changed a whole lot to conform to the article + dnsmasq now uses settings instead of extraConfig

This commit is contained in:
Lillian Violet 2024-12-06 22:40:12 +01:00
parent 30a16e746e
commit 47dc699ed1
4 changed files with 57 additions and 21 deletions


@ -53,14 +53,16 @@
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
wg0 = { wg0 = {
autostart = true; autostart = true;
dns = ["1.1.1.1"]; address = ["10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/64"];
address = ["10.5.5.3/32"]; dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
listenPort = 51821;
privateKeyFile = config.sops.secrets."wg-private-key".path; privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [ peers = [
{ {
publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
endpoint = "84.87.146.85:51821"; endpoint = "84.87.146.85:51821";
allowedIPs = ["0.0.0.0/0" "::0/0"]; allowedIPs = ["0.0.0.0/0" "::/0"];
persistentKeepalive = 25;
} }
]; ];
}; };
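Review bot: The new `listenPort = 51821;` line pins a fixed UDP port on a peer that dials a fixed `endpoint` and keeps its NAT mapping alive with `persistentKeepalive = 25`, so it adds nothing to connectivity and only fixes a port that another WireGuard interface on the same host could want; wg-quick chooses an ephemeral port when the option is absent, and I would drop the line here and in the identical hunks for the other two client files. Note also that `dns` now points only at the server's tunnel addresses, so name resolution on this host depends entirely on the tunnel and the server's resolver being up — worth a one-line comment such as `# DNS is served by dnsmasq on the server's wg1; no fallback outside the tunnel`.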


@ -95,14 +95,16 @@
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
wg0 = { wg0 = {
autostart = true; autostart = true;
dns = ["1.1.1.1"]; address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
address = ["10.5.5.2/32"]; dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
listenPort = 51821;
privateKeyFile = config.sops.secrets."wg-private-key".path; privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [ peers = [
{ {
publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
endpoint = "84.87.146.85:51821"; endpoint = "84.87.146.85:51821";
allowedIPs = ["0.0.0.0/0"]; allowedIPs = ["0.0.0.0/0" "::/0"];
persistentKeepalive = 25;
} }
]; ];
}; };


@ -222,14 +222,16 @@
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
wg0 = { wg0 = {
autostart = true; autostart = true;
dns = ["1.1.1.1"]; address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"];
address = ["10.5.5.4/32"]; dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
listenPort = 51821;
privateKeyFile = config.sops.secrets."wg-private-key".path; privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [ peers = [
{ {
publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
endpoint = "84.87.146.85:51821"; endpoint = "84.87.146.85:51821";
allowedIPs = ["0.0.0.0/0" "::0/0"]; allowedIPs = ["0.0.0.0/0" "::/0"];
persistentKeepalive = 25;
} }
]; ];
}; };


@ -175,41 +175,67 @@
]; ];
}; };
wg1 = { wg1 = {
autostart = true; # Determines the IP address and subnet of the server's end of the tunnel interface.
address = ["10.5.5.1/24"]; address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51821; listenPort = 51821;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
'';
# Undo the above
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
'';
privateKeyFile = config.sops.secrets."wg-private-key".path; privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [ peers = [
{ {
#GLaDOS public key #GLaDOS public key
publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38="; publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38=";
allowedIPs = ["10.5.5.2/32"]; allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
} }
{ {
#EDI public key #EDI public key
publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704="; publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704=";
allowedIPs = ["10.5.5.3/32"]; allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
} }
{ {
#Shodan public key #Shodan public key
publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw="; publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw=";
allowedIPs = ["10.5.5.4/32"]; allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
} }
{ {
#ADA public key #ADA public key
publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo="; publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo=";
allowedIPs = ["10.5.5.5/32"]; allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
} }
]; ];
}; };
}; };
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; services.dnsmasq = {
enable = true;
settings = {
interface = "wg1";
};
};
networking.firewall.extraCommands = '' # enable NAT
iptables -t nat -A POSTROUTING -s 10.5.5.1/24 ! -d 10.5.5.1/24 -j MASQUERADE networking.nat.enable = true;
''; networking.nat.externalInterface = "end0";
networking.nat.internalInterfaces = ["wg1"];
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowPing = false; allowPing = false;
@ -219,13 +245,17 @@
5350 # STUN tls alt 5350 # STUN tls alt
80 # http 80 # http
443 # https 443 # https
51821 51821 # wg
7878 7878
53 # dnsmasq
];
allowedUDPPorts = [
53 #dnsmasq
]; ];
allowedUDPPortRanges = [ allowedUDPPortRanges = [
{ {
from = 51820; from = 51820;
to = 51822; to = 51822; # wg
} }
{ {
from = 49152; from = 49152;
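Review bot: Three peers in the wg1 peer list now share identical allowedIPs: the Shodan and ADA entries were given `10.0.0.3/32` and `fdc9:281f:04d7:9ee9::3/128`, the same as EDI, so WireGuard's cryptokey routing will associate .3 with whichever peer is configured last and the other two lose return traffic; following the old .4/.5 numbering they should read `allowedIPs = ["10.0.0.4/32" "fdc9:281f:04d7:9ee9::4/128"];` and `allowedIPs = ["10.0.0.5/32" "fdc9:281f:04d7:9ee9::5/128"];`. The postUp/preDown rules match `-i wg0` and `-o eth0` although this interface is `wg1` and the NAT egress interface is declared as `end0` a few lines below, so they never hit the intended traffic; since `networking.nat` with `internalInterfaces = ["wg1"]` already installs the forwarding and MASQUERADE rules, the hand-written iptables block (and its duplicated comment line) can simply be removed. In the second hunk port 53 is added to the host-wide `allowedTCPPorts`/`allowedUDPPorts`, which exposes the resolver on the public interface as well — dnsmasq's `interface` option filters which queries it answers, but the firewall hole is still wider than the tunnel-only use needs — so scope it with `networking.firewall.interfaces.wg1.allowedTCPPorts = [53];` and `networking.firewall.interfaces.wg1.allowedUDPPorts = [53];` and consider `bind-interfaces = true;` in the dnsmasq settings so it stops listening on the wildcard address. The `networking.firewall` block continues past the end of this section.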