erwin/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Wiki Activity Actions

Implement WireGuard connection with systemd, as recommended

Browse source
This commit is contained in:
Erwin Boskma 2023-01-23 16:32:46 +01:00
parent ad1ab5e1a0
commit 1307724f3a
Signed by: erwin
SSH key fingerprint: SHA256:CyeNoWXd3kjX2Nwu6pDxxdS7OqmPVOy0NavA/KU/ntU
1 changed files with 85 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

132
machines/loki/configuration.nix
View file

@ -49,13 +49,9 @@
sway = true;
hyprland = true;
};
# home-manager = {
# inherit (users) users;
# enable = true;
# };
libvirtd.enable = true;
livebook = {
enable = true;
enable = false;
dataDir = "/home/erwin/workspace/livebook";
userMapping = "1000:100";
};
@ -93,7 +89,6 @@
firewall = {
trustedInterfaces = [ "lo" ];
# interfaces."enp4s0" = {
allowedTCPPorts = [
# NFS
111
@ -137,49 +132,21 @@
# Sunshine
{ from = 47998; to = 48000; }
];
# };
};
wg-quick.interfaces = {
wghorus = {
address = [ "10.10.4.2/24" ];
autostart = false;
dns = [ "192.168.4.1" ];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wireguard-horus-privkey.path;
postUp = ''
${pkgs.systemd}/bin/resolvectl domain wghorus bedum.horus.nu internal.horus.nu
'';
postDown = ''
${pkgs.systemd}/bin/resolvectl domain wghorus ""
'';
peers = [
{
publicKey = "6faxlUG8+F7uVrKk/OJqqy5k2+OzrhXc/cV6Zsfbl0c=";
allowedIPs = [ "192.168.4.0/23" "192.168.6.0/24" "192.168.7.0/24" "192.168.8.0/24" ];
endpoint = "212.45.34.195:51820";
persistentKeepalive = 25;
}
];
};
};
# wireguard.interfaces = {
# wg-quick.interfaces = {
# wghorus = {
# ips = [ "10.10.4.2/24" ];
# address = [ "10.10.4.2/24" ];
# autostart = false;
# dns = [ "192.168.4.1" ];
# listenPort = 51820;
# privateKeyFile = config.sops.secrets.wireguard-horus-privkey.path;
# postSetup = ''
# ${pkgs.systemd}/bin/resolvectl dns wghorus 192.168.4.1
# postUp = ''
# ${pkgs.systemd}/bin/resolvectl domain wghorus bedum.horus.nu internal.horus.nu
# '';
# postShutdown = ''
# ${pkgs.systemd}/bin/resolvectl dns wghorus ""
# postDown = ''
# ${pkgs.systemd}/bin/resolvectl domain wghorus ""
# '';
@ -198,10 +165,85 @@
systemd.network = {
enable = true;
netdevs = {
"10-wghorus" = {
netdevConfig = {
Kind = "wireguard";
MTUBytes = "1420";
Name = "wghorus";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wireguard-horus-privkey.path;
ListenPort = 51820;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "6faxlUG8+F7uVrKk/OJqqy5k2+OzrhXc/cV6Zsfbl0c=";
AllowedIPs = [ "192.168.4.0/23" "192.168.6.0/24" "192.168.7.0/24" "192.168.8.0/24" ];
Endpoint = "212.45.34.195:51820";
PersistentKeepalive = 25;
};
}
];
};
};
networks = {
"40-enp4s0" = {
DHCP = "yes";
};
"40-wghorus" = {
matchConfig = {
Name = "wghorus";
};
linkConfig = {
ActivationPolicy = "manual";
};
networkConfig = {
DHCP = "no";
DNS = "192.168.4.1";
Domains = [ "bedum.horus.nu" "internal.horus.nu" ];
};
address = [
"10.10.4.2/24"
];
routes = [
{
routeConfig =
{
Destination = "192.168.4.0/23";
Scope = "link";
};
}
{
routeConfig = {
Destination = "192.168.6.0/24";
Scope = "link";
};
}
{
routeConfig =
{
Destination = "192.168.7.0/24";
Scope = "link";
};
}
{
routeConfig =
{
Destination = "192.168.8.0/24";
Scope = "link";
};
}
];
};
};
links = {
@ -215,12 +257,6 @@
};
};
};
# nix = {
# package = pkgs.nixUnstable;
# extraOptions = ''
# experimental-features = nix-command flakes
# '';
# };
services.openssh.enable = true;
programs.ssh.startAgent = true;
@ -266,7 +302,9 @@
livebook-password = {
owner = "erwin";
};
wireguard-horus-privkey = { };
wireguard-horus-privkey = {
owner = "systemd-network";
};
};
# This value determines the NixOS release from which the default