{ pkgs, config, lib, ... }: { networking.firewall.allowedUDPPorts = [ 51820 ]; networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ]; # Set up the secrets file: sops.secrets."wireguard_keys/osaka-vultr-01" = { owner = "root"; sopsFile = ../../../secrets/wireguard.yaml; }; sops.secrets."wireguard_keys/preshared_key" = { owner = "root"; sopsFile = ../../../secrets/wireguard.yaml; }; # Wireguard Forwarder boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; "net.ipv4.conf.all.forwarding" = 1; "net.ipv4.conf.default.forwarding" = 1; }; networking.wireguard = { enable = true; interfaces = { "wireguard0" = { ips = [ "10.100.0.1/24" ]; listenPort = 51820; privateKeyFile = "/run/secrets/wireguard_keys/osaka-vultr-01"; postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE''; postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE''; peers = [ { # nixos-rpi4-03 publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek="; presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key"; persistentKeepalive = 5; allowedIPs = [ "10.100.0.2/32" ]; } ]; }; }; }; networking.nat = { enable = true; internalInterfaces = [ "wireguard0" ]; externalInterface = "eno3"; }; }