upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-06 21:17:14 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

chore: moved wireguard config

Browse source
This commit is contained in:
Nick 2025-11-06 16:35:10 -06:00
parent 973297a2a8
commit e98394d757
13 changed files with 412 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

71
systems/ceres/config/bridge.nix Executable file
View file

@ -0,0 +1,71 @@
{
lib,
...
}:
{
# Enable systemd-networkd for bridge management
systemd.network = {
enable = true;
netdevs = {
"20-br-vms" = {
netdevConfig = {
Name = "br-vms";
Kind = "bridge";
};
bridgeConfig = {
STP = false;
};
};
};
networks = {
# Connect physical interface to bridge
"30-enp10s0" = {
matchConfig.Name = "enp10s0";
networkConfig = {
Bridge = "br-vms";
ConfigureWithoutCarrier = true;
};
linkConfig = {
RequiredForOnline = false;
};
};
# Configure bridge to get IP from LAN DHCP
"40-br-vms" = {
matchConfig.Name = "br-vms";
networkConfig = {
DHCP = "ipv4";
};
linkConfig = {
RequiredForOnline = "routable";
};
};
# VM tap interface to bridge
"50-vm-forgejo" = {
matchConfig.Name = "vm-forgejo";
networkConfig = {
Bridge = "br-vms";
ConfigureWithoutCarrier = true;
};
linkConfig = {
RequiredForOnline = false;
};
};
};
};
# Tell NetworkManager to ignore bridge and VM interfaces
networking.networkmanager.unmanaged = [
"interface-name:br-vms"
"interface-name:vm-*"
"interface-name:enp10s0"
];
# IP forwarding (needed for both bridge networking and WireGuard NAT)
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
};
}

15
systems/ceres/config/networking.nix
View file

@ -5,17 +5,13 @@
}:
let
inherit (flake.config.machines.devices) ceres;
inherit (flake.config.services) instances;
wireguardService = instances.wireGuard;
in
{
networking = {
hostName = ceres.name;
networkmanager = {
enable = true;
unmanaged = [
"interface-name:br-vms"
"interface-name:vm-*"
];
};
networkmanager.enable = true;
nftables.enable = true;
useDHCP = lib.mkDefault true;
firewall = {
@ -27,6 +23,11 @@ in
587 # SMTP
2525 # SMTP
9999 # NC
wireguardService.ports.port0 # WireGuard
];
allowedUDPPorts = [
wireguardService.ports.port0 # WireGuard
wireguardService.ports.port1 # WireGuard
];
};
};

62
systems/ceres/config/wireguard.nix Normal file
View file

@ -0,0 +1,62 @@
{ config, flake, ... }:
let
inherit (flake.config.services) instances;
inherit (flake.config.machines.devices) mars deimos ceres;
service = instances.wireGuard;
in
{
networking = {
nat = {
enable = true;
enableIPv6 = true;
externalInterface = "enp10s0";
internalInterfaces = [
"wg0"
"br-vms"
];
};
wireguard.interfaces = {
wg0 = {
ips = [ "${ceres.wireguard.ip0}/24" ];
listenPort = service.ports.port1;
privateKeyFile = config.sops.secrets."${service.name}-private".path;
peers = [
# if you need to create a new key pair
# wg genkey | save --raw --force privatekey
# open privatekey | wg pubkey | save --raw --force publickey
{
publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
allowedIPs = [ "${mars.wireguard.ip0}/32" ];
}
{
publicKey = "hKbvOlvKdWAlq45rfV3ggwOI8xqiqVWweXV+2GQx/0I=";
allowedIPs = [ "${deimos.wireguard.ip0}/32" ];
}
];
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}-pass";
owner = "root";
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"private"
"public"
]
);
};
}