From 02a4d33e79aa2784e2be0049176bba9abd69d4f5 Mon Sep 17 00:00:00 2001
From: Asmir A
Date: Thu, 4 Apr 2024 21:58:53 +0200
Subject: [PATCH] magpie/wireguard: add server

---
 magpie/configuration.nix | 39 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 37 insertions(+), 2 deletions(-)

diff --git a/magpie/configuration.nix b/magpie/configuration.nix
index ca0c1fc..bcb1fb2 100644
--- a/magpie/configuration.nix
+++ b/magpie/configuration.nix
@@ -264,15 +264,50 @@
 owner = config.users.users.nextcloud.name;
 };
+ sops.secrets."wg_privkey" = {
+ sopsFile = ./secrets/wg_privkey.yaml;
+ };
+
+ networking.hostName = "magpie";
+
 networking.firewall.enable = true;
 networking.firewall.allowedTCPPorts = [80 443 587];
- networking.firewall.allowedUDPPorts = [443];
+ networking.firewall.allowedUDPPorts = [443 51820];
 networking.firewall.allowPing = true;
 networking.firewall.logRefusedConnections = lib.mkDefault false;
- networking.hostName = "magpie";
+
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "enp1s0";
+ networking.nat.internalInterfaces = ["wg0"];
+
 networking.networkmanager.enable = true;
 networking.wireless.enable = false;
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = ["10.100.0.1/24"];
+ listenPort = 51820;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+ privateKeyFile = config.sops.secrets."wg_privkey".path;
+
+ peers = [
+ {
+ publicKey = builtins.readFile ../nixy/wg_pubkey;
+ allowedIPs = ["10.100.0.6/32"];
+ }
+ ];
+ };
+ };
+
 systemd = {
 enableEmergencyMode = false;
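Review bot: The `postSetup`/`postShutdown` MASQUERADE rules match on `-o eth0`, while `networking.nat.externalInterface` in the same hunk is `"enp1s0"`; iptables accepts a rule for an interface that does not exist, so on a host named that way the manual rule is installed but never matches, and the `-D` on shutdown removes nothing. Because `networking.nat.enable = true` with `internalInterfaces = ["wg0"]` already masquerades wg0 traffic out of `enp1s0`, the two hooks appear redundant and could be dropped; if they are kept on purpose, change both rules to `-o enp1s0` so the comment, the NAT option and the rule agree on the egress interface. `builtins.readFile ../nixy/wg_pubkey` presumably keeps the file's trailing newline inside the peer key; `lib.fileContents ../nixy/wg_pubkey` yields the key without it. The enclosing configuration attrset and the `systemd = {` block both continue outside the hunk.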