Replace tailscale with wireguard

2025-09-10 18:57:24 +02:00 · 2025-09-10 18:57:24 +02:00 · d0084adcc9
commit d0084adcc9
parent 81f59a8148
8 changed files with 278 additions and 77 deletions
--- a/hosts/nixos/hs/system.nix
+++ b/hosts/nixos/hs/system.nix
@ -5,7 +5,7 @@
    ./containers.nix  # Host-specific container definitions
    ./proxy.nix       # Host-specific Traefik dynamic configuration
    ./disk-health.nix # Host-specific disk health monitoring
-    ../../../modules/tailscale.nix
+    ../../../modules/wireguard.nix
    ../../../modules/podman.nix
    ../../../modules/traefik.nix
    ../../../modules/samba.nix
@ -290,6 +290,20 @@
    '';
  };

+  # WireGuard VPN configuration (HS as client/spoke)
+  services.wireguard-custom = {
+    enable = true;
+    mode = "client";
+    clientConfig = {
+      address = "10.2.2.20/24";
+      # Public key will be generated when VPS is configured  
+      # Replace with actual public key from VPS after initial setup
+      serverPublicKey = "REPLACE_WITH_VPS_PUBLIC_KEY";
+      serverEndpoint = "YOUR_VPS_IP:51820";  # Replace with actual VPS public IP
+      allowedIPs = [ "10.2.2.0/24" ];
+    };
+  };
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
--- a/hosts/nixos/vps/proxy.nix
+++ b/hosts/nixos/vps/proxy.nix
@ -56,20 +56,20 @@
          };
        };

-        # Photo service backend
+        # Photo service backend (via WireGuard)
        photo = {
          loadBalancer = {
            servers = [{
-              url = "http://hs.yanlincs.com:5000";
+              url = "http://10.2.2.20:5000";
            }];
          };
        };

-        # Cloud service backend
+        # Cloud service backend (via WireGuard)
        cloud = {
          loadBalancer = {
            servers = [{
-              url = "http://hs.yanlincs.com:5001";
+              url = "http://10.2.2.20:5001";
            }];
          };
        };
--- a/hosts/nixos/vps/system.nix
+++ b/hosts/nixos/vps/system.nix
@ -4,7 +4,7 @@
    ./disk-config.nix
    ./containers.nix  # Host-specific container definitions
    ./proxy.nix       # Host-specific Traefik dynamic configuration
-    ../../../modules/tailscale.nix
+    ../../../modules/wireguard.nix
    ../../../modules/podman.nix
    ../../../modules/traefik.nix
    ../../../modules/borg.nix
@ -135,6 +135,24 @@
    '';
  };

+  # WireGuard VPN configuration (VPS as hub/server)
+  services.wireguard-custom = {
+    enable = true;
+    mode = "server";
+    serverConfig = {
+      address = "10.2.2.1/24";
+      peers = [
+        {
+          name = "hs";
+          # Public key will be generated when HS is configured
+          # Replace with actual public key from HS after initial setup
+          publicKey = "REPLACE_WITH_HS_PUBLIC_KEY";
+          allowedIPs = [ "10.2.2.20/32" ];
+        }
+      ];
+    };
+  };
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave