Diffstat (limited to 'hosts/kay/modules')
| -rw-r--r-- | hosts/kay/modules/network.nix | 5 | ||||
| -rw-r--r-- | hosts/kay/modules/router.nix | 2 | ||||
| -rw-r--r-- | hosts/kay/modules/wireguard.nix | 54 | 
3 files changed, 59 insertions, 2 deletions
| diff --git a/hosts/kay/modules/network.nix b/hosts/kay/modules/network.nix
index 9ef8ee6..12788c6 100644
--- a/hosts/kay/modules/network.nix
+++ b/hosts/kay/modules/network.nix
@@ -7,7 +7,10 @@ let
   nameServer = "1.0.0.1";
 in
 {
-  imports = [ ./router.nix ];
+  imports = [
+    ./wireguard.nix
+    ./router.nix
+  ];

   sops.secrets = {
     "ppp/chap-secrets" = {};
diff --git a/hosts/kay/modules/router.nix b/hosts/kay/modules/router.nix
index c33fff2..e390ded 100644
--- a/hosts/kay/modules/router.nix
+++ b/hosts/kay/modules/router.nix
@@ -37,6 +37,6 @@ in
   services.dnsmasq.settings = {
     dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
-    interface = lanInterface;
+    interface = [ lanInterface ];
   };
 }
diff --git a/hosts/kay/modules/wireguard.nix b/hosts/kay/modules/wireguard.nix
new file mode 100644
index 0000000..4839280
--- /dev/null
+++ b/hosts/kay/modules/wireguard.nix
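Review bot: The list form of `interface` makes the NixOS module system merge it with the `interface = [ wgInterface ]` that wireguard.nix also sets, so dnsmasq now answers DNS on both the LAN and the tunnel; that merge is the reason for the change and deserves a comment, e.g. `# list form so other modules (wireguard.nix) can append their own interfaces`. In dnsmasq's default bind mode `interface=` only filters queries after binding the wildcard address, so the daemon still holds port 53 on the ppp0 address and relies on the host firewall to refuse WAN queries; adding `bind-dynamic = true;` to these settings binds only the named interfaces and also tolerates the wg interface appearing after dnsmasq has started. Whether the firewall already closes 53 on ppp0 is not visible in this hunk.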
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+  wgInterface = "wg";
+  wanInterface = "ppp0";
+  subnet = "10.0.1.0";
+  prefix = 24;
+  port = 51820;
+in
+{
+  sops.secrets."misc/wireguard" = {};
+
+  networking = {
+    nat.enable = true;
+    firewall = {
+      allowedUDPPorts = [ port ];
+      extraCommands = ''
+        # nat datagrams comming through lanInterface to wanInterface
+        iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
+
+        # allow all traffic on lanInterface interface
+        iptables -I INPUT 1 -i ${wgInterface} -j ACCEPT
+
+        # forward rules
+        iptables -I FORWARD 1 -i ${wgInterface} -o ${wgInterface} -j ACCEPT
+        iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT
+        iptables -I FORWARD 1 -i ${wgInterface} -o ${wanInterface} -j ACCEPT
+      '';
+    };
+
+    wireguard.interfaces.${wgInterface} = {
+      ips = [ "10.0.1.1/${toString prefix}" ];
+      listenPort = port;
+      mtu = 1380; # 1460 (ppp0) - 80
+      privateKeyFile = config.sops.secrets."misc/wireguard".path;
+
+      peers = [
+        { # cez
+          publicKey = "IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8=";
+          allowedIPs = [ "10.0.1.2/32" ];
+        }
+        { # veu
+          publicKey = "bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8=";
+          allowedIPs = [ "10.0.1.3/32" ];
+        }
+      ];
+    };
+  };
+
+  services.dnsmasq.settings = {
+    no-dhcp-interface = wgInterface;
+    interface = [ wgInterface  ];
+  };
+} |
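Review bot: The rule `iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT` admits any unsolicited packet arriving on ppp0 into the 10.0.1.0/24 tunnel subnet; if the FORWARD policy is ACCEPT (the NixOS default unless `networking.firewall.filterForward` is enabled, which is not visible here) the line is inert today, but it encodes the wrong intent and becomes a hole the moment forward filtering is turned on, so restrict it to return traffic: `iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. The `-I ... 1` inserts into the built-in FORWARD and nat POSTROUTING chains are also never removed when the firewall service stops or reloads, so every `nixos-rebuild switch` stacks duplicate rules unless matching `-D` lines go into `networking.firewall.extraStopCommands`; the MASQUERADE and INPUT rules can instead be expressed declaratively with `networking.nat.externalInterface`/`internalIPs` (if router.nix does not already claim `externalInterface`) and `networking.firewall.trustedInterfaces = [ wgInterface ];`. The two comments still refer to `lanInterface`, which this module does not define and which appears to be a copy from router.nix; rewrite them as `# masquerade tunnel traffic leaving through the WAN interface` and `# accept everything arriving on the tunnel interface` (and fix "comming").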
