stupid wireguard configuration

2024-10-27 22:59:13 -05:00 · 2024-10-27 22:59:13 -05:00 · 55cb186947
parent 8478a2f7cc
commit 55cb186947
5 changed files with 82 additions and 7 deletions
--- a/boxes/copernicus/default.nix
+++ b/boxes/copernicus/default.nix
@ -107,13 +107,26 @@
    hostName = "copernicus";
    firewall = {
      enable = true;
-      allowedTCPPorts = [ 6000 ];
+      interfaces = {
-      allowedTCPPortRanges = [
+        eno1 = {
-        { from = 1714; to = 1764; } # KDE Connect
+          allowedTCPPorts = [ 6000 ];
-      ];
+          allowedTCPPortRanges = [
-      allowedUDPPortRanges = [
+            { from = 1714; to = 1764; } # KDE Connect
-        { from = 1714; to = 1764; } # KDE Connect
+          ];
-      ];
+          allowedUDPPortRanges = [
            { from = 1714; to = 1764; } # KDE Connect
          ];
        };
        wg0 = {
          # allow everything bound to the wg0 interface
          allowedTCPPortRanges = [
            { from = 1; to = 35565; }
          ];
          allowedUDPPortRanges = [
            { from = 1; to = 35565; }
          ];
        };
      };
    };
  };
--- a/boxes/copernicus/services/default.nix
+++ b/boxes/copernicus/services/default.nix
@ -3,5 +3,6 @@
 {
  imports = [
    ./photoprism.nix
    ./wireguard.nix
  ];
 }
--- a/boxes/copernicus/services/wireguard.nix
+++ b/boxes/copernicus/services/wireguard.nix
@ -0,0 +1,24 @@
 { lib, config, pkgs, ... }:
 {
  networking = {
    firewall.allowedUDPPorts = [ 51820 ];
    wireguard.interfaces = {
      wg0 = {
        ips = [ "10.100.0.2/24" ];
        listenPort = 51820;
        privateKeyFile = "/home/usr/wg-keys/private";
        peers = [
          { # netbox
            publicKey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
            allowedIPs = [ "10.100.0.0/24" ]; # only stuff in the wg-subnet (10.100.0.*)
            endpoint = "149.28.63.115:51820";
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
 }
--- a/boxes/netbox/default.nix
+++ b/boxes/netbox/default.nix
@ -16,6 +16,7 @@
      ./fail2ban.nix
      ./nginx.nix
      ./franklincce.nix
      ./wireguard.nix
    ];
  nix = {
--- a/boxes/netbox/wireguard.nix
+++ b/boxes/netbox/wireguard.nix
@ -0,0 +1,36 @@
 { lib, config, pkgs, ... }:
 {
  networking = {
    nat = {
      enable = true;
      externalInterface = "eth0";
      internalInterfaces = [ "wg0" ];
    };
    firewall.allowedUDPPorts = [ 51820 ];
    wireguard.interfaces = {
      wg0 = {
        ips = [ "10.100.0.1/24" ];
        listenPort = 51820;
        postSetup = ''
          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
        '';
        postShutdown = ''
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
        '';
        privateKeyFile = "/home/ryan/wg-keys/private";
        peers = [
          { # copernicus
            publicKey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
            allowedIPs = [ "10.100.0.2/32" ];
          }
        ];
      };
    };
  };
 }