Migrate from WG to TS/HS

2025-04-21 15:47:20 -05:00
parent 041bba5aeb
commit 2034274ee0
9 changed files with 50 additions and 53 deletions


@ -22,7 +22,6 @@
"restic/env".file = ../../secrets/restic/env.age;
"restic/password".file = ../../secrets/restic/env.age;
"restic/repo".file = ../../secrets/restic/env.age;
"wireguard/server-private".file = ../../secrets/wireguard/server-private.age;
};
identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
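Review bot: The three restic entries on the context lines all point at the same file, `../../secrets/restic/env.age`, so `restic/password` and `restic/repo` decrypt the env secret instead of their own; this predates the commit, but since this block is being touched it is worth fixing here, presumably to something like `"restic/password".file = ../../secrets/restic/password.age;` and `"restic/repo".file = ../../secrets/restic/repo.age;` (constructed names — match whatever actually exists under secrets/restic). The one deleted line in this hunk is presumably the `wireguard/server-private` declaration; if so, the corresponding `.age` file and its recipient entry in the secrets rules file should be dropped as well, which is not visible in this diff. The enclosing attribute set starts before the hunk.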


@ -1,15 +1,16 @@
{ ... }: {
{ config, ... }: {
networking = {
hostName = "eve-psr-nix0";
firewall = {
allowedTCPPorts = [ 22 80 443 5000 23231 23232 23233 ];
allowedUDPPorts = [ 53 51820 ];
trustedInterfaces = [ "tun0" ];
};
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "tun0" "wg0" ];
allowedUDPPorts = [ 53 51820 config.services.tailscale.port ];
extraCommands = ''
iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
'';
};
nat.enable = true;
};
}
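Review bot: UDP 51820 stays in `allowedUDPPorts` on the new side even though this commit removes the WireGuard interface that listened on it; either drop it or leave a comment saying why it is still open, e.g. `allowedUDPPorts = [ 53 config.services.tailscale.port ];`. The `nat` block with `externalInterface` and `internalInterfaces` appears to collapse to `nat.enable = true;` while the masquerade for `100.64.0.0/10` moves into `firewall.extraCommands`; with no external interface declared it is worth confirming that the NAT module still generates the rules you expect rather than an empty set. If this host is meant to forward traffic for tailnet peers (exit node or subnet router), IP forwarding also has to be enabled, for example via `services.tailscale.useRoutingFeatures`, which is not visible in this diff. The hand-written iptables rules will also need revisiting if the firewall backend is ever switched to nftables.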


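--- a/[deleted-file-path-not-shown]
+++ /dev/null
@@ -1,33 +0,0 @@
-{ pkgs, config, lib, ...}: {
-networking.wireguard.interfaces = {
-wg0 = {
-ips = [ "192.168.3.1/24" ];
-listenPort = 51820;
-privateKeyFile = "/run/agenix/wireguard/server-private";
-peers = [
-#
-# James
-#
-{ # Primary Cell
-publicKey = "jko+bd/y1+3X40/AGX9OpV2H/Wlb9C2Jwkfs4Knjljg=";
-allowedIPs = [ "192.168.3.2/32" ];
-}
-#
-# Caitlynn
-#
-{ # Primary Cell
-publicKey = "Xbp3+huOWE0sTcWtk5BA2Qc4gk5vjFVgE6+qYJBpgkY=";
-allowedIPs = [ "192.168.3.3/32" ];
-}
-];
-postSetup = ''
-${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
-'';
-postShutdown = ''
-${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
-'';
-};
-};
-}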