| author | Mel <mel@rnrd.eu> | 2025-07-27 22:26:57 +0200 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2025-07-27 22:28:12 +0200 |
| commit | a01e36caae6da9502c470e3be37fb43db27d5caf (patch) | |
| tree | d00f7be796ab6cb19768761bf95335ce78795e75 | |
| parent | 519d8ec24f9447c7a922353dde07f7abe2895d75 (diff) | |
| download | network-a01e36caae6da9502c470e3be37fb43db27d5caf.tar.zst network-a01e36caae6da9502c470e3be37fb43db27d5caf.zip | |
Configure zibeline WireGuard VPN server
Signed-off-by: Mel <mel@rnrd.eu>
| -rw-r--r-- | machines/taupe/default.nix | 7 | ||||
| -rw-r--r-- | machines/zibeline/default.nix | 5 | ||||
| -rw-r--r-- | modules/foundation/default.nix | 1 | ||||
| -rw-r--r-- | modules/foundation/wireguard.nix | 117 | ||||
| -rw-r--r-- | modules/wireguard.nix | 81 | ||||
| -rw-r--r-- | secrets/secrets.nix | 2 | ||||
| -rw-r--r-- | secrets/wireguard-private-key.age | bin | 917 -> 1027 bytes |
7 files changed, 130 insertions, 83 deletions
diff --git a/machines/taupe/default.nix b/machines/taupe/default.nix index 0c2f025..643c939 100644 --- a/machines/taupe/default.nix +++ b/machines/taupe/default.nix @@ -6,8 +6,6 @@ ./hardware.nix ./devices.nix - - ../../modules/wireguard.nix ]; foundation = { @@ -24,6 +22,11 @@ "base" ]; }; + + wireguard.server = { + enable = true; + externalInterface = "enp1s0"; + }; }; system.stateVersion = "25.05"; diff --git a/machines/zibeline/default.nix b/machines/zibeline/default.nix index c35154c..8d870b5 100644 --- a/machines/zibeline/default.nix +++ b/machines/zibeline/default.nix @@ -22,6 +22,11 @@ "tailnet" ]; }; + + wireguard.server = { + enable = true; + externalInterface = "eth0"; + }; }; system.stateVersion = "25.05"; diff --git a/modules/foundation/default.nix b/modules/foundation/default.nix index fbcb2f8..81140b3 100644 --- a/modules/foundation/default.nix +++ b/modules/foundation/default.nix @@ -4,6 +4,7 @@ imports = [ ./services.nix ./tailnet.nix + ./wireguard.nix ./monitoring ./www ]; diff --git a/modules/foundation/wireguard.nix b/modules/foundation/wireguard.nix new file mode 100644 index 0000000..110a2a4 --- /dev/null +++ b/modules/foundation/wireguard.nix 
@@ -0,0 +1,117 @@ +{ + config, + pkgs, + lib, + ... +}: + +let + inherit (pkgs) iptables; + + inherit (lib) + mkIf + mkEnableOption + mkOption + ; + + cfg = config.foundation.wireguard; + + # TODO: we might want to configure these through options? + + wireguardPort = 51820; + wireguardIPv4 = number: subnet: "10.123.10.${number}/${subnet}"; + wireguardIPv6 = number: subnet: "fd0f:123::${number}/${subnet}"; + + wireguardInterface = "wg0"; + + peerIPs = peerNumber: [ + (wireguardIPv4 peerNumber "32") + (wireguardIPv6 peerNumber "128") + ]; + + peers = [ + # mel + { + publicKey = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU="; + allowedIPs = peerIPs "2"; + } + + # andrei + { + publicKey = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg="; + allowedIPs = peerIPs "3"; + } + + # sergo + { + publicKey = "qbZGMNIDZFCJC6SHtlyNIlIdGWHELceXClJCcagrj2Y="; + allowedIPs = peerIPs "4"; + } + ]; +in +{ + options.foundation.wireguard = { + server = { + enable = mkEnableOption "wireguard vpn server"; + + externalInterface = mkOption { + type = lib.types.string; + default = "eth0"; + }; + }; + }; + + config = mkIf cfg.server.enable { + age.secrets.wireguard-private-key = { + file = ../../secrets/wireguard-private-key.age; + }; + + # enable nat, to rename internal wireguard ips to external ip (w/ iptables) + networking = { + nat = { + enable = true; + internalInterfaces = [ wireguardInterface ]; + inherit (cfg.server) externalInterface; + }; + + firewall = { + allowedUDPPorts = [ wireguardPort ]; + }; + }; + + # enable kernel support for ipv6 forwarding + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.default.forwarding" = 1; + }; + + networking.wireguard.interfaces.${wireguardInterface} = let + inherit (cfg.server) externalInterface; + in + { + inherit peers; + + # ip address of server + subnet of network + ips = [ + (wireguardIPv4 "1" "24") + (wireguardIPv6 "1" "112") + ]; + listenPort = wireguardPort; + + # route wireguard traffic to the internet + # also 
requires clients to have dns set. (i think) + # to avoid, maybe? use wg-quick + dnsmasq? + postSetup = '' + ${iptables}/bin/iptables -t nat -A POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE + ${iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE + ''; + + postShutdown = '' + ${iptables}/bin/iptables -t nat -D POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE + ${iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE + ''; + + privateKeyFile = config.age.secrets.wireguard-private-key.path; + }; + }; +} diff --git a/modules/wireguard.nix b/modules/wireguard.nix deleted file mode 100644 index 176213f..0000000 --- a/modules/wireguard.nix +++ /dev/null 
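Review bot: In the `options.foundation.wireguard.server` block, `externalInterface` is declared with `lib.types.string`, which nixpkgs has deprecated because it silently concatenates multiple definitions; with a default of `"eth0"` a second definition would produce a garbage interface name for the `networking.nat` and MASQUERADE rules instead of a merge conflict, so use `type = lib.types.str;` and add a `description`. The commit also makes `secrets/wireguard-private-key.age` decryptable by zibeline (see the `secrets/secrets.nix` hunk) and the diffstat shows the existing file re-encrypted rather than a second secret added, which implies taupe and zibeline now share one WireGuard private key and therefore one identity; if that is intended it deserves a comment next to `privateKeyFile`, otherwise each server should get its own key so that compromise of one host does not let it impersonate the other. The `peers` list also gains a third entry (`sergo`) that the commit message does not mention. Finally, the `postSetup`/`postShutdown` IPv4 MASQUERADE rules look redundant with `networking.nat.internalInterfaces`, which already masquerades traffic from `wg0` out of `externalInterface`; worth confirming before keeping both, while the `ip6tables` rule is still needed unless `networking.nat.enableIPv6` is set.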
@@ -1,81 +0,0 @@ -{ config, pkgs, ... }: - -let - inherit (pkgs) iptables; - - wireguardPort = 51820; - wireguardIPv4 = number: subnet: "10.123.10.${number}/${subnet}"; - wireguardIPv6 = number: subnet: "fd0f:123::${number}/${subnet}"; - - wireguardInterface = "wg0"; - externalInterface = "enp1s0"; - - peerIPs = peerNumber: [ - (wireguardIPv4 peerNumber "32") - (wireguardIPv6 peerNumber "128") - ]; - peers = [ - # mel - { - publicKey = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU="; - allowedIPs = peerIPs "2"; - } - - # andrei - { - publicKey = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg="; - allowedIPs = peerIPs "3"; - } - ]; - -in -{ - age.secrets.wireguard-private-key = { - file = ../secrets/wireguard-private-key.age; - }; - - # enable nat, to rename internal wireguard ips to external ip (w/ iptables) - networking = { - nat = { - enable = true; - internalInterfaces = [ wireguardInterface ]; - inherit externalInterface; - }; - - firewall = { - allowedUDPPorts = [ wireguardPort ]; - }; - }; - - # enable kernel support for ipv6 forwarding - boot.kernel.sysctl = { - "net.ipv6.conf.all.forwarding" = 1; - "net.ipv6.conf.default.forwarding" = 1; - }; - - networking.wireguard.interfaces.${wireguardInterface} = { - inherit peers; - - # ip address of server + subnet of network - ips = [ - (wireguardIPv4 "1" "24") - (wireguardIPv6 "1" "112") - ]; - listenPort = wireguardPort; - - # route wireguard traffic to the internet - # also requires clients to have dns set. (i think) - # to avoid, maybe? use wg-quick + dnsmasq? 
- postSetup = '' - ${iptables}/bin/iptables -t nat -A POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE - ${iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE - ''; - - postShutdown = '' - ${iptables}/bin/iptables -t nat -D POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE - ${iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE - ''; - - privateKeyFile = config.age.secrets.wireguard-private-key.path; - }; -} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 5c7404a..30bb62d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -8,6 +8,7 @@ let taupe corsac fourmi + zibeline ; in { @@ -42,5 +43,6 @@ in "wireguard-private-key.age".publicKeys = [ taupe + zibeline ] ++ allAdmins; } diff --git a/secrets/wireguard-private-key.age b/secrets/wireguard-private-key.age index 9327fbd..367c66c 100644 --- a/secrets/wireguard-private-key.age +++ b/secrets/wireguard-private-key.age Binary files differ |
