yanlin/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

deploy wireguard

Browse source
This commit is contained in:
Yan Lin 2026-02-19 10:01:36 +01:00
parent a47d096503
commit 30386c3afe
14 changed files with 201 additions and 352 deletions
Download patch file Download diff file Expand all files Collapse all files

9
hosts/darwin/home-default.nix
View file

@ -97,15 +97,6 @@
};
};
launchd.agents.tailscale = {
enable = true;
config = {
ProgramArguments = [ "/Applications/Tailscale.app/Contents/MacOS/Tailscale" ];
RunAtLoad = true;
KeepAlive = false;
};
};
home.activation.setFileAssociations = config.lib.dag.entryAfter ["writeBoundary"] ''
run ${pkgs.duti}/bin/duti -s com.apple.TextEdit .txt all
run ${pkgs.duti}/bin/duti -s com.apple.TextEdit .md all

1
hosts/darwin/system-default.nix
View file

@ -160,7 +160,6 @@
"clash-verge-rev"
"firefox"
"keepassxc"
"tailscale-app"
"calibre"
"iina"
"musicbrainz-picard"

67
hosts/nixos/nfss/proxy.nix
View file

@ -1,67 +0,0 @@
{ config, ... }:
{
# Traefik dynamic configuration for vps host
services.traefik.dynamic.files."proxy".settings = {
http = {
serversTransports = {
longTimeout = {
forwardingTimeouts = {
dialTimeout = "30s";
responseHeaderTimeout = "1200s";
idleConnTimeout = "1200s";
};
};
};
routers = {
deluge = {
rule = "Host(`deluge.home.yanlincs.com`)";
service = "deluge";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.home.yanlincs.com";
}];
};
};
photo = {
rule = "Host(`photo.home.yanlincs.com`)";
service = "photo";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.home.yanlincs.com";
}];
};
};
};
services = {
deluge = {
loadBalancer = {
servers = [{
url = "http://127.0.0.1:8112";
}];
};
};
photo = {
loadBalancer = {
serversTransport = "longTimeout";
servers = [{
url = "http://127.0.0.1:8080";
}];
};
};
};
};
};
}

12
hosts/nixos/nfss/system.nix
View file

@ -4,11 +4,9 @@
imports = [
./hardware-configuration.nix
./containers.nix
./proxy.nix
../system-default.nix
../../../modules/vpn/tailscale.nix
../../../modules/vpn/client.nix
../../../modules/podman.nix
../../../modules/traefik.nix
../../../modules/borg/client.nix
../../../modules/media/server.nix
../../../modules/file-server/samba.nix
@ -132,9 +130,11 @@
};
};
services.tailscale-custom = {
exitNode = true;
subnetRoutes = [ "10.1.1.0/24" ];
services.wireguard-client = {
enable = true;
address = "10.2.2.10/24";
serverPublicKey = "46QHjSzAas5g9Hll1SCEu9tbR5owCxXAy6wGOUoPwUM=";
serverEndpoint = "91.98.84.215:51820";
};
# Media server services

11
hosts/nixos/thinkpad/system.nix
View file

@ -5,8 +5,8 @@
./hardware-configuration.nix
./containers.nix
../system-default.nix
../../../modules/vpn/client.nix
../../../modules/podman.nix
../../../modules/vpn/tailscale.nix
../../../modules/borg/client.nix
];
@ -150,7 +150,7 @@
# Host-specific user configuration
users.users.yanlin = {
extraGroups = [ "networkmanager" "wheel" "video" "audio" "input" ];
hashedPassword = "$6$kSyaRzAtj8VPcNeX$NsEP6zQAfp6O8YWcolfPRKnhIcJlKu5luZgWqozJAHtbE/gv90KoOOKU7Dt.FnbPB0Ej26jXoBH4X.7y/OLGB1";
hashedPassword = "$6$4tNeZ9/B3SSapStU$vX1pco.IuMMu/AcLeGvZoOGxSNNlorVdnRGSVFIWou5ybcpwxrJHAFqvKpJiObejHe2sy7CnJ8fiMACaTwDN5/";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICp2goZiuSfwMA02GsHhYzUZHrQPPBgP5sWSNP9kQR3e yanlin@imac"
];
@ -188,7 +188,12 @@
services.acpid.enable = true;
services.tailscale-custom.exitNode = true;
services.wireguard-client = {
enable = true;
address = "10.2.2.20/24";
serverPublicKey = "46QHjSzAas5g9Hll1SCEu9tbR5owCxXAy6wGOUoPwUM=";
serverEndpoint = "91.98.84.215:51820";
};
services.borg-client-custom = {
enable = true;

