Diffstat (limited to 'os/kay/modules/network')
-rw-r--r-- | os/kay/modules/network/default.nix | 1 | ||||
-rw-r--r-- | os/kay/modules/network/headscale.nix | 15 | ||||
-rw-r--r-- | os/kay/modules/network/wireguard.nix | 71 |
3 files changed, 12 insertions, 75 deletions
diff --git a/os/kay/modules/network/default.nix b/os/kay/modules/network/default.nix
index 56371c7..019ee24 100644
--- a/os/kay/modules/network/default.nix
+++ b/os/kay/modules/network/default.nix
@@ -12,7 +12,6 @@ in
 imports = [
 ./router.nix
 ./hurricane.nix
- ./wireguard.nix
 ./headscale.nix
 ];
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix
index 14fcee3..39007a4 100644
--- a/os/kay/modules/network/headscale.nix
+++ b/os/kay/modules/network/headscale.nix
@@ -54,6 +54,11 @@ let
 acls = [
 {
 action = "accept";
+ src = [ "*" ];
+ dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ];
+ }
+ {
+ action = "accept";
 src = [ "headplane@" ];
 dst = [ "*:*" ];
 }
@@ -63,17 +68,21 @@ let
 src = [ "group:owner" ];
 dst = [ "*:*" ];
 }
+ {
+ action = "accept";
+ src = [ "nazer@" ];
+ dst = [ "autogroup:internet:*" ];
+ }
 {
 action = "accept";
 src = [ "group:bud" ];
 dst = [ "tag:bud_clients:*" ];
 }
- {
 action = "accept";
- src = [ "*" ];
- dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ];
+ src = [ "tag:bud_clients" ];
+ dst = [ "tag:bud_clients:80,443" ];
 }
 ];
 };
diff --git a/os/kay/modules/network/wireguard.nix b/os/kay/modules/network/wireguard.nix
deleted file mode 100644
index fd00804..0000000
--- a/os/kay/modules/network/wireguard.nix
+++ /dev/null
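Review bot: As rendered, the second headscale.nix hunk removes the opening `{` of the final ACL rule (`- {`) while keeping `action = "accept";` as context, so the new side reads `} action = "accept"; src = [ "tag:bud_clients" ]; dst = [ "tag:bud_clients:80,443" ]; }`, which Nix would reject; the hunk header counts 17 old lines but fewer are visible here, so this may be a rendering artifact — confirm the committed file still evaluates. Beyond syntax, the two new grants deserve an inline comment stating their intent, since each widens reach: `# nazer may route internet traffic through the tailnet's exit nodes` above the `autogroup:internet:*` rule, and `# bud clients may reach each other's HTTP/HTTPS services only` above the `tag:bud_clients:80,443` rule. The `src = [ "*" ]` rule for the namescale port is only moved, not new, and since headscale ACLs are an unordered set of accept rules over a default deny, its position in the list does not change what is reachable. The acls list starts before the first hunk and the enclosing `let` continues outside both hunks.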
@@ -1,71 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-let
- wgInterface = "wg";
- wanInterface = "ppp0";
- port = 51820;
-
- wgConf = pkgs.writeText "wg.conf" ''
- [interface]
- Address = 10.0.1.1/24
- MTU = 1412
- ListenPort = 51820
- PostUp = ${
- lib.getExe (
- pkgs.writeShellApplication {
- name = "wg_set_key";
- runtimeInputs = with pkgs; [ wireguard-tools ];
- text = ''
- wg set ${wgInterface} private-key <(cat ${config.sops.secrets."misc/wireguard".path})
- '';
- }
- )
- }
-
- [Peer]
- # friendly_name = cez
- PublicKey = IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8=
- AllowedIPs = 10.0.1.2/32
-
- [Peer]
- # friendly_name = exy
- PublicKey = bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8=
- AllowedIPs = 10.0.1.3/32
-
- [Peer]
- # friendly_name = dad
- PublicKey = q70IyOS2IpubIRWqo5sL3SeEjtUy2V/PT8yqVExiHTQ=
- AllowedIPs = 10.0.1.4/32
- '';
-in
-{
- sops.secrets."misc/wireguard" = { };
-
- networking = {
- nat = {
- enable = true;
- externalInterface = wanInterface;
- internalInterfaces = [ wgInterface ];
- };
-
- firewall.allowedUDPPorts = [ port ];
- wg-quick.interfaces.${wgInterface}.configFile = builtins.toString wgConf;
- };
-
- services.dnsmasq.settings = {
- no-dhcp-interface = wgInterface;
- interface = [ wgInterface ];
- };
-
- services.prometheus.exporters.wireguard = {
- enable = true;
- withRemoteIp = true;
- wireguardConfig = builtins.toString wgConf;
- singleSubnetPerField = true;
- listenAddress = "127.0.0.1";
- };
-}
|