foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-01-31 16:57:55 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
6bf2642ffc
nixos-config/hosts/plover/modules/services/wireguard.nix
Gabriel Arazas 6bf2642ffc hosts: add Wireguard services to related peers 
Among other things, Plover now ignores certain IP for fail2ban. This is
for the VPN users that are placed in that range.
2023-01-17 21:34:54 +08:00

67 lines
2.0 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
# Take note this service is heavily based on the hardware networking setup of
# this host so better stay focused on the hardware configuration on this host.
let
acmeName = "wireguard.${config.networking.domain}";
networks = import ../hardware/networks.nix;
inherit (networks) privateNetworkGatewayIP wireguardIPv6BaseAddress wireguardPort;
wireguardIFName = "wireguard0";
wireguardAddresses = [
# Private IP address.
"172.45.1.1/32"
# Private IPv6 address. Just arbitrarily chosen.
"${wireguardIPv6BaseAddress}/48"
];
wireguardAllowedIPs = [ "172.45.1.2/24" "${wireguardIPv6BaseAddress}/48" ];
in
{
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.firewall.allowedUDPPorts = [ wireguardPort ];
systemd.network = {
netdevs."99-${wireguardIFName}" = {
netdevConfig = {
Name = wireguardIFName;
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."plover/wireguard/private-key".path;
ListenPort = wireguardPort;
};
wireguardPeers = [
# Desktop workstation.
{
wireguardPeerConfig = {
PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/ni".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
};
}
# Phone.
{
wireguardPeerConfig = {
PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
};
}
];
};
networks."99-${wireguardIFName}" = {
matchConfig.Name = wireguardIFName;
address = wireguardAddresses;
gateway = [ privateNetworkGatewayIP ];
};
};
}
Reference in New Issue View Git Blame Copy Permalink