Update wireguard

albert 2025-02-24 12:46:26 -08:00
parent 3f9ff35d9b
commit 465b4441f6
Signed by: albert
GPG key ID: 3895DD267CA11BA9
10 changed files with 28 additions and 122 deletions


@ -1,11 +1,9 @@
{ pkgs, config, lib, ... }: {
{ ... }: {
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 osaka-linode-01
10.100.0.2 framework-server-wg
10.100.0.3 backups-rpi4
10.100.0.4 frankfurt-linode-01
10.100.0.3 backups-rpi4-wg
10.100.0.4 frankfurt-linode-01-wg
'';
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
@ -21,7 +19,6 @@
};
# Wireguard Forwarder
networking.firewall.allowPing = true;
networking.wireguard = {
enable = true;
interfaces = {
@ -29,23 +26,14 @@
ips = [ "10.100.0.3/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
# Testing
peers = [
{ # osaka-linode-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
}
{ # frankfurt-linode-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.4/32" ];
endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
}
];
};
};
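Review bot: The extraHosts block still carries `10.100.0.1 osaka-linode-01` and `10.100.0.2 framework-server-wg` although this same hunk drops osaka-linode-01 from the peer list and the only remaining peer routes `10.100.0.4/32`, so neither name is reachable through wireguard0 from this host. The frankfurt-linode-01 and warsaw-ovh-01 sections of this commit map `10.100.0.2` to `warsaw-ovh-01-wg`, so this file now disagrees with the rest of the fleet about which host owns that address, and a hosts entry that later resolves to a different machine than its name suggests is how an SSH session or backup target lands on the wrong peer. Prune the two stale entries (or rename the osaka one to the `-wg` convention if it is meant to stay), leaving `10.100.0.3 backups-rpi4-wg` and `10.100.0.4 frankfurt-linode-01-wg`. The module's outer braces close outside the hunks shown.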


@ -10,7 +10,7 @@
../../common/services/docker.nix
../../common/services/tailscale-autoconnect.nix
../../common/services/forgejo-runner.nix
../../common/services/syncthing.nix
../../common/services/syncthing/default.nix
# Disabling -- I don't know why but this all of a sudden breaks Headscale.
# Sep 12 2024
# ../../common/modules/fail2ban/traefik.nix


@ -2,7 +2,6 @@
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 osaka-linode-01-wg
10.100.0.2 framework-server-wg
10.100.0.4 frankfurt-linode-01-wg
'';
@ -21,27 +20,20 @@
# Wireguard Forwarder
networking.wireguard = {
enable = true;
enable = false;
interfaces = {
"wireguard0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
peers = [
{ # osaka-linode-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
peers = [
{ # frankfurt-linode-01
publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
endpoint = "172.234.84.222:51820"; # osaka-linode-01
allowedIPs = [ "10.100.0.4/32" ];
endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
}
# { # frankfurt-linode-01
# publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
# presharedKeyFile = "/run/secrets/preshared_key";
# persistentKeepalive = 5;
# allowedIPs = [ "10.100.0.4/32" ];
# endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
# }
];
};
};
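Review bot: Setting `enable = false;` leaves the complete wireguard0 definition in place, including `ips = [ "10.100.0.2/24" ];`, while the frankfurt-linode-01 and warsaw-ovh-01 sections of this commit assign `10.100.0.2` to warsaw-ovh-01; re-enabling this block as-is would put two peers on the same tunnel address. Either remove the interface definition or record why it is kept disabled so the conflict is visible to the next reader, e.g. `# Disabled in 465b4441f6: 10.100.0.2 is now used by warsaw-ovh-01; re-address before re-enabling.` The `10.100.0.2 framework-server-wg` extraHosts entry that survives at the top of this file also points at an interface this host no longer brings up. The module's outer braces close outside the hunks shown.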


@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ pkgs, ... }:
let
hibernateEnvironment = {
@ -43,4 +43,4 @@ in {
serviceConfig.Type = "simple";
};
}
}


@ -2,8 +2,8 @@
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 osaka-linode-01-wg
10.100.0.3 backups-rpi4-wg
10.100.0.2 warsaw-ovh-01-wg
10.100.0.4 frankfurt-linode-01-wg
'';


@ -2,8 +2,8 @@
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
../../common/services/tailscale-autoconnect.nix
./firewall.nix
../../common/services/docker.nix
./firewall.nix
(import ../../common/containers/derp.nix { domainName = "milan.sysctl.io"; })
];


@ -4,8 +4,6 @@
(import ../../common/containers/derp.nix { domainName = "osaka.sysctl.io"; })
../../common/services/tailscale-autoconnect.nix
../../common/services/docker.nix
./firewall.nix
./wireguard.nix
];
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];


@ -0,0 +1,13 @@
{ ... }: {
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
1443 # Headscale DERP (tcp)
];
allowedUDPPorts = [
3478 # Headscale DERP (udp)
];
};
};
}
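Review bot: Nothing visible in this commit imports the new firewall module: the default.nix section immediately above appears to drop `./firewall.nix` from its import list, and the imports that remain there (`derp.nix`, tailscale-autoconnect, docker) do not reference it. If the file is not pulled in elsewhere, `1443`/tcp and `3478`/udp stay closed and this module is dead configuration; if it is, a one-line comment naming the importer would save the next reader the search, e.g. `# Imported by ./default.nix; opens the DERP ports used by the derp.nix container.` Which host directory this file belongs to is inferred from the section order of the page, so confirm the import path before acting on this.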


@ -1,77 +0,0 @@
{ hostname, pkgs, ... }: {
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 osaka-linode-01-wg
10.100.0.3 backups-rpi4-wg
10.100.0.4 frankfurt-linode-01-wg
'';
networking.firewall.allowedUDPPorts = [ 51820 ];
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
# Set up the secrets file:
sops.secrets."wireguard_key" = {
owner = "root";
sopsFile = ../../../secrets/hosts/${hostname}.yaml;
};
sops.secrets."preshared_key" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
# Wireguard Forwarder
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = 1;
"net.ipv4.conf.default.forwarding" = 1;
};
networking.wireguard = {
enable = true;
interfaces = {
"wireguard0" = {
ips = [
"10.100.0.1/24"
"10.100.1.1/24"
];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE'';
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE'';
peers = [
{ # framework-server / ovh-server
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
presharedKeyFile = "/run/secrets/preshared_key";
allowedIPs = [ "10.100.0.2/32" ];
persistentKeepalive = 5;
}
{ # backups-rpi4
publicKey = "cqocpMyY8Z0Jl0hoAdghn3dR3VhkkOYyeSwW6UKk9Fs=";
presharedKeyFile = "/run/secrets/preshared_key";
allowedIPs = [ "10.100.0.3/32" ];
persistentKeepalive = 5;
}
{ # framewrk-server docker:wg-enshrouded
publicKey = "ucV6LgUwSbEyyxPlS83OayFPK6ysQKu6cVBV97S07mI=";
presharedKeyFile = "/run/secrets/preshared_key";
allowedIPs = [ "10.100.1.2/32" ];
persistentKeepalive = 5;
}
{ # framewrk-server docker:wg-mailserver
publicKey = "5C1ft3LIGmyFwi00pyLeYjvJpqHLTQFNMRlXlva6uEI=";
presharedKeyFile = "/run/secrets/preshared_key";
allowedIPs = [ "10.100.1.3/32" ];
persistentKeepalive = 5;
}
{ # framework-server docker:wg-vintage-story
publicKey = "ooDzRceUrh/Ie8pjkOEPZ3ge/GJrj/+lVzzdnybC0jY=";
presharedKeyFile = "/run/secrets/preshared_key";
allowedIPs = [ "10.100.1.5/32" ];
persistentKeepalive = 5;
}
];
};
};
};
}


@ -2,7 +2,6 @@
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 osaka-linode-01-wg
10.100.0.2 warsaw-ovh-01-wg
10.100.0.4 frankfurt-linode-01-wg
'';
@ -28,13 +27,6 @@
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
peers = [
# { # osaka-linode-01
# publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
# presharedKeyFile = "/run/secrets/preshared_key";
# persistentKeepalive = 5;
# allowedIPs = [ "10.100.0.1/32" ];
# endpoint = "172.234.84.222:51820"; # osaka-linode-01
# }
{ # frankfurt-linode-01
publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
presharedKeyFile = "/run/secrets/preshared_key";