	"syncthing/key".publicKeys = [ everest ];
 	"syncthing/cert".publicKeys = [ everest ];
+	"wg/silver/serverPriv".publicKeys = [ everest ];
+	"wg/silver/phonePriv".publicKeys = [ everest ];
+	"wg/silver/phonePsk".publicKeys = [ everest ];
+	"wg/toast/serverPriv".publicKeys = [ everest ];
+	"wg/toast/phonePriv".publicKeys = [ everest ];
+	"wg/toast/phonePsk".publicKeys = [ everest ];
 }
--- a/secrets/wg/silver/phonePriv
+++ b/secrets/wg/silver/phonePriv
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A vExPc7M17NblMkOjJCxVm6I4v6/6yYBzE6nfc9saOEc
+muXFANq6dGV+ToPwlUTkZ84wVsGqnTcCLvncmOgcbrk
+-> VN-grease (ijvp 99` (qc
+f+ZaYegYdxUu4uj7uGtIl1Pm1ipMe4gQxs57vQxYCHOYO6tejSbwI8Y8sOAzkNV0
+pv0EFylBo9Y
+--- SrPUCAPc2SmcpvPoPEK/gYJ9hn+vdplxJRMBfRSamAo
+èbºŒÆÏ¾ÒróÌá ¹ÞÞ¹?/Ýî¶â»<C3A2>ðæQ¬2D© Š½rŒr4;®º‡ÿÌâÀÀ’^ºº|æÂTã¿	{!–]ƒˆ‡ÁÛü
--- a/secrets/wg/silver/phonePsk
+++ b/secrets/wg/silver/phonePsk
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A 8YvcfWII3BKsM+V+ceoFC3XXldC0qvwnL/6ggK+Il0s
+irwDqE2NcFHU/mVlhvIt787a4EW3kmEd11d0P393zXA
+-> Wu;RC:#-grease EIrU+ a1!S.4 t Uq#Qab6^
+mpekj8nSA5jpzDm1l5VrrYxMxmcuG5Yh+ABWkv2Dn9dKuJG6E1CIcAnU+9rpP6n4
+waoAYhTnVZpcHd1qVVm1Mwlz1REymNYxYw7MVplfM3lm1jSU
+--- Q+IuFa2gerHpADs2TR/ZkULZV0rIaUvqFpoiovmbcQs
+ŽA3ý¹z·¸X‹"I¥jl•kx— uÝ7<C39D>Ï
éUhG›¡J Ö<C2A0>°{+éÄî^žq«»bL?RI‘mSÜˆ=PÔ½¸‹gq¿ÚFtJx
--- a/secrets/wg/silver/serverPriv
+++ b/secrets/wg/silver/serverPriv
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A xu8kFORPIO3cpRKruN2H3Ab8kGHKooWF+a51uvo6AnQ
+2LyysvbhXMTJ+CXZtqYksxNAH5E+fgpmtCkX0TVp1SI
+-> T$7CzH-grease ZJA,Gm
+fyYJztvSX5VrUustF3Y3XpgdmAhpMR/4
+--- S/lJcXIuerNOPN687eO9CgsLZE8/yTEGfs2GUD4H/+Y
+ÖÒµªI
+Šï
¸›¿}v'Ô'9¤FÖn•é×’Ø<E28099><W]t`kï+„°›<>xðÌl7p9/5zïÃê…CxFð¥•õFHr
--- a/secrets/wg/toast/phonePriv
+++ b/secrets/wg/toast/phonePriv
--- a/secrets/wg/toast/phonePsk
+++ b/secrets/wg/toast/phonePsk
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A LJQA1BbMRZCiasZkqUIYdEF4U8AFfHv+tiDkIfp5xV0
+YVKxaYXmLMimAjQ5N0ALSkptDcSmUafX1JPaA+lXLiU
+-> {m4@-grease o=oC?P u1g sMgp\s"
+GwnTCGHOjeG1XzcjSD/nqqY5eJRAkCIikGEIhLCLfuKqryn69mRz0mxoy7949j4j
+oSG2
+--- z6TjnxxvqB7M7IXuIEJIpQrSvtW6yUC+FJDC9e9o2rg
+Çf½Y¤RÎ"ggÇÁ¼Ù`AO;&è¹;–ÿÜÒh;'©ü(Š‡¹»ô¸‹ûuû’õÁ©³<C2A9>Ÿ¡‘jâÿöN£êwå£å<C2A3>¨FDgÜ
--- a/secrets/wg/toast/serverPriv
+++ b/secrets/wg/toast/serverPriv
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 VoNo4A Y2wquDHovRlD2P7tv+6Z+DV3uoOeqs219woSenjJGBg
+ZvHSzvAxlK2hZt41I1q4lAV3g9dg+8onphpG8V3gPM8
+-> /-grease leqR
+wT1Jyk7ceGKQlsQrNuTigKJbRLbk32r1ic/kHZnFikn1/Jx8W5t7VEVxV/qbbjM7
+2eV73hu3QR8uz/1/wwMuX9yyPX79o/BbmThqAwXR
+--- v2H9k4DcOqjtAuw7fgX2AEOnJLC8BMH5l8KPvoLxxKc
+·»’ª'Ô.òÒ|ð§^ç_|s<>ÅvÏO›¶'3@ál6eQB.3/û+žI0Ä-?ñ<>Ih¯Žà™Öîú†Ãdm{žøíðhÄ