diff --git a/boxes/copernicus/services/default.nix b/boxes/copernicus/services/default.nix
index 740af87..777283e 100644
--- a/boxes/copernicus/services/default.nix
+++ b/boxes/copernicus/services/default.nix
@@ -3,5 +3,6 @@
 {
 imports = [
 ./photoprism.nix
+ ./wireguard.nix
 ];
 }
diff --git a/boxes/copernicus/services/wireguard.nix b/boxes/copernicus/services/wireguard.nix
new file mode 100644
index 0000000..0ae3f7a
--- /dev/null
+++ b/boxes/copernicus/services/wireguard.nix
@@ -0,0 +1,25 @@
+{ lib, config, pkgs, ... }:
+
+ {
+ networking = {
+ firewall.allowedUDPPorts = [ 51820 ];
+
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.2/24" ];
+ listenPort = 51820;
+
+ privateKeyFile = "/home/usr/wg-keys/private";
+ peers = [
+ { # netbox
+ publicKey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
+ allowedIPs = [ "10.100.0.1" ]; # only server-bound traffic -- everything else
+ # should be routed via consumer isp
+ endpoint = "149.28.63.115:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/boxes/netbox/default.nix b/boxes/netbox/default.nix
index a79440b..720c563 100644
--- a/boxes/netbox/default.nix
+++ b/boxes/netbox/default.nix
@@ -16,6 +16,7 @@
 ./fail2ban.nix
 ./nginx.nix
 ./franklincce.nix
+ ./wireguard.nix
 ];
 
 nix = {
diff --git a/boxes/netbox/wireguard.nix b/boxes/netbox/wireguard.nix
new file mode 100644
index 0000000..b33fa31
--- /dev/null
+++ b/boxes/netbox/wireguard.nix
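Review bot: `privateKeyFile = "/home/usr/wg-keys/private"` points the interface's private key at a user home directory, and the same pattern appears in boxes/netbox/wireguard.nix as `/home/ryan/wg-keys/private`; `/home/usr` here looks like it may be a typo for a real user name, and since the module does not manage the file's ownership or mode, the key is only as private as that directory's permissions. Consider moving both keys to a root-owned, mode 0400 file outside /home (for example one provided by the host's secrets mechanism) and adding a comment stating who owns the file and how it is provisioned. The peer's `allowedIPs = [ "10.100.0.1" ]` omits a prefix length while the netbox side writes `"10.100.0.2/32"`; writing `allowedIPs = [ "10.100.0.1/32" ];` makes the single-host scope explicit and keeps the two files consistent. The `lib` and `config` arguments in the module pattern are unused in this file and could be dropped.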
@@ -0,0 +1,36 @@
+{ lib, config, pkgs, ... }:
+
+ {
+ networking = {
+ nat = {
+ enable = true;
+ externalInterface = "eth0";
+ internalInterfaces = [ "wg0" ];
+ };
+ firewall.allowedUDPPorts = [ 51820 ];
+
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.1/24" ];
+
+ listenPort = 51820;
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ privateKeyFile = "/home/ryan/wg-keys/private";
+
+ peers = [
+ { # copernicus
+ publicKey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+ };
+}
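Review bot: The `postSetup`/`postShutdown` iptables MASQUERADE rules appear to duplicate what `networking.nat` with `externalInterface = "eth0"` and `internalInterfaces = [ "wg0" ]` already installs for wg0 traffic leaving eth0 (the nat module also enables IP forwarding on its own), so the same translation is set up twice and torn down by two separate paths; keep one of the two, and if the manual rules are kept, add a comment explaining why `networking.nat` is not sufficient. The external interface name `eth0` is spelled out three times; a `let ext = "eth0"; in` at the top of the file, referenced from `externalInterface` and the two iptables lines, would keep them from drifting apart. Note also that the copernicus peer only routes `10.100.0.1` through the tunnel, so the NAT and forwarding enabled here are not exercised by any configured peer; if the link is meant to be point-to-point only, the `nat` block can be dropped, which also stops netbox from forwarding on behalf of the whole 10.100.0.0/24 range.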