Diffstat (limited to 'hosts/kay/modules')
-rw-r--r--hosts/kay/modules/network.nix5
-rw-r--r--hosts/kay/modules/router.nix2
-rw-r--r--hosts/kay/modules/wireguard.nix54
3 files changed, 59 insertions, 2 deletions
diff --git a/hosts/kay/modules/network.nix b/hosts/kay/modules/network.nix
index 9ef8ee6..12788c6 100644
--- a/hosts/kay/modules/network.nix
+++ b/hosts/kay/modules/network.nix
@@ -7,7 +7,10 @@ let
nameServer = "1.0.0.1";
in
{
- imports = [ ./router.nix ];
+ imports = [
+ ./wireguard.nix
+ ./router.nix
+ ];
sops.secrets = {
"ppp/chap-secrets" = {};
diff --git a/hosts/kay/modules/router.nix b/hosts/kay/modules/router.nix
index c33fff2..e390ded 100644
--- a/hosts/kay/modules/router.nix
+++ b/hosts/kay/modules/router.nix
@@ -37,6 +37,6 @@ in
services.dnsmasq.settings = {
dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
- interface = lanInterface;
+ interface = [ lanInterface ];
};
}
diff --git a/hosts/kay/modules/wireguard.nix b/hosts/kay/modules/wireguard.nix
new file mode 100644
index 0000000..4839280
--- /dev/null
+++ b/hosts/kay/modules/wireguard.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+ wgInterface = "wg";
+ wanInterface = "ppp0";
+ subnet = "10.0.1.0";
+ prefix = 24;
+ port = 51820;
+in
+{
+ sops.secrets."misc/wireguard" = {};
+
+ networking = {
+ nat.enable = true;
+ firewall = {
+ allowedUDPPorts = [ port ];
+ extraCommands = ''
+ # nat datagrams comming through lanInterface to wanInterface
+ iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
+
+ # allow all traffic on lanInterface interface
+ iptables -I INPUT 1 -i ${wgInterface} -j ACCEPT
+
+ # forward rules
+ iptables -I FORWARD 1 -i ${wgInterface} -o ${wgInterface} -j ACCEPT
+ iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT
+ iptables -I FORWARD 1 -i ${wgInterface} -o ${wanInterface} -j ACCEPT
+ '';
+ };
+
+ wireguard.interfaces.${wgInterface} = {
+ ips = [ "10.0.1.1/${toString prefix}" ];
+ listenPort = port;
+ mtu = 1380; # 1460 (ppp0) - 80
+ privateKeyFile = config.sops.secrets."misc/wireguard".path;
+
+ peers = [
+ { # cez
+ publicKey = "IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8=";
+ allowedIPs = [ "10.0.1.2/32" ];
+ }
+ { # veu
+ publicKey = "bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8=";
+ allowedIPs = [ "10.0.1.3/32" ];
+ }
+ ];
+ };
+ };
+
+ services.dnsmasq.settings = {
+ no-dhcp-interface = wgInterface;
+ interface = [ wgInterface ];
+ };
+}
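Review bot: The forward rule `iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT` accepts any packet arriving on ppp0 that routes into the tunnel, not only replies to connections the peers opened; it should be `iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` so an upstream host that can address 10.0.1.0/24 cannot reach the peers unsolicited. The unconditional `iptables -I INPUT 1 -i ${wgInterface} -j ACCEPT` likewise exposes every service on the router to both peers; `networking.firewall.interfaces.${wgInterface}.allowedTCPPorts`/`allowedUDPPorts` (DNS on 53 is presumably what is wanted, given the dnsmasq block below) would keep the tunnel least-privilege, and the comments on those two rules still say "lanInterface", which looks copied from router.nix. Because these rules go into the built-in INPUT/FORWARD/POSTROUTING chains rather than the nixos-fw chain, I would expect them to accumulate on every firewall reload unless matching `-D` lines are added to `networking.firewall.extraStopCommands` — worth confirming against the NixOS version in use. Minor: `no-dhcp-interface = wgInterface;` is a bare string while `interface` is written as a list; `[ wgInterface ]` for both keeps the setting mergeable with router.nix the same way `interface` now is.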