diff --git a/modules/config/devices/config/ceres.nix b/modules/config/devices/config/ceres.nix
index 723cca4..e1fd88a 100755
--- a/modules/config/devices/config/ceres.nix
+++ b/modules/config/devices/config/ceres.nix
@@ -28,7 +28,7 @@ in
 options = ownerExclusiveReadWriteMask;
 };
 wireguard = {
- ip0 = "10.100.0.1";
+ ip0 = "10.0.0.1";
 };
 storage0 = {
 mount = "/mnt/media/${ceresStorageDriveName}";
diff --git a/modules/config/devices/config/mars.nix b/modules/config/devices/config/mars.nix
index 5ea9e56..4d14165 100755
--- a/modules/config/devices/config/mars.nix
+++ b/modules/config/devices/config/mars.nix
@@ -19,7 +19,7 @@ in
 options = ownerWriteOthersReadMask;
 };
 wireguard = {
- ip0 = "10.100.0.2";
+ ip0 = "10.0.0.2";
 };
 storage0 = {
 mount = "/mnt/media/games";
diff --git a/modules/config/instances/config/wireGuard.nix b/modules/config/instances/config/wireGuard.nix
index 06c5a69..d8b6be0 100755
--- a/modules/config/instances/config/wireGuard.nix
+++ b/modules/config/instances/config/wireGuard.nix
@@ -14,7 +14,7 @@ in
 path0 = "${sopsPath}/${name}";
 };
 ports = {
- port0 = 51820;
+ port0 = 53;
 port1 = 51821;
 };
 }
diff --git a/modules/home/cli/utilities/ipTables/default.nix b/modules/home/cli/utilities/ipTables/default.nix
new file mode 100644
index 0000000..a637517
--- /dev/null
+++ b/modules/home/cli/utilities/ipTables/default.nix
@@ -0,0 +1,11 @@
+{
+ pkgs,
+ ...
+}:
+{
+ home.packages = builtins.attrValues {
+ inherit (pkgs)
+ iptables
+ ;
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 27be9b5..9f10bcb 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -18,7 +18,6 @@ in
 wayland
 searx
 flatpak
- wireGuard
 ;
 };
 };
@@ -33,7 +32,6 @@ in
 sddm
 flatpak
 espanso
- wireGuard
 glance
 ;
 };
@@ -44,7 +42,6 @@ in
 inherit (modules)
 plasma
 sddm
- wireGuard
 ;
 };
 };
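Review bot: The new `ip0 = "10.0.0.1";` puts the tunnel on 10.0.0.0/24, which is the default LAN range of many consumer routers, so an address collision with whatever network either host is plugged into becomes far more likely than it was with 10.100.0.0/24; with mars now routing `0.0.0.0/0` through wg0 (systems/mars/config/wireguard.nix in this diff), a connected 10.0.0.0/24 route on wg0 would compete with the LAN route through which the endpoint itself is reached. Unless something outside this diff requires the change, keep a less common range, e.g. `ip0 = "10.100.0.1";` here and the matching `.2` in mars.nix, or add a comment recording why 10.0.0.0/24 is known to be free on both sides. The enclosing attribute set starts and ends outside the hunk.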
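Review bot: `port0 = 53;` silently changes what this slot means: it previously held the WireGuard default port (51820) and now holds the DNS port that ceres opens for tunnel peers (see the firewall hunk in systems/ceres/config/wireguard.nix), while `port1` remains the real WireGuard `listenPort`. Anyone reading `service.ports.port0` elsewhere will assume a WireGuard port, so either rename the attribute or annotate it in place, e.g. `port0 = 53; # DNS offered to wg peers (see ceres firewall), not a WireGuard listen port -- that is port1`. The `ports` set is fully inside the hunk but the enclosing module continues outside it.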
@@ -70,15 +67,6 @@ in }; }; - mantle = { - imports = builtins.attrValues { - inherit (modules) - sops - xserver - ; - }; - }; - crust = { imports = builtins.attrValues { inherit (modules) @@ -88,6 +76,15 @@ in }; }; + mantle = { + imports = builtins.attrValues { + inherit (modules) + sops + xserver + ; + }; + }; + core = { imports = builtins.attrValues { inherit (modules) diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix index 5f5f689..671ed7f 100755 --- a/systems/ceres/config/wireguard.nix +++ b/systems/ceres/config/wireguard.nix @@ -1,22 +1,25 @@ -{ config, flake, ... }: +{ + config, + flake, + pkgs, + ... +}: let inherit (flake.config.services.instances) wireGuard; inherit (flake.config.machines.devices) mars ceres; service = wireGuard; + hostIP = "${ceres.wireguard.ip0}/24"; in { networking = { firewall = { + allowedTCPPorts = [ + service.ports.port0 + ]; allowedUDPPorts = [ - 53 service.ports.port0 service.ports.port1 ]; - interfaces.wg0.allowedTCPPorts = [ - 80 - 443 - 8888 - ]; }; nat = { 
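Review bot: With `port0` now set to 53 in modules/config/instances/config/wireGuard.nix, the new `allowedTCPPorts = [ service.ports.port0 ];` plus the existing global `allowedUDPPorts` entry expose the DNS port on every interface, and the `interfaces.wg0` scoping that used to exist is removed rather than reused; if a resolver is listening on 53 (mars points its `dns` at ceres.wireguard.ip0, which suggests it is), that resolver becomes reachable from the internet, which is the classic open-resolver / amplification and cache-probing exposure. Only tunnel peers need it, so scope port0 to wg0 and leave just the WireGuard listen port (port1) global, as below. The `networking` set continues into the next hunk (`nat = {` is this hunk's last line), so the `nat` block is unaffected by this change.
```nix
firewall = {
  # Only the WireGuard listen port is reachable from every interface.
  allowedUDPPorts = [
    service.ports.port1
  ];
  # The resolver on port0 is for tunnel peers only; never expose it publicly.
  interfaces.wg0 = {
    allowedTCPPorts = [ service.ports.port0 ];
    allowedUDPPorts = [ service.ports.port0 ];
  };
};
# … unchanged: nat = { … } …
```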
@@ -26,15 +29,36 @@ in internalInterfaces = [ "wg0" ]; }; - wireguard.interfaces = { + wg-quick.interfaces = { wg0 = { - ips = [ "${ceres.wireguard.ip0}/24" ]; + address = [ + hostIP + "fdc9:281f:04d7:9ee9::1/64" + ]; listenPort = service.ports.port1; privateKeyFile = config.sops.secrets."${service.name}-private".path; + postUp = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${hostIP} -o eth0 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE + ''; + + # Undo the above + preDown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${hostIP} -o eth0 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE + ''; peers = [ { publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ="; - allowedIPs = [ "${mars.wireguard.ip0}/32" ]; + presharedKeyFile = config.sops.secrets."${service.name}-mars-public".path; + allowedIPs = [ + "${mars.wireguard.ip0}/32" + "fdc9:281f:04d7:9ee9::2/128" + ]; } ]; }; @@ -59,6 +83,7 @@ in [ "private" "public" + "mars-public" ] ); }; diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix index a55455c..b73cf4f 100755 --- a/systems/mars/config/wireguard.nix +++ b/systems/mars/config/wireguard.nix 
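Review bot: The `postUp`/`preDown` hooks hard-code `-o eth0` and add MASQUERADE rules by hand, while the `networking.nat` block at the top of this hunk (`internalInterfaces = [ "wg0" ]`; its `externalInterface` is outside the hunk) already makes NixOS masquerade wg0 traffic, so the host ends up with duplicated NAT rules and two places where the uplink interface name must agree; if the uplink is not literally `eth0` the manual rules match nothing and NAT depends on whatever the cut-off `nat` block says. Drop the two POSTROUTING lines from each hook, or if they must stay derive the interface from the existing option: `${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${hostIP} -o ${config.networking.nat.externalInterface} -j MASQUERADE`. The `-D` calls in `preDown` exit non-zero when a rule is absent, and wg-quick aborts the teardown on a failing hook as far as I recall, so appending `|| true` to them is worth considering; the `fdc9:281f:04d7:9ee9::1/64` literal is also repeated four times and deserves a `let` binding next to `hostIP`. The `wg-quick.interfaces` and `networking` sets close outside the hunk.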
@@ -5,23 +5,29 @@ let service = wireGuard; in { - networking = { - wireguard.interfaces = { - wg0 = { - ips = [ "${mars.wireguard.ip0}/24" ]; - privateKeyFile = config.sops.secrets."${service.name}-mars-private".path; - peers = [ - { - publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw="; - allowedIPs = [ - "${ceres.wireguard.ip0}/32" - "192.168.1.0/24" - ]; - endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}"; - persistentKeepalive = 25; - } - ]; - }; + networking.wg-quick.interfaces = { + wg0 = { + address = [ + "${mars.wireguard.ip0}/24" + "fdc9:281f:04d7:9ee9::2/64" + ]; + dns = [ + "${ceres.wireguard.ip0}" + "fdc9:281f:04d7:9ee9::1" + ]; + privateKeyFile = config.sops.secrets."${service.name}-mars-private".path; + peers = [ + { + publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw="; + presharedKeyFile = config.sops.secrets."${service.name}-public".path; + allowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; + endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}"; + persistentKeepalive = 25; + } + ]; }; }; @@ -43,6 +49,7 @@ in [ "mars-private" "mars-public" + "public" ] ); };
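Review bot: `presharedKeyFile = config.sops.secrets."${service.name}-public".path;` loads the PSK from a secret named differently from the one the ceres peer uses for the same tunnel (`"${service.name}-mars-public"` in systems/ceres/config/wireguard.nix), yet WireGuard only completes the handshake if both sides present the byte-identical 32-byte PSK, so these two secrets must have been populated with the same value by hand. The `-public` suffix further suggests public keys were reused as the PSK; both public keys are already literals in these files, so that would add no secrecy — presumably not intended, please confirm. Generate one value with `wg genpsk`, store it under a name that says what it is on both hosts, e.g. `presharedKeyFile = config.sops.secrets."${service.name}-mars-psk".path;`, and reference that same name in the sops secret list in the hunk below. The `networking.wg-quick.interfaces` set is fully inside the hunk; the module around it continues outside.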