23
hosts/nixos/vps/proxy.nix
View file

@ -38,6 +38,17 @@
};
};
deluge = {
rule = "Host(`deluge.yanlincs.com`)";
service = "deluge";
tls = {
certResolver = "cloudflare";
domains = [{
main = "*.yanlincs.com";
}];
};
};
git = {
rule = "Host(`git.yanlincs.com`)";
service = "git";
@ -57,7 +68,7 @@
loadBalancer = {
serversTransport = "longTimeout";
servers = [{
url = "http://10.1.1.152:8080";
url = "http://10.2.2.10:8080";
}];
};
};
@ -65,7 +76,15 @@
music = {
loadBalancer = {
servers = [{
url = "http://10.1.1.152:4533";
url = "http://10.2.2.10:4533";
}];
};
};
deluge = {
loadBalancer = {
servers = [{
url = "http://10.2.2.10:8112";
}];
};
};

18
hosts/nixos/vps/system.nix
View file

@ -6,7 +6,7 @@
./containers.nix
./proxy.nix
../system-default.nix
../../../modules/vpn/tailscale.nix
../../../modules/vpn/server.nix
../../../modules/podman.nix
../../../modules/traefik.nix
../../../modules/borg/client.nix
@ -44,7 +44,6 @@
firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 27017 ];
trustedInterfaces = [ "tailscale0" ];
};
};
@ -71,7 +70,20 @@
];
};
services.tailscale-custom.exitNode = true;
services.wireguard-server = {
enable = true;
address = "10.2.2.1/24";
peers = [
{
publicKey = "MCuSF/aFZy7Jq3nI6VpU7jbfZOuEGuMjgpxRWazxtmY=";
allowedIPs = [ "10.2.2.10/32" ];
}
{
publicKey = "xqsOWaCaEK1ehC+66deEQxAN92AYPyL9IrIeM4ujIRM=";
allowedIPs = [ "10.2.2.20/32" ];
}
];
};
services.git-server-custom = {
enable = true;

1
modules/git/server.nix
View file

@ -49,6 +49,7 @@ in
};
service.DISABLE_REGISTRATION = true;
actions.ENABLED = true;
repository.DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
};

2
modules/podman.nix
View file

@ -2,6 +2,8 @@
{
config = {
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
virtualisation = {
podman = {
enable = true;

12
modules/ssh.nix
View file

@ -37,12 +37,13 @@ in
};
"thinkpad" = {
hostname = "100.116.49.65";
hostname = "10.2.2.20";
user = "yanlin";
identityFile = "${keyDir}/thinkpad";
setEnv = {
TERM = "xterm-256color";
};
proxyJump = "vps";
};
"vps" = {
@ -70,13 +71,14 @@ in
identityFile = "${keyDir}/hetzner";
};
"rpi" = {
hostname = "100.117.162.102";
"nfss" = {
hostname = "10.2.2.10";
user = "yanlin";
identityFile = "${keyDir}/rpi";
identityFile = "${keyDir}/nas";
proxyJump = "vps";
};
"nfss" = {
"nfss.lan" = {
hostname = "10.1.1.152";
user = "yanlin";
identityFile = "${keyDir}/nas";

