From b04a752443382d0f38166a6d40450fc675a0e513 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 12:35:02 -0500
Subject: [PATCH 01/17] feat: wireguard test
---
 modules/nixos/services/searx/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index c6ad71b..f0f037a 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -47,8 +47,9 @@ in
 "${configHelpers.host}" = {
 extraConfig = ''
 @allowed_ips {
- remote_ip 10.100.0.2
+ remote_ip 10.100.0.0/24
 }
 
+ handle @allowed_ips {
 redir /.well-known/carddav /remote.php/dav/ 301
 redir /.well-known/caldav /remote.php/dav/ 301
From f240fddd731cb928fab388fd55a72381592b6921 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 12:40:17 -0500
Subject: [PATCH 02/17] feat: wireguard test
---
 modules/nixos/services/searx/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index f0f037a..2f2cbeb 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -5,7 +5,7 @@
 ...
 }:
 let
- inherit (flake.config.machines.devices) ceres;
+ inherit (flake.config.machines.devices) ceres mars;
 inherit (flake.config.services.instances) searx web;
 configHelpers = {
 service = searx;
@@ -47,7 +47,7 @@ in
 "${configHelpers.host}" = {
 extraConfig = ''
 @allowed_ips {
- remote_ip 10.100.0.0/24
+ remote_ip ${mars.wireguard.ip0}
 }
 
 handle @allowed_ips {
From 3ffa8c9db0e7138635b2ef4560f70809b04cc3f3 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 12:46:52 -0500
Subject: [PATCH 03/17] feat: wireguard test
---
 modules/nixos/services/searx/default.nix | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
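Review bot: The `remote_ip ${mars.wireguard.ip0}` matcher in the second hunk of patch 02 is only as strong as ceres's cryptokey routing for that peer: WireGuard discards a packet whose inner source address lies outside the sending peer's allowedIPs, and ceres keeps mars pinned to `"${mars.wireguard.ip0}/32"` in the hunks that follow, so this one address can only arrive from mars's key. That coupling is not written down anywhere, so I would add `# trusted only because ceres pins mars's allowedIPs to this /32; widen neither side alone` above the matcher. Patch 01 on this same line briefly opened the matcher to `10.100.0.0/24`, which would have admitted every future tunnel peer, and the narrowing here is the right call. The enclosing vhost block continues past the end of the hunk.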
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index 2f2cbeb..8158ce1 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -47,17 +47,14 @@ in
 "${configHelpers.host}" = {
 extraConfig = ''
 @allowed_ips {
- remote_ip ${mars.wireguard.ip0}
- }
-
- handle @allowed_ips {
- redir /.well-known/carddav /remote.php/dav/ 301
- redir /.well-known/caldav /remote.php/dav/ 301
- reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
- }
- handle {
- respond "Access Denied" 403
- }
+ remote_ip ${mars.wireguard.ip0}
+ }
+ handle @allowed_ips {
+ reverse_proxy unix//run/searx/searx.sock
+ }
+ handle {
+ respond "Access Denied" 403
+ }
 tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
 '';
 };
From 93366c81c82aef4e9d103c39ceb28e0cc1e83dab Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 12:49:22 -0500
Subject: [PATCH 04/17] feat: wireguard test
---
 modules/nixos/services/searx/default.nix | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index 8158ce1..52fc279 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -47,14 +47,14 @@ in
 "${configHelpers.host}" = {
 extraConfig = ''
 @allowed_ips {
- remote_ip ${mars.wireguard.ip0}
- }
- handle @allowed_ips {
- reverse_proxy unix//run/searx/searx.sock
- }
- handle {
- respond "Access Denied" 403
- }
+ remote_ip ${mars.wireguard.ip0}
+ }
+ handle @allowed_ips {
+ reverse_proxy unix//run/searx/searx.sock
+ }
+ handle {
+ respond "Access Denied" 403
+ }
 tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
 '';
 };
From c6ea7171814b8f9490311e833c2085675fc832a4 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 13:54:00 -0500
Subject: [PATCH 05/17] feat: wireguard test
---
 modules/config/instances/config/wireGuard.nix | 3 +-
 .../nixos/services/searx/config/engines.nix | 0
 .../nixos/services/searx/config/general.nix | 0
 .../nixos/services/searx/config/outgoing.nix | 0
 .../nixos/services/searx/config/plugins.nix | 0
 .../nixos/services/searx/config/search.nix | 0
 .../nixos/services/searx/config/server.nix | 0
 modules/nixos/services/searx/config/ui.nix | 0
 modules/nixos/services/searx/default.nix | 5 ++-
 systems/ceres/config/wireguard.nix | 7 ++--
 systems/mars/config/wireguard.nix | 33 +++++++++----------
 11 files changed, 26 insertions(+), 22 deletions(-)
 mode change 100644 => 100755 modules/nixos/services/searx/config/engines.nix
 mode change 100644 => 100755 modules/nixos/services/searx/config/general.nix
 mode change 100644 => 100755 modules/nixos/services/searx/config/outgoing.nix
 mode change 100644 => 100755 modules/nixos/services/searx/config/plugins.nix
 mode change 100644 => 100755 modules/nixos/services/searx/config/search.nix
 mode change 100644 => 100755 modules/nixos/services/searx/config/server.nix
 mode change 100644 => 100755 modules/nixos/services/searx/config/ui.nix
 mode change 100644 => 100755 systems/ceres/config/wireguard.nix
diff --git a/modules/config/instances/config/wireGuard.nix b/modules/config/instances/config/wireGuard.nix
index 4a8ed16..06c5a69 100755
--- a/modules/config/instances/config/wireGuard.nix
+++ b/modules/config/instances/config/wireGuard.nix
@@ -14,6 +14,7 @@ in
 path0 = "${sopsPath}/${name}";
 };
 ports = {
- port0 = 51821;
+ port0 = 51820;
+ port1 = 51821;
 };
 }
diff --git a/modules/nixos/services/searx/config/engines.nix b/modules/nixos/services/searx/config/engines.nix
old mode 100644
new mode 100755
diff --git a/modules/nixos/services/searx/config/general.nix b/modules/nixos/services/searx/config/general.nix
old mode 100644
new mode 100755
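Review bot: Defining `port0 = 51820` next to `port1 = 51821` leaves `port0` with no listener anywhere in this series: ceres's `listenPort` moves to `service.ports.port1` in the ceres hunk two lines down, while the firewall keeps `service.ports.port0` in `allowedUDPPorts`, so a port is opened on the host that nothing binds. Either drop `port0` or say at the definition what is meant to use it, e.g. `port0 = 51820; # reserved, no listener yet`. Separately, this commit flips seven searx `.nix` files and `systems/ceres/config/wireguard.nix` from 100644 to 100755; declarative config never needs the executable bit and these look accidental, so they are worth reverting in the same series. The `ports` set is closed inside the hunk; the surrounding attribute set starts outside it.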
diff --git a/modules/nixos/services/searx/config/outgoing.nix b/modules/nixos/services/searx/config/outgoing.nix
old mode 100644
new mode 100755
diff --git a/modules/nixos/services/searx/config/plugins.nix b/modules/nixos/services/searx/config/plugins.nix
old mode 100644
new mode 100755
diff --git a/modules/nixos/services/searx/config/search.nix b/modules/nixos/services/searx/config/search.nix
old mode 100644
new mode 100755
diff --git a/modules/nixos/services/searx/config/server.nix b/modules/nixos/services/searx/config/server.nix
old mode 100644
new mode 100755
diff --git a/modules/nixos/services/searx/config/ui.nix b/modules/nixos/services/searx/config/ui.nix
old mode 100644
new mode 100755
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index 52fc279..2f2cbeb 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -49,8 +49,11 @@ in
 @allowed_ips {
 remote_ip ${mars.wireguard.ip0}
 }
+
 handle @allowed_ips {
- reverse_proxy unix//run/searx/searx.sock
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+ reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
 }
 handle {
 respond "Access Denied" 403
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
old mode 100644
new mode 100755
index 8547055..5f5f689
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -1,6 +1,6 @@
 { config, flake, ... }:
 let
- inherit (flake.config.services.instances) wireGuard web;
+ inherit (flake.config.services.instances) wireGuard;
 inherit (flake.config.machines.devices) mars ceres;
 service = wireGuard;
 in
@@ -10,11 +10,12 @@ in
 allowedUDPPorts = [
 53
 service.ports.port0
+ service.ports.port1
 ];
 interfaces.wg0.allowedTCPPorts = [
 80
 443
- 8080
+ 8888
 ];
 };
 
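Review bot: The `allowedUDPPorts` list in the ceres hunk sits in the top-level `networking.firewall`, so `53`, `service.ports.port0` and the newly added `service.ports.port1` are opened on every interface, including the uplink that carries the WireGuard endpoint; only the port WireGuard actually listens on needs to be reachable from outside. `53` is a DNS port and no resolver is visible on ceres anywhere in this series, so if it is meant for tunnel clients it belongs under `interfaces.wg0.allowedUDPPorts` beside the existing `interfaces.wg0.allowedTCPPorts`. The `8080` to `8888` change on `wg0` is not explained by the commit message; a short comment naming the service on that port would save the next reader a search. Both hunks are inside a `networking` block that opens and closes outside them.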
@@ -28,7 +29,7 @@ in
 wireguard.interfaces = {
 wg0 = {
 ips = [ "${ceres.wireguard.ip0}/24" ];
- listenPort = service.ports.port0;
+ listenPort = service.ports.port1;
 privateKeyFile = config.sops.secrets."${service.name}-private".path;
 peers = [
 {
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index b0d279b..847f3bf 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
@@ -1,27 +1,26 @@
 { config, flake, ... }:
 let
 inherit (flake.config.services.instances) wireGuard web;
- inherit (flake.config.machines.devices) mars;
+ inherit (flake.config.machines.devices) ceres mars;
 service = wireGuard;
 in
 {
 networking = {
- wg-quick.interfaces = {
- wg0 = {
- address = [ "${mars.wireguard.ip0}/24" ];
- privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
- peers = [
- {
- publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
- allowedIPs = [
- "10.100.0.0/24"
- "192.168.1.0/24"
- ];
- endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port0}";
- persistentKeepalive = 25;
- }
- ];
- };
+ wireguard.interfaces.wg0 = {
+ ips = [ "${mars.wireguard.ip0}/24" ];
+ privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
+ peers = [
+ {
+ publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
+ allowedIPs = [
+ "10.100.0.0/24"
+ "${ceres.wireguard.ip0}/24"
+ "192.168.1.0/24"
+ ];
+ endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
+ persistentKeepalive = 25;
+ }
+ ];
 };
 };
 
From c6c3e4b3a40fb59c728dd31eb918921327a21a44 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 14:14:51 -0500
Subject: [PATCH 06/17] feat: wireguard test
---
 .../nixos/services/searx/config/server.nix | 3 +-
 systems/ceres/config/wireguard.nix | 2 +-
 systems/mars/config/wireguard.nix | 31 ++++++++++---------
 3 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/modules/nixos/services/searx/config/server.nix b/modules/nixos/services/searx/config/server.nix
index b8fbb7d..9ed9cc8 100755
--- a/modules/nixos/services/searx/config/server.nix
+++ b/modules/nixos/services/searx/config/server.nix
@@ -9,7 +9,8 @@ let
 in
 {
 port = configHelpers.service.ports.port0;
- bind_address = ceres.wireguard.ip0;
+ bind_address =
+ if configHelpers.hostname == ceres.name then ceres.wireguard.ip0 else configHelpers.localhost;
 secret_key = config.sops.secrets.searx-key.path;
 limiter = false;
 public_instance = false;
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index 5f5f689..948588f 100755
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -28,7 +28,7 @@ in
 
 wireguard.interfaces = {
 wg0 = {
- ips = [ "${ceres.wireguard.ip0}/24" ];
+ ips = [ "${ceres.wireguard.ip0}/32" ];
 listenPort = service.ports.port1;
 privateKeyFile = config.sops.secrets."${service.name}-private".path;
 peers = [
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index 847f3bf..c3bb1fa 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
@@ -6,21 +6,22 @@ let
 in
 {
 networking = {
- wireguard.interfaces.wg0 = {
- ips = [ "${mars.wireguard.ip0}/24" ];
- privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
- peers = [
- {
- publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
- allowedIPs = [
- "10.100.0.0/24"
- "${ceres.wireguard.ip0}/24"
- "192.168.1.0/24"
- ];
- endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
- persistentKeepalive = 25;
- }
- ];
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "${mars.wireguard.ip0}/32" ];
+ privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
+ peers = [
+ {
+ publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
+ allowedIPs = [
+ "${ceres.wireguard.ip0}/32"
+ "192.168.1.0/24"
+ ];
+ endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
 };
 };
 
From 9c8890926edd7999aa90f1c604e9bed70c58b0f9 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 14:51:22 -0500
Subject: [PATCH 07/17] feat: wireguard test
---
 systems/ceres/config/wireguard.nix | 2 +-
 systems/mars/config/wireguard.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index 948588f..5f5f689 100755
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -28,7 +28,7 @@ in
 
 wireguard.interfaces = {
 wg0 = {
- ips = [ "${ceres.wireguard.ip0}/32" ];
+ ips = [ "${ceres.wireguard.ip0}/24" ];
 listenPort = service.ports.port1;
 privateKeyFile = config.sops.secrets."${service.name}-private".path;
 peers = [
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index c3bb1fa..a55455c 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
@@ -8,7 +8,7 @@ in
 networking = {
 wireguard.interfaces = {
 wg0 = {
- ips = [ "${mars.wireguard.ip0}/32" ];
+ ips = [ "${mars.wireguard.ip0}/24" ];
 privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
 peers = [
 {
From 6fb7b5504d0b8bf968fe0170bbe15029bcbb902b Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 15:39:57 -0500
Subject: [PATCH 08/17] feat: wireguard test
---
 modules/config/devices/config/ceres.nix | 2 +-
 modules/config/devices/config/mars.nix | 2 +-
 modules/config/instances/config/wireGuard.nix | 2 +-
 .../home/cli/utilities/ipTables/default.nix | 11 +++++
 modules/nixos/default.nix | 21 ++++-----
 systems/ceres/config/wireguard.nix | 45 ++++++++++++++-----
 systems/mars/config/wireguard.nix | 41 ++++++++++-------
 7 files changed, 82 insertions(+), 42 deletions(-)
 create mode 100644 modules/home/cli/utilities/ipTables/default.nix
diff --git a/modules/config/devices/config/ceres.nix b/modules/config/devices/config/ceres.nix
index 723cca4..e1fd88a 100755
--- a/modules/config/devices/config/ceres.nix
+++ b/modules/config/devices/config/ceres.nix
@@ -28,7 +28,7 @@ in
 options = ownerExclusiveReadWriteMask;
 };
 wireguard = {
- ip0 = "10.100.0.1";
+ ip0 = "10.0.0.1";
 };
 storage0 = {
 mount = "/mnt/media/${ceresStorageDriveName}";
diff --git a/modules/config/devices/config/mars.nix b/modules/config/devices/config/mars.nix
index 5ea9e56..4d14165 100755
--- a/modules/config/devices/config/mars.nix
+++ b/modules/config/devices/config/mars.nix
@@ -19,7 +19,7 @@ in
 options = ownerWriteOthersReadMask;
 };
 wireguard = {
- ip0 = "10.100.0.2";
+ ip0 = "10.0.0.2";
 };
 storage0 = {
 mount = "/mnt/media/games";
diff --git a/modules/config/instances/config/wireGuard.nix b/modules/config/instances/config/wireGuard.nix
index 06c5a69..d8b6be0 100755
--- a/modules/config/instances/config/wireGuard.nix
+++ b/modules/config/instances/config/wireGuard.nix
@@ -14,7 +14,7 @@ in
 path0 = "${sopsPath}/${name}";
 };
 ports = {
- port0 = 51820;
+ port0 = 53;
 port1 = 51821;
 };
 }
diff --git a/modules/home/cli/utilities/ipTables/default.nix b/modules/home/cli/utilities/ipTables/default.nix
new file mode 100644
index 0000000..a637517
--- /dev/null
+++ b/modules/home/cli/utilities/ipTables/default.nix
@@ -0,0 +1,11 @@
+{
+ pkgs,
+ ...
+}:
+{
+ home.packages = builtins.attrValues {
+ inherit (pkgs)
+ iptables
+ ;
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 27be9b5..9f10bcb 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -18,7 +18,6 @@ in
 wayland
 searx
 flatpak
- wireGuard
 ;
 };
 };
@@ -33,7 +32,6 @@ in
 sddm
 flatpak
 espanso
- wireGuard
 glance
 ;
 };
@@ -44,7 +42,6 @@ in
 inherit (modules)
 plasma
 sddm
- wireGuard
 ;
 };
 };
@@ -70,15 +67,6 @@ in
 };
 };
 
- mantle = {
- imports = builtins.attrValues {
- inherit (modules)
- sops
- xserver
- ;
- };
- };
-
 crust = {
 imports = builtins.attrValues {
 inherit (modules)
@@ -88,6 +76,15 @@ in
 };
 };
 
+ mantle = {
+ imports = builtins.attrValues {
+ inherit (modules)
+ sops
+ xserver
+ ;
+ };
+ };
+
 core = {
 imports = builtins.attrValues {
 inherit (modules)
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index 5f5f689..671ed7f 100755
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -1,22 +1,25 @@
-{ config, flake, ... }:
+{
+ config,
+ flake,
+ pkgs,
+ ...
+}:
 let
 inherit (flake.config.services.instances) wireGuard;
 inherit (flake.config.machines.devices) mars ceres;
 service = wireGuard;
+ hostIP = "${ceres.wireguard.ip0}/24";
 in
 {
 networking = {
 firewall = {
+ allowedTCPPorts = [
+ service.ports.port0
+ ];
 allowedUDPPorts = [
- 53
 service.ports.port0
 service.ports.port1
 ];
- interfaces.wg0.allowedTCPPorts = [
- 80
- 443
- 8888
- ];
 };
 
 nat = {
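Review bot: Setting `port0 = 53` in `wireGuard.nix` and then listing `service.ports.port0` in both the top-level `allowedTCPPorts` and `allowedUDPPorts` of the ceres hunk on this line opens DNS on every interface of ceres, not only `wg0`, while no resolver that would serve it is visible anywhere in this series; a DNS port reachable from the uplink is exactly the kind of surface that gets probed and used for amplification, so if it is meant for tunnel clients scope it with `interfaces.wg0.allowedTCPPorts` and `interfaces.wg0.allowedUDPPorts`. Reusing the WireGuard instance's `port0` slot for a DNS port also hides its meaning; a dedicated attribute (constructed example: `dns = 53;`) or at least `port0 = 53; # DNS for tunnel clients, not a WireGuard listen port` would be clearer. The removal of `wireGuard` from three import lists in `modules/nixos/default.nix` is not mentioned in the commit message; presumably the per-system files now carry that module, but that deserves a sentence. The ceres `networking` block opens here and closes outside the hunk.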
@@ -26,15 +29,36 @@ in
 internalInterfaces = [ "wg0" ];
 };
 
- wireguard.interfaces = {
+ wg-quick.interfaces = {
 wg0 = {
- ips = [ "${ceres.wireguard.ip0}/24" ];
+ address = [
+ hostIP
+ "fdc9:281f:04d7:9ee9::1/64"
+ ];
 listenPort = service.ports.port1;
 privateKeyFile = config.sops.secrets."${service.name}-private".path;
+ postUp = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${hostIP} -o eth0 -j MASQUERADE
+ ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+ '';
+
+ # Undo the above
+ preDown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${hostIP} -o eth0 -j MASQUERADE
+ ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+ '';
 peers = [
 {
 publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
- allowedIPs = [ "${mars.wireguard.ip0}/32" ];
+ presharedKeyFile = config.sops.secrets."${service.name}-mars-public".path;
+ allowedIPs = [
+ "${mars.wireguard.ip0}/32"
+ "fdc9:281f:04d7:9ee9::2/128"
+ ];
 }
 ];
 };
@@ -59,6 +83,7 @@ in
 [
 "private"
 "public"
+ "mars-public"
 ]
 );
 };
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index a55455c..b73cf4f 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
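Review bot: `presharedKeyFile` here points at the secret named `${service.name}-mars-public`, while the matching mars hunk on the next line points at `${service.name}-public`; a preshared key has to be one secret identical on both ends and independent of either public key, so if these files hold what their names say the handshake cannot complete, and if they hold public keys the PSK adds no secrecy at all. Generate one dedicated secret (constructed name: `${service.name}-psk`) and reference it from both peers. In `postUp`, `iptables -A FORWARD -i wg0 -j ACCEPT` carries no `-o`, so a tunnel peer is forwarded to every network ceres is attached to; `eth0` is hard-coded as the uplink; and the MASQUERADE source `${hostIP}` expands to `10.0.0.1/24`, a host address used as a prefix. The `networking.nat` block already in the context (`internalInterfaces = [ "wg0" ]`) is the NixOS way to express this NAT, so the manual rules duplicate it and are appended again on every restart if `preDown` ever fails to run. The `wg-quick.interfaces` set closes outside the hunk.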
@@ -5,23 +5,29 @@ let
 service = wireGuard;
 in
 {
- networking = {
- wireguard.interfaces = {
- wg0 = {
- ips = [ "${mars.wireguard.ip0}/24" ];
- privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
- peers = [
- {
- publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
- allowedIPs = [
- "${ceres.wireguard.ip0}/32"
- "192.168.1.0/24"
- ];
- endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
- persistentKeepalive = 25;
- }
- ];
- };
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = [
+ "${mars.wireguard.ip0}/24"
+ "fdc9:281f:04d7:9ee9::2/64"
+ ];
+ dns = [
+ "${ceres.wireguard.ip0}"
+ "fdc9:281f:04d7:9ee9::1"
+ ];
+ privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
+ peers = [
+ {
+ publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
+ presharedKeyFile = config.sops.secrets."${service.name}-public".path;
+ allowedIPs = [
+ "0.0.0.0/0"
+ "::/0"
+ ];
+ endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
+ persistentKeepalive = 25;
+ }
+ ];
 };
 };
 
@@ -43,6 +49,7 @@ in
 [
 "mars-private"
 "mars-public"
+ "public"
 ]
 );
 };
From 8b9ece1b4ec108f58e65af362206ba53dc43fb4d Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 15:41:16 -0500
Subject: [PATCH 09/17] feat: wireguard test
---
 systems/mars/config/wireguard.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index b73cf4f..d8240d9 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
@@ -21,6 +21,7 @@ in
 publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
 presharedKeyFile = config.sops.secrets."${service.name}-public".path;
 allowedIPs = [
+ "192.168.1.0/24"
 "0.0.0.0/0"
 "::/0"
 ];
From 1d9097408cd3878ff170961b1423925d6dc9eab4 Mon Sep 17 00:00:00 2001
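Review bot: `allowedIPs = [ "0.0.0.0/0" "::/0" ]` makes mars a full-tunnel client, so all of its traffic and, through the new `dns` list, all of its name resolution now depend on ceres being up and forwarding; that is a legitimate choice but the commit message does not state it, and patch 09 on this same line then adds `"192.168.1.0/24"`, which `0.0.0.0/0` already covers and which reads as if a split tunnel were intended. Pick one: either drop the two default routes and keep the specific prefixes, or drop the redundant `/24` and record the intent with `# full tunnel: all traffic, including DNS, is routed through ceres`. The sops block that gains `"public"` in the second hunk starts outside it.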
From: Nick
Date: Tue, 1 Jul 2025 16:08:54 -0500
Subject: [PATCH 10/17] feat: wireguard test
---
 modules/config/devices/config/ceres.nix | 2 +-
 modules/config/devices/config/mars.nix | 2 +-
 modules/config/instances/config/web.nix | 1 +
 systems/ceres/config/wireguard.nix | 36 +++------------------
 systems/mars/config/wireguard.nix | 42 ++++++++++---------------
 5 files changed, 24 insertions(+), 59 deletions(-)
diff --git a/modules/config/devices/config/ceres.nix b/modules/config/devices/config/ceres.nix
index e1fd88a..723cca4 100755
--- a/modules/config/devices/config/ceres.nix
+++ b/modules/config/devices/config/ceres.nix
@@ -28,7 +28,7 @@ in
 options = ownerExclusiveReadWriteMask;
 };
 wireguard = {
- ip0 = "10.0.0.1";
+ ip0 = "10.100.0.1";
 };
 storage0 = {
 mount = "/mnt/media/${ceresStorageDriveName}";
diff --git a/modules/config/devices/config/mars.nix b/modules/config/devices/config/mars.nix
index 4d14165..5ea9e56 100755
--- a/modules/config/devices/config/mars.nix
+++ b/modules/config/devices/config/mars.nix
@@ -19,7 +19,7 @@ in
 options = ownerWriteOthersReadMask;
 };
 wireguard = {
- ip0 = "10.0.0.2";
+ ip0 = "10.100.0.2";
 };
 storage0 = {
 mount = "/mnt/media/games";
diff --git a/modules/config/instances/config/web.nix b/modules/config/instances/config/web.nix
index 590f58b..4f8a1c9 100755
--- a/modules/config/instances/config/web.nix
+++ b/modules/config/instances/config/web.nix
@@ -22,6 +22,7 @@ in
 address1 = "0.0.0.0"; # All
 address2 = "192.168.50.1"; # Router
 address3 = "192.168.50.0"; # Router
+ address4 = "192.168.1.0"; # Router
 };
 remotehost = {
 address0 = "24.76.173.0";
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index 671ed7f..0da0033 100755
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
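Review bot: `address4 = "192.168.1.0"; # Router` in the web.nix hunk repeats the comment already used for `address2` and `address3`, but the value is a network address in a different range, and its only consumer in this series is mars's `"${web.localhost.address4}/24"` allowedIPs entry, where it stands for a whole subnet; `localhost.address4` plus `# Router` tells the reader none of that. I would write `address4 = "192.168.1.0"; # LAN behind ceres; mars routes it as a /24 through WireGuard`, or give it a descriptive name if the schema allows one. The attribute set holding these addresses opens outside the hunk.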
@@ -1,14 +1,8 @@
-{
- config,
- flake,
- pkgs,
- ...
-}:
+{ config, flake, ... }:
 let
 inherit (flake.config.services.instances) wireGuard;
 inherit (flake.config.machines.devices) mars ceres;
 service = wireGuard;
- hostIP = "${ceres.wireguard.ip0}/24";
 in
 {
 networking = {
@@ -29,36 +23,15 @@ in
 internalInterfaces = [ "wg0" ];
 };
 
- wg-quick.interfaces = {
+ wireguard.interfaces = {
 wg0 = {
- address = [
- hostIP
- "fdc9:281f:04d7:9ee9::1/64"
- ];
+ ips = [ "${ceres.wireguard.ip0}/24" ];
 listenPort = service.ports.port1;
 privateKeyFile = config.sops.secrets."${service.name}-private".path;
- postUp = ''
- ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${hostIP} -o eth0 -j MASQUERADE
- ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
- '';
-
- # Undo the above
- preDown = ''
- ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${hostIP} -o eth0 -j MASQUERADE
- ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
- '';
 peers = [
 {
 publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
- presharedKeyFile = config.sops.secrets."${service.name}-mars-public".path;
- allowedIPs = [
- "${mars.wireguard.ip0}/32"
- "fdc9:281f:04d7:9ee9::2/128"
- ];
+ allowedIPs = [ "${mars.wireguard.ip0}/32" ];
 }
 ];
 };
@@ -83,7 +56,6 @@ in
 [
 "private"
 "public"
- "mars-public"
 ]
 );
 };
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index d8240d9..2ae6428 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
@@ -5,30 +5,23 @@ let
 service = wireGuard;
 in
 {
- networking.wg-quick.interfaces = {
- wg0 = {
- address = [
- "${mars.wireguard.ip0}/24"
- "fdc9:281f:04d7:9ee9::2/64"
- ];
- dns = [
- "${ceres.wireguard.ip0}"
- "fdc9:281f:04d7:9ee9::1"
- ];
- privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
- peers = [
- {
- publicKey = "fs58+Kz+eG9qAXvvMB2N kW+wa88yP61uam4HHWaBJVw=";
- presharedKeyFile = config.sops.secrets."${service.name}-public".path;
- allowedIPs = [
- "192.168.1.0/24"
- "0.0.0.0/0"
- "::/0"
- ];
- endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
- persistentKeepalive = 25;
- }
- ];
+ networking = {
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "${mars.wireguard.ip0}/32" ];
+ privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
+ peers = [
+ {
+ publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
+ allowedIPs = [
+ "${ceres.wireguard.ip0}/32"
+ "${web.localhost.address4}/24"
+ ];
+ endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
 };
 };
 
@@ -50,7 +43,6 @@ in
 [
 "mars-private"
 "mars-public"
- "public"
 ]
 );
 };
From 9c69449a550b2693d112bc488f80e9dd3107afb7 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 16:15:28 -0500
Subject: [PATCH 11/17] feat: wireguard test
---
 systems/ceres/config/wireguard.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index 0da0033..4b4415b 100755
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -11,6 +11,7 @@ in
 service.ports.port0
 ];
 allowedUDPPorts = [
+ 8888
 service.ports.port0
 service.ports.port1
 ];
From 67892565eb503cfc9208c30d15ffd197c2a0e1b5 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 16:17:21 -0500
Subject: [PATCH 12/17] feat: wireguard test
---
 systems/ceres/config/wireguard.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index 4b4415b..fd117e7 100755
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -1,6 +1,6 @@
 { config, flake, ... }:
 let
- inherit (flake.config.services.instances) wireGuard;
+ inherit (flake.config.services.instances) wireGuard searx;
 inherit (flake.config.machines.devices) mars ceres;
 service = wireGuard;
 in
@@ -15,6 +15,9 @@ in
 service.ports.port0
 service.ports.port1
 ];
+ interfaces.wg0.allowedTCPPorts = [
+ searx.ports.port0
+ ];
 };
 
 nat = {
From 1c4228ad6059eb301621319db60bbdb8347e30ea Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 16:20:32 -0500
Subject: [PATCH 13/17] feat: wireguard test
---
 systems/ceres/config/wireguard.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index fd117e7..466ebf5 100755
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -11,7 +11,6 @@ in
 service.ports.port0
 ];
 allowedUDPPorts = [
- 8888
 service.ports.port0
 service.ports.port1
 ];
From baa7cfc6f807787047de44f1995e70936d572469 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 16:23:37 -0500
Subject: [PATCH 14/17] feat: wireguard test
---
 modules/nixos/services/searx/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index 2f2cbeb..550b007 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -56,7 +56,7 @@ in
 reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
 }
 handle {
- respond "Access Denied" 403
+ respond "Your IP: {remote_host}" 200
 }
 tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
 '';
From d7360e2e63b41c26487d52a913fe99745d0e9fba Mon Sep 17 00:00:00 2001
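Review bot: Opening `searx.ports.port0` under `interfaces.wg0.allowedTCPPorts` in patch 12 exposes the searx backend directly to every WireGuard peer, bypassing the Caddy `@allowed_ips` matcher that fronts it; with mars as the only peer the two paths are equivalent today, but the Caddy allow-list stops meaning anything the moment a second peer is added. If Caddy runs on ceres, its `reverse_proxy` reaches `${ceres.wireguard.ip0}:port0` locally and this firewall rule is not needed for it at all — I cannot tell from here where Caddy runs, so that is worth confirming. Either keep the port closed or record the assumption next to it: `# searx is reachable by every wg0 peer; the Caddy remote_ip allow-list is not enforced on this path`. The `firewall` set closes at the hunk's `};`; the enclosing `networking` block continues outside it.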
From: Nick
Date: Tue, 1 Jul 2025 16:26:05 -0500
Subject: [PATCH 15/17] feat: wireguard test
---
 modules/nixos/services/searx/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index 550b007..64237ba 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -47,7 +47,7 @@ in
 "${configHelpers.host}" = {
 extraConfig = ''
 @allowed_ips {
- remote_ip ${mars.wireguard.ip0}
+ remote_ip ${mars.wireguard.ip0} 192.168.50.1
 }
 
 handle @allowed_ips {
From f9e0ffb4003de01ac792136d36ba9cfd74466b51 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 16:37:21 -0500
Subject: [PATCH 16/17] feat: wireguard test
---
 modules/nixos/services/searx/default.nix | 4 ++--
 systems/mars/config/wireguard.nix | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index 64237ba..2f2cbeb 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -47,7 +47,7 @@ in
 "${configHelpers.host}" = {
 extraConfig = ''
 @allowed_ips {
- remote_ip ${mars.wireguard.ip0} 192.168.50.1
+ remote_ip ${mars.wireguard.ip0}
 }
 
 handle @allowed_ips {
@@ -56,7 +56,7 @@ in
 reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
 }
 handle {
- respond "Your IP: {remote_host}" 200
+ respond "Access Denied" 403
 }
 tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
 '';
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index 2ae6428..fd2302b 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
@@ -16,6 +16,7 @@ in
 allowedIPs = [
 "${ceres.wireguard.ip0}/32"
 "${web.localhost.address4}/24"
+ "${web.remotehost.address0}/32"
 ];
 endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
 persistentKeepalive = 25;
From d73b1c5abe2da061aae8d3fdac3829106a8492a1 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 1 Jul 2025 17:13:29 -0500
Subject: [PATCH 17/17] feat: wireguard test
---
 modules/home/cli/utilities/dig/default.nix | 11 +++++++++++
 systems/mars/config/wireguard.nix | 5 ++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 modules/home/cli/utilities/dig/default.nix
diff --git a/modules/home/cli/utilities/dig/default.nix b/modules/home/cli/utilities/dig/default.nix
new file mode 100644
index 0000000..2f9ca19
--- /dev/null
+++ b/modules/home/cli/utilities/dig/default.nix
@@ -0,0 +1,11 @@
+{
+ pkgs,
+ ...
+}:
+{
+ home.packages = builtins.attrValues {
+ inherit (pkgs)
+ dig
+ ;
+ };
+}
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index fd2302b..74df4bc 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
@@ -1,11 +1,15 @@
 { config, flake, ... }:
 let
 inherit (flake.config.services.instances) wireGuard web;
+ inherit (flake.config.services) instances;
 inherit (flake.config.machines.devices) ceres mars;
 service = wireGuard;
 in
 {
 networking = {
+ hosts = {
+ ${ceres.wireguard.ip0} = [ instances.searx.domains.url0 ];
+ };
 wireguard.interfaces = {
 wg0 = {
 ips = [ "${mars.wireguard.ip0}/32" ];
@@ -16,7 +20,6 @@ in
 allowedIPs = [
 "${ceres.wireguard.ip0}/32"
 "${web.localhost.address4}/24"
- "${web.remotehost.address0}/32"
 ];
 endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
 persistentKeepalive = 25;
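Review bot: `inherit (flake.config.services) instances;` is added right next to the existing `inherit (flake.config.services.instances) wireGuard web;`, so the file now reaches the same instances set two different ways; extending the existing line to `inherit (flake.config.services.instances) wireGuard web searx;` and writing `searx.domains.url0` keeps one style. The `hosts` entry itself is a good move — it pins the searx name to ceres's tunnel address, so the lookup presumably never leaves the tunnel and fails closed when wg0 is down — but nothing says so; I would add `# resolve the searx vhost to ceres's tunnel address so the name cannot fall back to public DNS` above it. The first hunk of patch 17 starts at the top of the file and its `networking` block closes outside the hunk.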