chore: moved wireguard config

Nick 2025-11-06 16:35:10 -06:00
parent 973297a2a8
commit e98394d757
13 changed files with 412 additions and 88 deletions

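--- a/example.nix
+++ b/example.nix
@@ -0,0 +1,265 @@
+# This is someone else's network config, however they use VLANs. I am not using VLANs. I'm just connecting my microVMs to the general LAN for now.
+{
+enable = true;
+netdevs = {
+"vlan-mgmt" = {
+netdevConfig = {
+Name = "vlan-mgmt";
+Kind = "vlan";
+};
+vlanConfig.Id = 50;
+};
+"br-mgmt" = {
+netdevConfig = {
+Name = "br-mgmt";
+Kind = "bridge";
+};
+};
+"vlan-minio" = {
+netdevConfig = {
+Name = "vlan-minio";
+Kind = "vlan";
+};
+vlanConfig.Id = 51;
+};
+"br-minio" = {
+netdevConfig = {
+Name = "br-minio";
+Kind = "bridge";
+};
+bridgeConfig = {
+STP = true;
+};
+};
+"vlan-forgejo" = {
+netdevConfig = {
+Name = "vlan-forgejo";
+Kind = "vlan";
+};
+vlanConfig.Id = 52;
+};
+"br-forgejo" = {
+netdevConfig = {
+Name = "br-forgejo";
+Kind = "bridge";
+};
+bridgeConfig = {
+STP = true;
+};
+};
+"vlan-nexus" = {
+netdevConfig = {
+Name = "vlan-nexus";
+Kind = "vlan";
+};
+vlanConfig.Id = 53;
+};
+"br-nexus" = {
+netdevConfig = {
+Name = "br-nexus";
+Kind = "bridge";
+};
+bridgeConfig = {
+STP = true;
+};
+};
+"vlan-cloud" = {
+netdevConfig = {
+Name = "vlan-cloud";
+Kind = "vlan";
+};
+vlanConfig.Id = 54;
+};
+"br-cloud" = {
+netdevConfig = {
+Name = "br-cloud";
+Kind = "bridge";
+};
+bridgeConfig = {
+STP = true;
+};
+};
+"vlan-caddy" = {
+netdevConfig = {
+Name = "vlan-caddy";
+Kind = "vlan";
+};
+vlanConfig.Id = 55;
+};
+"br-caddy" = {
+netdevConfig = {
+Name = "br-caddy";
+Kind = "bridge";
+};
+bridgeConfig = {
+STP = true;
+};
+};
+"vlan-website" = {
+netdevConfig = {
+Name = "vlan-website";
+Kind = "vlan";
+};
+vlanConfig.Id = 56;
+};
+"br-website" = {
+netdevConfig = {
+Name = "br-website";
+Kind = "bridge";
+};
+bridgeConfig = {
+STP = true;
+};
+};
+};
+networks = {
+"trunk-nic" = {
+matchConfig.Name = "enp3s0f0";
+vlan = [
+"vlan-mgmt"
+"vlan-minio"
+"vlan-forgejo"
+"vlan-nexus"
+"vlan-cloud"
+"vlan-caddy"
+"vlan-website"
+];
+};
+"vlan-mgmt-net" = {
+matchConfig.Name = "vlan-mgmt";
+bridge = [ "br-mgmt" ];
+};
+"host-on-mgmt" = {
+matchConfig.Name = "br-mgmt";
+networkConfig = {
+Address = [ "10.0.50.2/24" ];
+Gateway = "10.0.50.1";
+DNS = [ "10.0.50.1" ];
+};
+};
+"vlan-minio-net" = {
+matchConfig.Name = "vlan-minio";
+bridge = [ "br-minio" ];
+};
+"host-on-minio" = {
+matchConfig.Name = "br-minio";
+};
+"vlan-forgejo-net" = {
+matchConfig.Name = "vlan-forgejo";
+bridge = [ "br-forgejo" ];
+};
+"host-on-forgejo" = {
+matchConfig.Name = "br-forgejo";
+};
+"vlan-nexus-net" = {
+matchConfig.Name = "vlan-nexus";
+bridge = [ "br-nexus" ];
+};
+"host-on-nexus" = {
+matchConfig.Name = "br-nexus";
+};
+"vlan-cloud-net" = {
+matchConfig.Name = "vlan-cloud";
+bridge = [ "br-cloud" ];
+};
+"host-on-cloud" = {
+matchConfig.Name = "br-cloud";
+};
+"vlan-caddy-net" = {
+matchConfig.Name = "vlan-caddy";
+bridge = [ "br-caddy" ];
+};
+"host-on-caddy" = {
+matchConfig.Name = "br-caddy";
+};
+"vlan-website-net" = {
+matchConfig.Name = "vlan-website";
+bridge = [ "br-website" ];
+};
+"host-on-website" = {
+matchConfig.Name = "br-website";
+};
+"vm-taps-minio" = {
+matchConfig = {
+Name = "vm-minio";
+};
+networkConfig = {
+Description = "minio VM tap interface";
+Bridge = "br-minio";
+ConfigureWithoutCarrier = true;
+};
+};
+"vm-taps-forgejo" = {
+matchConfig = {
+Name = "vm-forgejo";
+};
+networkConfig = {
+Description = "forgejo VM tap interface";
+Bridge = "br-forgejo";
+ConfigureWithoutCarrier = true;
+};
+};
+# VM tap interfaces for Nexus
+"vm-taps-nexus" = {
+matchConfig = {
+Name = "vm-nexus";
+};
+networkConfig = {
+Description = "nexus VM tap interface";
+Bridge = "br-nexus";
+ConfigureWithoutCarrier = true;
+};
+};
+"vm-taps-cloud" = {
+matchConfig = {
+Name = "vm-cloud";
+};
+networkConfig = {
+Description = "cloud VM tap interface";
+Bridge = "br-cloud";
+ConfigureWithoutCarrier = true;
+};
+};
+"vm-taps-caddy" = {
+matchConfig = {
+Name = "vm-caddy";
+};
+networkConfig = {
+Description = "caddy VM tap interface";
+Bridge = "br-caddy";
+ConfigureWithoutCarrier = true;
+};
+};
+"vm-taps-website" = {
+matchConfig = {
+Name = "vm-website";
+};
+networkConfig = {
+Description = "website VM tap interface";
+Bridge = "br-website";
+ConfigureWithoutCarrier = true;
+};
+};
+};
+}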
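Review bot: example.nix is committed with the executable bit set (the header reads "Executable file") although it is a Nix expression that is only ever evaluated, and its first-line comment says it is a copy of someone else's config that is not in use; systems/ceres/config/bridge.nix below carries the same exec bit. Dropping the bit (`chmod -x example.nix`) and extending the header comment to say which stanzas are still the intended reference (the `vm-taps-*` entries, by the look of it) would stop the file being mistaken for live config. If it stays, note that "br-mgmt" is the only bridge without a `bridgeConfig.STP` line, which may be deliberate in the original but is worth a word.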


@ -38,7 +38,7 @@ in
interface = { interface = {
id = "vm-${name}"; id = "vm-${name}";
mac = "02:00:00:00:00:50"; mac = "02:00:00:00:00:50";
idUser = "vm-${name}"; idUser = "vm-${name}-user";
macUser = "02:00:00:00:00:02"; macUser = "02:00:00:00:00:02";
ip = "192.168.50.50"; ip = "192.168.50.50";
gate = "192.168.50.2"; gate = "192.168.50.2";
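Review bot: `idUser = "vm-${name}-user";` yields a 15-character name for name = "forgejo", which is exactly the kernel's interface-name limit (IFNAMSIZ is 16 including the terminator), so any longer instance name produces a name the kernel rejects if this id is used as the tap device name, as the `vm-forgejo` match in bridge.nix suggests it is. A shorter suffix such as `idUser = "vm-${name}-u";` or an assertion on the length of `name` would make this robust. The `mac`/`macUser` values beside it are still literal constants while `id`/`idUser` are templated on `${name}`; if this attrset is instantiated for several names on the same bridge the MACs would collide, though the callers are not visible from this hunk. The enclosing `interface` attrset starts and ends outside the hunk.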


@ -15,7 +15,7 @@ in
plymouth plymouth
sddm sddm
searx searx
wireGuard wireguard
; ;
}; };
}; };
@ -67,6 +67,7 @@ in
# vaultwarden # vaultwarden
# website # website
# zookeeper # zookeeper
wireguard
; ;
}; };
}; };


@ -0,0 +1,11 @@
let
importList =
let
content = builtins.readDir ./.;
dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
in
map (name: ./. + "/${name}") dirContent;
in
{
imports = importList;
}
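Review bot: `importList` imports every subdirectory of `./.` unconditionally, so the set of modules that ends up in the system closure is decided by directory layout rather than by a reviewable list: a scratch or half-finished directory is picked up on the next rebuild, and a subdirectory without a default.nix makes evaluation fail. `builtins.readDir` reports symlinks as "symlink" rather than "directory", so a symlinked module directory is silently skipped. The same eleven lines are repeated in the four identical default.nix hunks that follow; moving them into one helper in the flake's lib (e.g. `importSubdirs = dir: ...`) would keep the behaviour in a single place, or, preferably, replace them with an explicit `imports` list.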


@ -0,0 +1,11 @@
let
importList =
let
content = builtins.readDir ./.;
dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
in
map (name: ./. + "/${name}") dirContent;
in
{
imports = importList;
}


@ -123,14 +123,20 @@ in
enable = true; enable = true;
networks."10-enp" = { networks."10-enp" = {
matchConfig.Name = "enp0s4"; matchConfig.Name = "enp0s4";
# Option 1: Static IP (recommended if you need consistent IP for reverse proxy)
addresses = [ { Address = "${service.interface.ip}/24"; } ]; addresses = [ { Address = "${service.interface.ip}/24"; } ];
routes = [ routes = [
{ {
Destination = "${localhost}/0"; Destination = "0.0.0.0/0";
Gateway = service.interface.gate; Gateway = "192.168.50.1"; # Your LAN gateway - adjust if different
} }
]; ];
dns = [ service.interface.gate ]; dns = [ "192.168.50.1" ]; # Your LAN DNS - adjust if different
# Option 2: DHCP (uncomment below and comment out above if preferred)
# Note: You'll need to update the Caddy reverse_proxy IP or use hostname
# networkConfig.DHCP = "yes";
}; };
}; };
}; };
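Review bot: `Gateway = "192.168.50.1";` and `dns = [ "192.168.50.1" ];` hard-code the LAN gateway inside the service module even though the instance already declares it as `service.interface.gate` (shown as "192.168.50.2" in the earlier hunk), so there are now two sources of truth that already disagree. Correcting the value in the instance definition and keeping `Gateway = service.interface.gate;` and `dns = [ service.interface.gate ];` here would remove the "adjust if different" comments. The commented-out DHCP alternative (`# networkConfig.DHCP = "yes";` and its two note lines) is dead config that tends to go stale; a single comment naming the option is enough if it is worth keeping. The enclosing `systemd.network` block continues outside the hunk.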


@ -0,0 +1,11 @@
let
importList =
let
content = builtins.readDir ./.;
dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
in
map (name: ./. + "/${name}") dirContent;
in
{
imports = importList;
}


@ -0,0 +1,11 @@
let
importList =
let
content = builtins.readDir ./.;
dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
in
map (name: ./. + "/${name}") dirContent;
in
{
imports = importList;
}


@ -0,0 +1,11 @@
let
importList =
let
content = builtins.readDir ./.;
dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
in
map (name: ./. + "/${name}") dirContent;
in
{
imports = importList;
}


@ -1,59 +1,13 @@
{ config, flake, ... }: { flake, ... }:
let let
inherit (flake.config.services) instances; inherit (flake.config.services) instances;
inherit (flake.config.machines.devices) ceres; inherit (flake.config.machines.devices) ceres;
service = instances.wireGuard; service = instances.wireGuard;
wireGuardInterface =
{
secret,
publicKey,
endpoint,
}:
{
name = "Proton-${secret}";
value = {
autostart = false;
address = [ "10.2.0.2/32" ];
dns = [ "10.2.0.1" ];
privateKeyFile = config.sops.secrets."${service.name}-${secret}".path;
peers = [
{
inherit publicKey endpoint;
allowedIPs = [ "0.0.0.0/0,::/0" ];
persistentKeepalive = 25;
}
];
};
};
interfaces = [
{
secret = "CA363";
publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
endpoint = "149.88.97.110:51820";
}
{
secret = "CA220";
publicKey = "UR8vjVYrrWYadCwLKiAabKTIdxM4yikmCXnvKWm89D8=";
endpoint = "139.28.218.130:51820";
}
{
secret = "CA358";
publicKey = "9mTDh5Tku0gxDdzqxnpnzItHQBm2h2B2hXnUHvhGCFw=";
endpoint = "149.88.97.110:51820";
}
{
secret = "CA627";
publicKey = "xLFgU430Tt7PdHJydVbIKvtjXJodoPpGKW7fhF7XE2k=";
endpoint = "139.28.218.130:51820";
}
];
in in
{ {
networking = { networking = {
hosts = { hosts = {
${ceres.wireguard.ip0} = [ ${ceres.wireguard.ip0} = [
instances.searx.domains.url0
instances.glance.domains.url0
]; ];
}; };
wireguard.interfaces = { wireguard.interfaces = {
@ -72,19 +26,4 @@ in
}; };
}; };
}; };
sops.secrets =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = "root";
mode = "600";
};
in
builtins.listToAttrs (
(map (interface: {
name = "${service.name}-${interface.secret}";
value = sopsPath interface.secret;
}) interfaces)
);
} }
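Review bot: with the searx and glance entries gone, `hosts.${ceres.wireguard.ip0} = [ ];` is left as an empty mapping that contributes nothing and reads as an accidental leftover; either drop the `hosts` attrset or keep the hostnames that should resolve over the tunnel. Removing `config` from the module arguments (`{ flake, ... }:`) is only safe if the `wireguard.interfaces` block that continues outside the first hunk no longer references `config.sops.secrets`; the sops definitions were removed in the second hunk, so presumably the interface definitions that used them went too, but that is not visible here. The enclosing module body runs past both hunks.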

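--- a/systems/ceres/config/bridge.nix
+++ b/systems/ceres/config/bridge.nix
@@ -0,0 +1,71 @@
+{
+lib,
+...
+}:
+{
+# Enable systemd-networkd for bridge management
+systemd.network = {
+enable = true;
+netdevs = {
+"20-br-vms" = {
+netdevConfig = {
+Name = "br-vms";
+Kind = "bridge";
+};
+bridgeConfig = {
+STP = false;
+};
+};
+};
+networks = {
+# Connect physical interface to bridge
+"30-enp10s0" = {
+matchConfig.Name = "enp10s0";
+networkConfig = {
+Bridge = "br-vms";
+ConfigureWithoutCarrier = true;
+};
+linkConfig = {
+RequiredForOnline = false;
+};
+};
+# Configure bridge to get IP from LAN DHCP
+"40-br-vms" = {
+matchConfig.Name = "br-vms";
+networkConfig = {
+DHCP = "ipv4";
+};
+linkConfig = {
+RequiredForOnline = "routable";
+};
+};
+# VM tap interface to bridge
+"50-vm-forgejo" = {
+matchConfig.Name = "vm-forgejo";
+networkConfig = {
+Bridge = "br-vms";
+ConfigureWithoutCarrier = true;
+};
+linkConfig = {
+RequiredForOnline = false;
+};
+};
+};
+};
+# Tell NetworkManager to ignore bridge and VM interfaces
+networking.networkmanager.unmanaged = [
+"interface-name:br-vms"
+"interface-name:vm-*"
+"interface-name:enp10s0"
+];
+# IP forwarding (needed for both bridge networking and WireGuard NAT)
+boot.kernel.sysctl = {
+"net.ipv4.ip_forward" = 1;
+};
+}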
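Review bot: `"net.ipv4.ip_forward" = 1;` now lives in the bridge module with a comment saying bridge networking needs it, but a Linux bridge switches frames at L2 regardless of that sysctl; what needs it is the WireGuard NAT that this commit leaves in the wireguard module, so the dependency is now split across two files with nothing tying them together. With the nftables firewall enabled in networking.nix and forwarding on, the host routes between all of its interfaces, including from the tunnel into the LAN, unless the forward chain is filtered; adding `networking.firewall.filterForward = true;` next to the sysctl (or moving the sysctl back beside `networking.nat`) keeps that path under the firewall's trusted-interface rules. The comment should then read `# IP forwarding is required by the WireGuard NAT, not by the L2 bridge itself`. Minor: the `lib` argument on the first line is unused in this file, and the file is committed with the executable bit set.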


@ -5,17 +5,13 @@
}: }:
let let
inherit (flake.config.machines.devices) ceres; inherit (flake.config.machines.devices) ceres;
inherit (flake.config.services) instances;
wireguardService = instances.wireGuard;
in in
{ {
networking = { networking = {
hostName = ceres.name; hostName = ceres.name;
networkmanager = { networkmanager.enable = true;
enable = true;
unmanaged = [
"interface-name:br-vms"
"interface-name:vm-*"
];
};
nftables.enable = true; nftables.enable = true;
useDHCP = lib.mkDefault true; useDHCP = lib.mkDefault true;
firewall = { firewall = {
@ -27,6 +23,11 @@ in
587 # SMTP 587 # SMTP
2525 # SMTP 2525 # SMTP
9999 # NC 9999 # NC
wireguardService.ports.port0 # WireGuard
];
allowedUDPPorts = [
wireguardService.ports.port0 # WireGuard
wireguardService.ports.port1 # WireGuard
]; ];
}; };
}; };
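Review bot: `wireguardService.ports.port0 # WireGuard` under `allowedTCPPorts` opens a TCP port for a protocol that is UDP-only, so it exposes whatever else happens to bind that port for no benefit; the two `allowedUDPPorts` entries below are the ones WireGuard actually needs. Unless port0 is deliberately shared with another TCP service, drop that line and keep only the UDP entries. I cannot see from this hunk where port1 is used; if only one WireGuard interface remains after this commit, the second UDP port may be surplus as well. The enclosing `firewall` attrset starts outside the hunk.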


@ -6,16 +6,6 @@ let
in in
{ {
networking = { networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
allowedUDPPorts = [
service.ports.port0
service.ports.port1
];
};
nat = { nat = {
enable = true; enable = true;
enableIPv6 = true; enableIPv6 = true;
@ -69,8 +59,4 @@ in
] ]
); );
}; };
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
};
} }