71
modules/vpn/client.nix Normal file
View file

@ -0,0 +1,71 @@
# NOTE: After deploy, get public key with: `sudo sh -c 'wg pubkey < /etc/wireguard/private.key'`
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.wireguard-client;
in
{
options.services.wireguard-client = {
enable = mkEnableOption "WireGuard VPN client";
address = mkOption {
type = types.str;
example = "10.2.2.2/24";
};
serverPublicKey = mkOption { type = types.str; };
serverEndpoint = mkOption {
type = types.str;
example = "vpn.example.com:51820";
};
allowedIPs = mkOption {
type = types.listOf types.str;
default = [ "10.2.2.0/24" ];
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.wireguard-tools ];
systemd.tmpfiles.rules = [
"d /etc/wireguard 0700 root root - -"
"f /etc/wireguard/private.key 0600 root root - -"
];
systemd.services.wireguard-keygen = {
description = "Generate WireGuard private key";
before = [ "wg-quick-wg0.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
if [ ! -s /etc/wireguard/private.key ]; then
${pkgs.wireguard-tools}/bin/wg genkey > /etc/wireguard/private.key
chmod 600 /etc/wireguard/private.key
echo "Public key: $(${pkgs.wireguard-tools}/bin/wg pubkey < /etc/wireguard/private.key)"
fi
'';
};
networking.wg-quick.interfaces.wg0 = {
privateKeyFile = "/etc/wireguard/private.key";
address = [ cfg.address ];
peers = [{
publicKey = cfg.serverPublicKey;
allowedIPs = cfg.allowedIPs;
endpoint = cfg.serverEndpoint;
persistentKeepalive = 25;
}];
};
networking.firewall.trustedInterfaces = [ "wg0" ];
};
}

70
modules/vpn/server.nix Normal file
View file

@ -0,0 +1,70 @@
# NOTE: After deploy, get public key with: `sudo sh -c 'wg pubkey < /etc/wireguard/private.key'`
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.wireguard-server;
in
{
options.services.wireguard-server = {
enable = mkEnableOption "WireGuard VPN server";
address = mkOption {
type = types.str;
example = "10.2.2.1/24";
};
peers = mkOption {
type = types.listOf (types.submodule {
options = {
publicKey = mkOption { type = types.str; };
allowedIPs = mkOption { type = types.listOf types.str; };
};
});
default = [];
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.wireguard-tools ];
systemd.tmpfiles.rules = [
"d /etc/wireguard 0700 root root - -"
"f /etc/wireguard/private.key 0600 root root - -"
];
systemd.services.wireguard-keygen = {
description = "Generate WireGuard private key";
before = [ "wg-quick-wg0.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
if [ ! -s /etc/wireguard/private.key ]; then
${pkgs.wireguard-tools}/bin/wg genkey > /etc/wireguard/private.key
chmod 600 /etc/wireguard/private.key
echo "Public key: $(${pkgs.wireguard-tools}/bin/wg pubkey < /etc/wireguard/private.key)"
fi
'';
};
networking.wg-quick.interfaces.wg0 = {
privateKeyFile = "/etc/wireguard/private.key";
address = [ cfg.address ];
listenPort = 51820;
peers = map (peer: {
inherit (peer) publicKey allowedIPs;
}) cfg.peers;
};
networking.firewall = {
allowedUDPPorts = [ 51820 ];
trustedInterfaces = [ "wg0" ];
};
};
}

53
modules/vpn/tailscale.nix
View file

@ -1,53 +0,0 @@
# NOTE: Auth key file at: `/etc/tailscale/authkey` with mode 600
# content: `tailscale-api-key`
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.tailscale-custom;
isRouter = cfg.exitNode || cfg.subnetRoutes != [];
in
{
options.services.tailscale-custom = {
exitNode = mkOption {
type = types.bool;
default = false;
description = "Advertise this node as an exit node";
};
subnetRoutes = mkOption {
type = types.listOf types.str;
default = [];
example = [ "10.1.1.0/24" "192.168.1.0/24" ];
description = "Subnets to advertise to the Tailscale network";
};
acceptRoutes = mkOption {
type = types.bool;
default = true;
description = "Accept subnet routes advertised by other nodes";
};
};
config = {
services.tailscale = {
enable = true;
authKeyFile = "/etc/tailscale/authkey";
useRoutingFeatures = if isRouter then "server" else "client";
extraUpFlags =
optional cfg.exitNode "--advertise-exit-node"
++ optional (cfg.subnetRoutes != []) "--advertise-routes=${concatStringsSep "," cfg.subnetRoutes}"
++ optional cfg.acceptRoutes "--accept-routes";
};
boot.kernel.sysctl = mkIf isRouter {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
networking.firewall.trustedInterfaces = [ "tailscale0" ];
};
}

