diff --git a/secrets/caddy_config b/secrets/caddy_config
deleted file mode 100644
index 4f782b9..0000000
--- a/secrets/caddy_config
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- email jurnwubben@gmail.com
-
-}
-
-files.jsw.tf {
- log {
- output file /var/log/caddy/access-files.jsw.tf.log
- }
-
- handle_path /seafhttp/* {
- reverse_proxy * unix//run/seafile/server.sock
- }
- handle_path /* {
- reverse_proxy * unix//run/seahub/gunicorn.sock
- }
-}
-
-share.jsw.tf www.share.jsw.tf {
- log {
- output file /var/log/caddy/access-share.jsw.tf.log
- }
-
- reverse_proxy :9000
-}
diff --git a/secrets/default.nix b/secrets/default.nix
index 517f7bc..4d2c03e 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -12,5 +12,8 @@
 else "root";
 };
 password.file = ./password.age;
+
+ wg-lapserv-private.file = ./wg-lapserv-private.age;
+ wg-laptop-private.file = ./wg-laptop-private.age;
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0a8489e..d6e3f64 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,7 @@ in {
 "transfer-sh.age".publicKeys = systems;
 "password.age".publicKeys = systems;
 "dcbot.age".publicKeys = systems;
+
+ "wg-lapserv-private.age".publicKeys = systems;
+ "wg-laptop-private.age".publicKeys = systems;
 }
diff --git a/secrets/wg-lapserv-private.age b/secrets/wg-lapserv-private.age
new file mode 100644
index 0000000..87e2b61
Binary files /dev/null and b/secrets/wg-lapserv-private.age differ
diff --git a/secrets/wg-laptop-private.age b/secrets/wg-laptop-private.age
new file mode 100644
index 0000000..a9bd3b0
Binary files /dev/null and b/secrets/wg-laptop-private.age differ
diff --git a/system/network/default.nix b/system/network/default.nix
index 93ceba7..073f9ef 100644
--- a/system/network/default.nix
+++ b/system/network/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ./avahi.nix
 ./tailscale.nix
+ ./wireguard.nix
 ];
 
 networking = {
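Review bot: `wg-lapserv-private.file` and `wg-laptop-private.file` are declared here unconditionally, and the `secrets/secrets.nix` hunk encrypts both `.age` files to `systems`, so every host in that list decrypts both WireGuard private keys at activation even though each key belongs to exactly one machine. A host needs only its own private key; consider declaring each `.file` only for the host that uses it and limiting each `.age` file's `publicKeys` to that host (re-encrypting the file accordingly), so that compromise of one machine does not expose the other's tunnel identity. The enclosing attribute set begins before this hunk.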
diff --git a/system/network/wireguard.nix b/system/network/wireguard.nix
new file mode 100644
index 0000000..7dcaa49
--- /dev/null
+++ b/system/network/wireguard.nix
@@ -0,0 +1,72 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkIf optionals;
+ inherit (config.networking) hostName;
+ iptables = lib.getExe' pkgs.iptables "iptables";
+
+ port = 53;
+ server = "lapserv";
+
+ serverCfg = {
+ externalInterface = "eth0";
+ privateKeyFile = config.age.secrets.wg-lapserv-private.path;
+ publicKey = "aM+OrvByr63RxKsU9hu0A1lKJr8fPHifHDhBekkHR0c=";
+ publicIp = "80.242.224.170";
+ ip = "10.100.0.1";
+ };
+ deviceConfig = {
+ laptop = {
+ publicKey = config.age.secrets.wg-laptop-private.path;
+ privateKeyFile = "1su1FfHuEYIvJLaZPwpN86kmH19d/NH/zuh9DjIOyQI=";
+ ip = "10.100.0.2";
+ };
+ };
+
+ isServer = server == config.networking.hostName;
+ currentConfig =
+ if isServer
+ then serverCfg
+ else deviceConfig.${hostName};
+in {
+ networking.nat = mkIf isServer {
+ enable = true;
+ inherit (serverCfg) externalInterface;
+ internalInterfaces = ["wg0"];
+ };
+ networking.firewall.allowedUDPPorts = [port];
+
+ networking.wireguard.interfaces.wg0 = {
+ inherit (currentConfig) privateKeyFile;
+
+ listenPort = port;
+ ips = ["${currentConfig.ip}/24"];
+
+ peers =
+ []
+ ++ (optionals isServer (builtins.concatMap (x: {
+ inherit (x) publicKey;
+ allowedIPs = ["${x.ip}/32"];
+ })
+ (builtins.attrValues
+ deviceConfig)))
+ ++ (optionals (!isServer) [
+ {
+ inherit (serverCfg) publicKey;
+ allowedIPs = ["0.0.0.0/0"];
+ endpoint = "${serverCfg.publicIp}:${builtins.toString port}";
+ persistentKeepalive = 25;
+ }
+ ]);
+
+ postSetup = mkIf isServer ''
+ ${iptables} -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverCfg.externalInterface} -j MASQUERADE
+ '';
+ postShutdown = mkIf isServer ''
+ ${iptables} -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${serverCfg.externalInterface} -j MASQUERADE
+ '';
+ };
+}
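Review bot: In `deviceConfig.laptop` the two key fields are swapped relative to `serverCfg`: `publicKey` is given the agenix path of the private key and `privateKeyFile` a literal key string, so on the server the laptop peer's `publicKey` would be a filesystem path and on the laptop WireGuard would try to read its private key from a path named after that string; it should read `publicKey = "1su1FfHuEYIvJLaZPwpN86kmH19d/NH/zuh9DjIOyQI=";` and `privateKeyFile = config.age.secrets.wg-laptop-private.path;`. If that literal is the laptop's private half rather than its public key, it is now in git history in plain text and the laptop keypair should be regenerated, with the private half kept only in `wg-laptop-private.age`. `builtins.concatMap` in `peers` requires its function to return a list, but the lambda returns an attribute set, so evaluation on `lapserv` fails; `map` is the call intended here. `networking.firewall.allowedUDPPorts = [port]` and `listenPort = port` also take effect on the laptop, which only initiates the tunnel, so both could be limited to the server with `mkIf isServer`, and since `./wireguard.nix` is imported unconditionally in `system/network/default.nix`, `deviceConfig.${hostName}` aborts evaluation for any host that is neither `lapserv` nor `laptop`. The `postSetup`/`postShutdown` MASQUERADE rules also look like a duplicate of what `networking.nat` with `internalInterfaces = ["wg0"]` already configures, though I have not verified that against the NAT module.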