Add wireguard

This commit is contained in:
Julius 2021-12-22 21:23:03 +01:00
parent 5d98661202
commit a15baed033
Signed by: j00lz
GPG key ID: AF241B0AA237BBA2
7 changed files with 110 additions and 9 deletions

View file

@ -7,11 +7,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1632822684, "lastModified": 1638665590,
"narHash": "sha256-lt7eayYmgsD5OQwpb1XYfHpxttn43bWo7G7hIJs+zJw=", "narHash": "sha256-nhtfL3z4TizWHemyZvgLvq11FhYX5Ya4ke+t6Np5PKQ=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "9a02de4373e0ec272d08a417b269a28ac8b961b4", "rev": "715e92a13018bc1745fb680b5860af0c5641026a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -133,11 +133,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1636623366, "lastModified": 1640139330,
"narHash": "sha256-jOQMlv9qFSj0U66HB+ujZoapty0UbewmSNbX8+3ujUQ=", "narHash": "sha256-Nkp3wUOGwtoQ7EH28RLVJ7EqB/e0TU7VcsM7GLy+SdY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c5ed8beb478a8ca035f033f659b60c89500a3034", "rev": "81cef6b70fb5d5cdba5a0fef3f714c2dadaf0d6d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -192,11 +192,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1637273221, "lastModified": 1638383949,
"narHash": "sha256-ByBCiWlVprVgYGGy2ma7W0DKbtp4Xmj7S5whFrIzO3Q=", "narHash": "sha256-k7oMUrp1cMBj59uihyocJVqi4jbU16ycHQqGTJxH1b0=",
"owner": "serokell", "owner": "serokell",
"repo": "serokell.nix", "repo": "serokell.nix",
"rev": "1649eceabbe6e148b3c1b322b716e873d312599f", "rev": "faebe5b14155d045ae5d3f76193c8e99e664af1b",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -256,6 +256,11 @@
ip = "10.42.20.10"; ip = "10.42.20.10";
mac = "46:37:52:f3:a2:fb"; mac = "46:37:52:f3:a2:fb";
} }
{
hostname = "wireguard";
ip = "10.42.20.13";
mac = "1A:C6:89:21:85:85";
}
/* { /* {
hostname = "dhcp"; hostname = "dhcp";
ip = "10.42.42.42"; ip = "10.42.42.42";

View file

@ -0,0 +1,71 @@
{ config, pkgs, lib, ... }:
let secrets = import ./secrets.nix;
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
# Import common config
../../common/generic-vm.nix
../../common
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
networking.hostName = "wireguard";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
environment.systemPackages = with pkgs; [ wireguard ];
environment.noXlibs = lib.mkForce false;
networking.firewall.allowedTCPPorts = [ ];
networking.nat.enable = true;
networking.nat.externalInterface = "ens18";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall.allowedUDPPorts = [ 51820 ];
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.42.69.1/24" ];
listenPort = 51820;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.42.69.0/24 -o ens18 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.42.69.0/24 -o ens18 -j MASQUERADE
'';
privateKey = secrets.serverPrivate;
peers = [
{
publicKey = secrets.laptopPublic;
allowedIPs = [ "10.42.69.2/32" ];
}
{
publicKey = secrets.phonePublic;
allowedIPs = [ "10.42.69.3/32" ];
}
];
};
};
}

View file

@ -0,0 +1,25 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7085fcd5-71a0-46ed-bc9a-9642ed4b1633";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/779fe897-e5cb-49f0-903d-eb9a7f76c3c7"; }
];
}

BIN
hosts/wireguard/secrets.nix Normal file

Binary file not shown.

BIN
hosts/wireguard/secrets.txt Normal file

Binary file not shown.

BIN
secrets.nix Normal file

Binary file not shown.