upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-08 05:49:25 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

chore: moved wireguard config

Browse source
This commit is contained in:
Nick 2025-11-06 13:03:46 -06:00
parent 402f513a8d
commit 973297a2a8
2 changed files with 0 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

90
modules/nixos/services/wireguard/default.nix Executable file
View file

@ -0,0 +1,90 @@
{ config, flake, ... }:
let
inherit (flake.config.services) instances;
inherit (flake.config.machines.devices) ceres;
service = instances.wireGuard;
wireGuardInterface =
{
secret,
publicKey,
endpoint,
}:
{
name = "Proton-${secret}";
value = {
autostart = false;
address = [ "10.2.0.2/32" ];
dns = [ "10.2.0.1" ];
privateKeyFile = config.sops.secrets."${service.name}-${secret}".path;
peers = [
{
inherit publicKey endpoint;
allowedIPs = [ "0.0.0.0/0,::/0" ];
persistentKeepalive = 25;
}
];
};
};
interfaces = [
{
secret = "CA363";
publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
endpoint = "149.88.97.110:51820";
}
{
secret = "CA220";
publicKey = "UR8vjVYrrWYadCwLKiAabKTIdxM4yikmCXnvKWm89D8=";
endpoint = "139.28.218.130:51820";
}
{
secret = "CA358";
publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
endpoint = "149.88.97.110:51820";
}
{
secret = "CA627";
publicKey = "xLFgU430Tt7PdHJydVbIKvtjXJodoPpGKW7fhF7XE2k=";
endpoint = "139.28.218.130:51820";
}
];
in
{
networking = {
hosts = {
${ceres.wireguard.ip0} = [
instances.searx.domains.url0
instances.glance.domains.url0
];
};
wireguard.interfaces = {
wg0 = {
peers = [
{
publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
allowedIPs = [
"${ceres.wireguard.ip0}/32"
"${instances.web.localhost.address4}/24"
];
endpoint = "${instances.web.remotehost.address0}:${builtins.toString service.ports.port1}";
persistentKeepalive = 25;
}
];
};
};
};
sops.secrets =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = "root";
mode = "600";
};
in
builtins.listToAttrs (
(map (interface: {
name = "${service.name}-${interface.secret}";
value = sopsPath interface.secret;
}) interfaces)
);
}

76
modules/nixos/services/wireguard/wireguardCeres/default.nix Normal file
View file

@ -0,0 +1,76 @@
{ config, flake, ... }:
let
inherit (flake.config.services) instances;
inherit (flake.config.machines.devices) mars deimos ceres;
service = instances.wireGuard;
in
{
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
allowedUDPPorts = [
service.ports.port0
service.ports.port1
];
};
nat = {
enable = true;
enableIPv6 = true;
externalInterface = "enp10s0";
internalInterfaces = [
"wg0"
"br-vms"
];
};
wireguard.interfaces = {
wg0 = {
ips = [ "${ceres.wireguard.ip0}/24" ];
listenPort = service.ports.port1;
privateKeyFile = config.sops.secrets."${service.name}-private".path;
peers = [
# if you need to create a new key pair
# wg genkey | save --raw --force privatekey
# open privatekey | wg pubkey | save --raw --force publickey
{
publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
allowedIPs = [ "${mars.wireguard.ip0}/32" ];
}
{
publicKey = "hKbvOlvKdWAlq45rfV3ggwOI8xqiqVWweXV+2GQx/0I=";
allowedIPs = [ "${deimos.wireguard.ip0}/32" ];
}
];
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}-pass";
owner = "root";
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"private"
"public"
]
);
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
};
}