deploy wireguard
This commit is contained in:
parent
a47d096503
commit
30386c3afe
14 changed files with 201 additions and 352 deletions
|
|
@ -97,15 +97,6 @@
|
|||
};
|
||||
};
|
||||
|
||||
launchd.agents.tailscale = {
|
||||
enable = true;
|
||||
config = {
|
||||
ProgramArguments = [ "/Applications/Tailscale.app/Contents/MacOS/Tailscale" ];
|
||||
RunAtLoad = true;
|
||||
KeepAlive = false;
|
||||
};
|
||||
};
|
||||
|
||||
home.activation.setFileAssociations = config.lib.dag.entryAfter ["writeBoundary"] ''
|
||||
run ${pkgs.duti}/bin/duti -s com.apple.TextEdit .txt all
|
||||
run ${pkgs.duti}/bin/duti -s com.apple.TextEdit .md all
|
||||
|
|
|
|||
|
|
@ -160,7 +160,6 @@
|
|||
"clash-verge-rev"
|
||||
"firefox"
|
||||
"keepassxc"
|
||||
"tailscale-app"
|
||||
"calibre"
|
||||
"iina"
|
||||
"musicbrainz-picard"
|
||||
|
|
|
|||
|
|
@ -1,67 +0,0 @@
|
|||
{ config, ... }:
|
||||
|
||||
{
|
||||
# Traefik dynamic configuration for vps host
|
||||
services.traefik.dynamic.files."proxy".settings = {
|
||||
http = {
|
||||
serversTransports = {
|
||||
longTimeout = {
|
||||
forwardingTimeouts = {
|
||||
dialTimeout = "30s";
|
||||
responseHeaderTimeout = "1200s";
|
||||
idleConnTimeout = "1200s";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
routers = {
|
||||
|
||||
deluge = {
|
||||
rule = "Host(`deluge.home.yanlincs.com`)";
|
||||
service = "deluge";
|
||||
tls = {
|
||||
certResolver = "cloudflare";
|
||||
domains = [{
|
||||
main = "*.home.yanlincs.com";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
photo = {
|
||||
rule = "Host(`photo.home.yanlincs.com`)";
|
||||
service = "photo";
|
||||
tls = {
|
||||
certResolver = "cloudflare";
|
||||
domains = [{
|
||||
main = "*.home.yanlincs.com";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
services = {
|
||||
|
||||
deluge = {
|
||||
loadBalancer = {
|
||||
servers = [{
|
||||
url = "http://127.0.0.1:8112";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
photo = {
|
||||
loadBalancer = {
|
||||
serversTransport = "longTimeout";
|
||||
servers = [{
|
||||
url = "http://127.0.0.1:8080";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
@ -4,11 +4,9 @@
|
|||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./containers.nix
|
||||
./proxy.nix
|
||||
../system-default.nix
|
||||
../../../modules/vpn/tailscale.nix
|
||||
../../../modules/vpn/client.nix
|
||||
../../../modules/podman.nix
|
||||
../../../modules/traefik.nix
|
||||
../../../modules/borg/client.nix
|
||||
../../../modules/media/server.nix
|
||||
../../../modules/file-server/samba.nix
|
||||
|
|
@ -132,9 +130,11 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.tailscale-custom = {
|
||||
exitNode = true;
|
||||
subnetRoutes = [ "10.1.1.0/24" ];
|
||||
services.wireguard-client = {
|
||||
enable = true;
|
||||
address = "10.2.2.10/24";
|
||||
serverPublicKey = "46QHjSzAas5g9Hll1SCEu9tbR5owCxXAy6wGOUoPwUM=";
|
||||
serverEndpoint = "91.98.84.215:51820";
|
||||
};
|
||||
|
||||
# Media server services
|
||||
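Review bot: The `subnetRoutes = [ "10.1.1.0/24" ]` advertisement that the removed `services.tailscale-custom` block provided has no counterpart in the new `services.wireguard-client` block, and the hub's peer entry for this host (vps hunk below) only allows `10.2.2.10/32`, so the LAN behind nfss is no longer reachable over the VPN; if that is unintended, the route has to be added both to this peer's `allowedIPs` on the server and to the clients' `allowedIPs` option. The `serverPublicKey` and `serverEndpoint` values are repeated verbatim in the thinkpad hunk further down; giving those two options defaults in the client module, or sourcing them from one shared constant, avoids the copies drifting apart. A one-line comment such as `# hub = vps; LAN 10.1.1.0/24 is intentionally not routed over wg0` would record the decision either way.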
|
|
|
|||
|
|
@ -5,8 +5,8 @@
|
|||
./hardware-configuration.nix
|
||||
./containers.nix
|
||||
../system-default.nix
|
||||
../../../modules/vpn/client.nix
|
||||
../../../modules/podman.nix
|
||||
../../../modules/vpn/tailscale.nix
|
||||
../../../modules/borg/client.nix
|
||||
];
|
||||
|
||||
|
|
@ -150,7 +150,7 @@
|
|||
# Host-specific user configuration
|
||||
users.users.yanlin = {
|
||||
extraGroups = [ "networkmanager" "wheel" "video" "audio" "input" ];
|
||||
hashedPassword = "$6$kSyaRzAtj8VPcNeX$NsEP6zQAfp6O8YWcolfPRKnhIcJlKu5luZgWqozJAHtbE/gv90KoOOKU7Dt.FnbPB0Ej26jXoBH4X.7y/OLGB1";
|
||||
hashedPassword = "$6$4tNeZ9/B3SSapStU$vX1pco.IuMMu/AcLeGvZoOGxSNNlorVdnRGSVFIWou5ybcpwxrJHAFqvKpJiObejHe2sy7CnJ8fiMACaTwDN5/";
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICp2goZiuSfwMA02GsHhYzUZHrQPPBgP5sWSNP9kQR3e yanlin@imac"
|
||||
];
|
||||
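Review bot: The `hashedPassword` rotation keeps the SHA-512 crypt hash in the repository, where anyone with read access can run offline guessing against it, and it lands in a commit whose title only mentions WireGuard. Prefer `hashedPasswordFile` pointing at a file provisioned outside the repo, e.g. `hashedPasswordFile = "/path/to/secrets/yanlin.passwd";` (placeholder path), and mention the credential change in the commit message so it is not lost in an infrastructure change. The `openssh.authorizedKeys.keys` entry below is a public key and is fine to keep inline.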
|
|
@ -188,7 +188,12 @@
|
|||
|
||||
services.acpid.enable = true;
|
||||
|
||||
services.tailscale-custom.exitNode = true;
|
||||
services.wireguard-client = {
|
||||
enable = true;
|
||||
address = "10.2.2.20/24";
|
||||
serverPublicKey = "46QHjSzAas5g9Hll1SCEu9tbR5owCxXAy6wGOUoPwUM=";
|
||||
serverEndpoint = "91.98.84.215:51820";
|
||||
};
|
||||
|
||||
services.borg-client-custom = {
|
||||
enable = true;
|
||||
|
|
|
|||
|
|
@ -38,6 +38,17 @@
|
|||
};
|
||||
};
|
||||
|
||||
deluge = {
|
||||
rule = "Host(`deluge.yanlincs.com`)";
|
||||
service = "deluge";
|
||||
tls = {
|
||||
certResolver = "cloudflare";
|
||||
domains = [{
|
||||
main = "*.yanlincs.com";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
git = {
|
||||
rule = "Host(`git.yanlincs.com`)";
|
||||
service = "git";
|
||||
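Review bot: The new `deluge` router publishes the Deluge web UI on the public hostname `deluge.yanlincs.com` with TLS only; the router it replaces (the deleted `proxy.nix` hunk above) sat under `*.home.yanlincs.com` on the LAN-side host, so this change widens exposure from the home network to the internet. Unless public access is intended, attach a restricting middleware to the router, e.g. `middlewares = [ "vpn-only" ];` backed by an IP allow-list middleware limited to `10.2.2.0/24`, or reuse whatever auth middleware the other public routers already carry if one exists outside this hunk. The enclosing `routers` block continues outside the hunk.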
|
|
@ -57,7 +68,7 @@
|
|||
loadBalancer = {
|
||||
serversTransport = "longTimeout";
|
||||
servers = [{
|
||||
url = "http://10.1.1.152:8080";
|
||||
url = "http://10.2.2.10:8080";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
|
@ -65,7 +76,15 @@
|
|||
music = {
|
||||
loadBalancer = {
|
||||
servers = [{
|
||||
url = "http://10.1.1.152:4533";
|
||||
url = "http://10.2.2.10:4533";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
deluge = {
|
||||
loadBalancer = {
|
||||
servers = [{
|
||||
url = "http://10.2.2.10:8112";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
./containers.nix
|
||||
./proxy.nix
|
||||
../system-default.nix
|
||||
../../../modules/vpn/tailscale.nix
|
||||
../../../modules/vpn/server.nix
|
||||
../../../modules/podman.nix
|
||||
../../../modules/traefik.nix
|
||||
../../../modules/borg/client.nix
|
||||
|
|
@ -44,7 +44,6 @@
|
|||
firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 22 80 443 27017 ];
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
};
|
||||
};
|
||||
|
||||
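Review bot: With `tailscale0` dropped from `trustedInterfaces`, the VPS firewall still opens `27017` to every source on the public interface, and nothing in the new WireGuard modules narrows it. 27017 is conventionally a database port; if that service only needs to be reached by the peers, move it out of the global list into `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 27017 ];` so it is reachable over the tunnel only. The enclosing `networking` block continues outside the hunk.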
|
|
@ -71,7 +70,20 @@
|
|||
];
|
||||
};
|
||||
|
||||
services.tailscale-custom.exitNode = true;
|
||||
services.wireguard-server = {
|
||||
enable = true;
|
||||
address = "10.2.2.1/24";
|
||||
peers = [
|
||||
{
|
||||
publicKey = "MCuSF/aFZy7Jq3nI6VpU7jbfZOuEGuMjgpxRWazxtmY=";
|
||||
allowedIPs = [ "10.2.2.10/32" ];
|
||||
}
|
||||
{
|
||||
publicKey = "xqsOWaCaEK1ehC+66deEQxAN92AYPyL9IrIeM4ujIRM=";
|
||||
allowedIPs = [ "10.2.2.20/32" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
services.git-server-custom = {
|
||||
enable = true;
|
||||
|
|
|
|||
|
|
@ -49,6 +49,7 @@ in
|
|||
};
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
actions.ENABLED = true;
|
||||
repository.DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -2,6 +2,8 @@
|
|||
|
||||
{
|
||||
config = {
|
||||
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
|
||||
|
||||
virtualisation = {
|
||||
podman = {
|
||||
enable = true;
|
||||
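Review bot: `boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;` is placed in the podman module, so every host that imports `podman.nix` (nfss, thinkpad and vps per the import hunks above) now forwards IPv4 between all of its interfaces, while the only consumer visible in this commit is the WireGuard hub relaying traffic between peers. If it is for the hub, setting it in `modules/vpn/server.nix` under `config = mkIf cfg.enable { ... }` ties the capability to the role that needs it; if podman itself needs it, a comment such as `# required for container networking — see <reason>` would make that explicit. The removed wireguard-custom module also set `net.ipv6.conf.all.forwarding`, which has no counterpart here; that is fine if the tunnel carries IPv4 only, but worth stating.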
|
|
|
|||
|
|
@ -37,12 +37,13 @@ in
|
|||
};
|
||||
|
||||
"thinkpad" = {
|
||||
hostname = "100.116.49.65";
|
||||
hostname = "10.2.2.20";
|
||||
user = "yanlin";
|
||||
identityFile = "${keyDir}/thinkpad";
|
||||
setEnv = {
|
||||
TERM = "xterm-256color";
|
||||
};
|
||||
proxyJump = "vps";
|
||||
};
|
||||
|
||||
"vps" = {
|
||||
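Review bot: Both rewritten match blocks point at new addresses (`10.2.2.20` here, `10.2.2.10` in the next hunk) and route through `proxyJump = "vps"`, so the first connection to each becomes a trust-on-first-use prompt that the existing known_hosts entries for the old Tailscale addresses cannot vouch for. Pinning the hosts' public keys in a managed known_hosts file before the cutover avoids accepting an unverified key during the switch. The `"vps"` block starts at the end of this hunk and continues outside it.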
|
|
@ -70,13 +71,14 @@ in
|
|||
identityFile = "${keyDir}/hetzner";
|
||||
};
|
||||
|
||||
"rpi" = {
|
||||
hostname = "100.117.162.102";
|
||||
"nfss" = {
|
||||
hostname = "10.2.2.10";
|
||||
user = "yanlin";
|
||||
identityFile = "${keyDir}/rpi";
|
||||
identityFile = "${keyDir}/nas";
|
||||
proxyJump = "vps";
|
||||
};
|
||||
|
||||
"nfss" = {
|
||||
"nfss.lan" = {
|
||||
hostname = "10.1.1.152";
|
||||
user = "yanlin";
|
||||
identityFile = "${keyDir}/nas";
|
||||
|
|
|
|||
71
modules/vpn/client.nix
Normal file
71
modules/vpn/client.nix
Normal file
|
|
@ -0,0 +1,71 @@
|
|||
# NOTE: After deploy, get public key with: `sudo sh -c 'wg pubkey < /etc/wireguard/private.key'`
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.wireguard-client;
|
||||
in
|
||||
|
||||
{
|
||||
options.services.wireguard-client = {
|
||||
enable = mkEnableOption "WireGuard VPN client";
|
||||
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
example = "10.2.2.2/24";
|
||||
};
|
||||
|
||||
serverPublicKey = mkOption { type = types.str; };
|
||||
|
||||
serverEndpoint = mkOption {
|
||||
type = types.str;
|
||||
example = "vpn.example.com:51820";
|
||||
};
|
||||
|
||||
allowedIPs = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "10.2.2.0/24" ];
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.wireguard-tools ];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /etc/wireguard 0700 root root - -"
|
||||
"f /etc/wireguard/private.key 0600 root root - -"
|
||||
];
|
||||
|
||||
systemd.services.wireguard-keygen = {
|
||||
description = "Generate WireGuard private key";
|
||||
before = [ "wg-quick-wg0.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = ''
|
||||
if [ ! -s /etc/wireguard/private.key ]; then
|
||||
${pkgs.wireguard-tools}/bin/wg genkey > /etc/wireguard/private.key
|
||||
chmod 600 /etc/wireguard/private.key
|
||||
echo "Public key: $(${pkgs.wireguard-tools}/bin/wg pubkey < /etc/wireguard/private.key)"
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
networking.wg-quick.interfaces.wg0 = {
|
||||
privateKeyFile = "/etc/wireguard/private.key";
|
||||
address = [ cfg.address ];
|
||||
peers = [{
|
||||
publicKey = cfg.serverPublicKey;
|
||||
allowedIPs = cfg.allowedIPs;
|
||||
endpoint = cfg.serverEndpoint;
|
||||
persistentKeepalive = 25;
|
||||
}];
|
||||
};
|
||||
|
||||
networking.firewall.trustedInterfaces = [ "wg0" ];
|
||||
};
|
||||
}
|
||||
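Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` exempts the whole tunnel from the host firewall, so with the hub forwarding between peers (the sysctl added in `podman.nix`) every other client reaches every listening service on this host; `modules/vpn/server.nix` below does the same for the hub. Exposing only what is needed via `networking.firewall.interfaces.wg0.allowedTCPPorts`, made an option of this module with `default = [];`, keeps the default-deny posture clients otherwise have. The keygen unit is ordered `before` wg-quick but only pulled in by `multi-user.target`; `requiredBy = [ "wg-quick-wg0.service" ];` makes the dependency explicit so the interface never starts against an empty key file. The tmpfiles rules and the `wireguard-keygen` service are byte-for-byte identical in the two new modules and belong in one shared file that both import.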
70
modules/vpn/server.nix
Normal file
70
modules/vpn/server.nix
Normal file
|
|
@ -0,0 +1,70 @@
|
|||
# NOTE: After deploy, get public key with: `sudo sh -c 'wg pubkey < /etc/wireguard/private.key'`
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.wireguard-server;
|
||||
in
|
||||
|
||||
{
|
||||
options.services.wireguard-server = {
|
||||
enable = mkEnableOption "WireGuard VPN server";
|
||||
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
example = "10.2.2.1/24";
|
||||
};
|
||||
|
||||
peers = mkOption {
|
||||
type = types.listOf (types.submodule {
|
||||
options = {
|
||||
publicKey = mkOption { type = types.str; };
|
||||
allowedIPs = mkOption { type = types.listOf types.str; };
|
||||
};
|
||||
});
|
||||
default = [];
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.wireguard-tools ];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /etc/wireguard 0700 root root - -"
|
||||
"f /etc/wireguard/private.key 0600 root root - -"
|
||||
];
|
||||
|
||||
systemd.services.wireguard-keygen = {
|
||||
description = "Generate WireGuard private key";
|
||||
before = [ "wg-quick-wg0.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = ''
|
||||
if [ ! -s /etc/wireguard/private.key ]; then
|
||||
${pkgs.wireguard-tools}/bin/wg genkey > /etc/wireguard/private.key
|
||||
chmod 600 /etc/wireguard/private.key
|
||||
echo "Public key: $(${pkgs.wireguard-tools}/bin/wg pubkey < /etc/wireguard/private.key)"
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
networking.wg-quick.interfaces.wg0 = {
|
||||
privateKeyFile = "/etc/wireguard/private.key";
|
||||
address = [ cfg.address ];
|
||||
listenPort = 51820;
|
||||
peers = map (peer: {
|
||||
inherit (peer) publicKey allowedIPs;
|
||||
}) cfg.peers;
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedUDPPorts = [ 51820 ];
|
||||
trustedInterfaces = [ "wg0" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
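Review bot: `listenPort = 51820;` and `allowedUDPPorts = [ 51820 ];` are two copies of the same constant; the deleted wireguard-custom module exposed it as a `listenPort` option and reused it in both places, and restoring that with `listenPort = mkOption { type = types.port; default = 51820; };` keeps them in sync. The hub relies on IPv4 forwarding to relay traffic between peers but this module does not set it; it currently comes from the sysctl added to `modules/podman.nix`, an implicit dependency worth either owning here or documenting with a comment on `config = mkIf cfg.enable {`. The `peers` submodule also drops the `description` fields the old module had on `publicKey` and `allowedIPs`; one-liners like `description = "Peer's public key";` cost nothing and show up in option docs.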
|
|
@ -1,53 +0,0 @@
|
|||
# NOTE: Auth key file at: `/etc/tailscale/authkey` with mode 600
|
||||
# content: `tailscale-api-key`
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.tailscale-custom;
|
||||
isRouter = cfg.exitNode || cfg.subnetRoutes != [];
|
||||
in
|
||||
|
||||
{
|
||||
options.services.tailscale-custom = {
|
||||
exitNode = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Advertise this node as an exit node";
|
||||
};
|
||||
|
||||
subnetRoutes = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = [ "10.1.1.0/24" "192.168.1.0/24" ];
|
||||
description = "Subnets to advertise to the Tailscale network";
|
||||
};
|
||||
|
||||
acceptRoutes = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Accept subnet routes advertised by other nodes";
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = "/etc/tailscale/authkey";
|
||||
useRoutingFeatures = if isRouter then "server" else "client";
|
||||
extraUpFlags =
|
||||
optional cfg.exitNode "--advertise-exit-node"
|
||||
++ optional (cfg.subnetRoutes != []) "--advertise-routes=${concatStringsSep "," cfg.subnetRoutes}"
|
||||
++ optional cfg.acceptRoutes "--accept-routes";
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = mkIf isRouter {
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
"net.ipv6.conf.all.forwarding" = 1;
|
||||
};
|
||||
|
||||
networking.firewall.trustedInterfaces = [ "tailscale0" ];
|
||||
};
|
||||
}
|
||||
|
|
@ -1,203 +0,0 @@
|
|||
# NOTE: Private key file at: `/etc/wireguard/private.key` with mode 600
|
||||
# Generate with: `wg genkey > /etc/wireguard/private.key`
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.wireguard-custom;
|
||||
in
|
||||
|
||||
{
|
||||
options.services.wireguard-custom = {
|
||||
enable = mkEnableOption "WireGuard VPN";
|
||||
|
||||
mode = mkOption {
|
||||
type = types.enum [ "server" "client" ];
|
||||
description = "Whether to run as server (hub) or client (spoke)";
|
||||
};
|
||||
|
||||
interface = mkOption {
|
||||
type = types.str;
|
||||
default = "wg0";
|
||||
description = "WireGuard interface name";
|
||||
};
|
||||
|
||||
listenPort = mkOption {
|
||||
type = types.port;
|
||||
default = 51820;
|
||||
description = "UDP port to listen on (server mode only)";
|
||||
};
|
||||
|
||||
privateKeyFile = mkOption {
|
||||
type = types.str;
|
||||
default = "/etc/wireguard/private.key";
|
||||
description = "Path to private key file";
|
||||
};
|
||||
|
||||
serverConfig = mkOption {
|
||||
type = types.submodule {
|
||||
options = {
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
example = "10.2.2.1/24";
|
||||
description = "Server IP address with CIDR";
|
||||
};
|
||||
|
||||
peers = mkOption {
|
||||
type = types.listOf (types.submodule {
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
description = "Peer name for identification";
|
||||
};
|
||||
|
||||
publicKey = mkOption {
|
||||
type = types.str;
|
||||
description = "Peer's public key";
|
||||
};
|
||||
|
||||
allowedIPs = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = "IP addresses this peer is allowed to use";
|
||||
};
|
||||
};
|
||||
});
|
||||
default = [];
|
||||
description = "List of client peers";
|
||||
};
|
||||
};
|
||||
};
|
||||
description = "Server-specific configuration";
|
||||
};
|
||||
|
||||
clientConfig = mkOption {
|
||||
type = types.submodule {
|
||||
options = {
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
example = "10.2.2.20/24";
|
||||
description = "Client IP address with CIDR";
|
||||
};
|
||||
|
||||
serverPublicKey = mkOption {
|
||||
type = types.str;
|
||||
description = "Server's public key";
|
||||
};
|
||||
|
||||
serverEndpoint = mkOption {
|
||||
type = types.str;
|
||||
example = "vpn.example.com:51820";
|
||||
description = "Server endpoint (host:port)";
|
||||
};
|
||||
|
||||
allowedIPs = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "10.2.2.0/24" ];
|
||||
description = "IP ranges to route through the tunnel";
|
||||
};
|
||||
};
|
||||
};
|
||||
description = "Client-specific configuration";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# Install WireGuard tools
|
||||
environment.systemPackages = with pkgs; [ wireguard-tools ];
|
||||
|
||||
# Create private key file if it doesn't exist
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /etc/wireguard 0700 root root - -"
|
||||
"f ${cfg.privateKeyFile} 0600 root root - -"
|
||||
];
|
||||
|
||||
# Generate private key on first run
|
||||
systemd.services.wireguard-keygen = {
|
||||
description = "Generate WireGuard private key";
|
||||
before = [ "wg-quick-${cfg.interface}.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = ''
|
||||
if [ ! -s ${cfg.privateKeyFile} ]; then
|
||||
echo "Generating WireGuard private key..."
|
||||
${pkgs.wireguard-tools}/bin/wg genkey > ${cfg.privateKeyFile}
|
||||
chmod 600 ${cfg.privateKeyFile}
|
||||
echo "Private key generated. Public key:"
|
||||
${pkgs.wireguard-tools}/bin/wg pubkey < ${cfg.privateKeyFile}
|
||||
echo "Please add this public key to your peer configurations."
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
# WireGuard interface configuration (combined server and client)
|
||||
networking.wg-quick.interfaces = {
|
||||
${cfg.interface} = mkMerge [
|
||||
# Common configuration
|
||||
{
|
||||
privateKeyFile = cfg.privateKeyFile;
|
||||
}
|
||||
|
||||
# Server-specific configuration
|
||||
(mkIf (cfg.mode == "server") {
|
||||
address = [ cfg.serverConfig.address ];
|
||||
listenPort = cfg.listenPort;
|
||||
|
||||
# Enable IP forwarding and NAT for server
|
||||
preUp = ''
|
||||
${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.interface} -j ACCEPT
|
||||
${pkgs.iptables}/bin/iptables -A FORWARD -o ${cfg.interface} -j ACCEPT
|
||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
|
||||
'';
|
||||
|
||||
postDown = ''
|
||||
${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.interface} -j ACCEPT
|
||||
${pkgs.iptables}/bin/iptables -D FORWARD -o ${cfg.interface} -j ACCEPT
|
||||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
|
||||
'';
|
||||
|
||||
peers = map (peer: {
|
||||
publicKey = peer.publicKey;
|
||||
allowedIPs = peer.allowedIPs;
|
||||
}) cfg.serverConfig.peers;
|
||||
})
|
||||
|
||||
# Client-specific configuration
|
||||
(mkIf (cfg.mode == "client") {
|
||||
address = [ cfg.clientConfig.address ];
|
||||
|
||||
peers = [{
|
||||
publicKey = cfg.clientConfig.serverPublicKey;
|
||||
allowedIPs = cfg.clientConfig.allowedIPs;
|
||||
endpoint = cfg.clientConfig.serverEndpoint;
|
||||
persistentKeepalive = 25;
|
||||
}];
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
# Firewall configuration
|
||||
networking.firewall = mkMerge [
|
||||
# Server firewall rules
|
||||
(mkIf (cfg.mode == "server") {
|
||||
allowedUDPPorts = [ cfg.listenPort ];
|
||||
trustedInterfaces = [ cfg.interface ];
|
||||
})
|
||||
|
||||
# Client firewall rules
|
||||
(mkIf (cfg.mode == "client") {
|
||||
trustedInterfaces = [ cfg.interface ];
|
||||
})
|
||||
];
|
||||
|
||||
# Enable IP forwarding for server
|
||||
boot.kernel.sysctl = mkIf (cfg.mode == "server") {
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
"net.ipv6.conf.all.forwarding" = 1;
|
||||
};
|
||||
};
|
||||
}
|
||||