203
modules/vpn/wireguard.nix
View file

@ -1,203 +0,0 @@
# NOTE: Private key file at: `/etc/wireguard/private.key` with mode 600
# Generate with: `wg genkey > /etc/wireguard/private.key`
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.wireguard-custom;
in
{
options.services.wireguard-custom = {
enable = mkEnableOption "WireGuard VPN";
mode = mkOption {
type = types.enum [ "server" "client" ];
description = "Whether to run as server (hub) or client (spoke)";
};
interface = mkOption {
type = types.str;
default = "wg0";
description = "WireGuard interface name";
};
listenPort = mkOption {
type = types.port;
default = 51820;
description = "UDP port to listen on (server mode only)";
};
privateKeyFile = mkOption {
type = types.str;
default = "/etc/wireguard/private.key";
description = "Path to private key file";
};
serverConfig = mkOption {
type = types.submodule {
options = {
address = mkOption {
type = types.str;
example = "10.2.2.1/24";
description = "Server IP address with CIDR";
};
peers = mkOption {
type = types.listOf (types.submodule {
options = {
name = mkOption {
type = types.str;
description = "Peer name for identification";
};
publicKey = mkOption {
type = types.str;
description = "Peer's public key";
};
allowedIPs = mkOption {
type = types.listOf types.str;
description = "IP addresses this peer is allowed to use";
};
};
});
default = [];
description = "List of client peers";
};
};
};
description = "Server-specific configuration";
};
clientConfig = mkOption {
type = types.submodule {
options = {
address = mkOption {
type = types.str;
example = "10.2.2.20/24";
description = "Client IP address with CIDR";
};
serverPublicKey = mkOption {
type = types.str;
description = "Server's public key";
};
serverEndpoint = mkOption {
type = types.str;
example = "vpn.example.com:51820";
description = "Server endpoint (host:port)";
};
allowedIPs = mkOption {
type = types.listOf types.str;
default = [ "10.2.2.0/24" ];
description = "IP ranges to route through the tunnel";
};
};
};
description = "Client-specific configuration";
};
};
config = mkIf cfg.enable {
# Install WireGuard tools
environment.systemPackages = with pkgs; [ wireguard-tools ];
# Create private key file if it doesn't exist
systemd.tmpfiles.rules = [
"d /etc/wireguard 0700 root root - -"
"f ${cfg.privateKeyFile} 0600 root root - -"
];
# Generate private key on first run
systemd.services.wireguard-keygen = {
description = "Generate WireGuard private key";
before = [ "wg-quick-${cfg.interface}.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
if [ ! -s ${cfg.privateKeyFile} ]; then
echo "Generating WireGuard private key..."
${pkgs.wireguard-tools}/bin/wg genkey > ${cfg.privateKeyFile}
chmod 600 ${cfg.privateKeyFile}
echo "Private key generated. Public key:"
${pkgs.wireguard-tools}/bin/wg pubkey < ${cfg.privateKeyFile}
echo "Please add this public key to your peer configurations."
fi
'';
};
# WireGuard interface configuration (combined server and client)
networking.wg-quick.interfaces = {
${cfg.interface} = mkMerge [
# Common configuration
{
privateKeyFile = cfg.privateKeyFile;
}
# Server-specific configuration
(mkIf (cfg.mode == "server") {
address = [ cfg.serverConfig.address ];
listenPort = cfg.listenPort;
# Enable IP forwarding and NAT for server
preUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.interface} -j ACCEPT
${pkgs.iptables}/bin/iptables -A FORWARD -o ${cfg.interface} -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
'';
postDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.interface} -j ACCEPT
${pkgs.iptables}/bin/iptables -D FORWARD -o ${cfg.interface} -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
'';
peers = map (peer: {
publicKey = peer.publicKey;
allowedIPs = peer.allowedIPs;
}) cfg.serverConfig.peers;
})
# Client-specific configuration
(mkIf (cfg.mode == "client") {
address = [ cfg.clientConfig.address ];
peers = [{
publicKey = cfg.clientConfig.serverPublicKey;
allowedIPs = cfg.clientConfig.allowedIPs;
endpoint = cfg.clientConfig.serverEndpoint;
persistentKeepalive = 25;
}];
})
];
};
# Firewall configuration
networking.firewall = mkMerge [
# Server firewall rules
(mkIf (cfg.mode == "server") {
allowedUDPPorts = [ cfg.listenPort ];
trustedInterfaces = [ cfg.interface ];
})
# Client firewall rules
(mkIf (cfg.mode == "client") {
trustedInterfaces = [ cfg.interface ];
})
];
# Enable IP forwarding for server
boot.kernel.sysctl = mkIf (cfg.mode == "server") {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
};
}