Started with work on own wireguard server

2025-05-08 13:01:33 +02:00 · 2025-05-08 13:01:33 +02:00 · aa3c25284d
commit aa3c25284d
parent d3776c0551
7 changed files with 79 additions and 25 deletions
--- a/secrets/caddy_config
+++ b/secrets/caddy_config
@ -1,25 +0,0 @@
-{
-	email jurnwubben@gmail.com
-
-}
-
-files.jsw.tf {
-	log {
-		output file /var/log/caddy/access-files.jsw.tf.log
-	}
-
-	handle_path /seafhttp/* {
-		reverse_proxy * unix//run/seafile/server.sock
-	}
-	handle_path /* {
-		reverse_proxy * unix//run/seahub/gunicorn.sock
-	}
-}
-
-share.jsw.tf www.share.jsw.tf {
-	log {
-		output file /var/log/caddy/access-share.jsw.tf.log
-	}
-
-	reverse_proxy :9000
-}
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -12,5 +12,8 @@
        else "root";
    };
    password.file = ./password.age;
+
+    wg-lapserv-private.file = ./wg-lapserv-private.age;
+    wg-laptop-private.file = ./wg-laptop-private.age;
  };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -10,4 +10,7 @@ in {
  "transfer-sh.age".publicKeys = systems;
  "password.age".publicKeys = systems;
  "dcbot.age".publicKeys = systems;
+
+  "wg-lapserv-private.age".publicKeys = systems;
+  "wg-laptop-private.age".publicKeys = systems;
 }
--- a/secrets/wg-lapserv-private.age
+++ b/secrets/wg-lapserv-private.age
--- a/secrets/wg-laptop-private.age
+++ b/secrets/wg-laptop-private.age
--- a/system/network/default.nix
+++ b/system/network/default.nix
@ -3,6 +3,7 @@
  imports = [
    ./avahi.nix
    ./tailscale.nix
+    ./wireguard.nix
  ];

  networking = {
--- a/system/network/wireguard.nix
+++ b/system/network/wireguard.nix
@ -0,0 +1,72 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf optionals;
+  inherit (config.networking) hostName;
+  iptables = lib.getExe' pkgs.iptables "iptables";
+
+  port = 53;
+  server = "lapserv";
+
+  serverCfg = {
+    externalInterface = "eth0";
+    privateKeyFile = config.age.secrets.wg-lapserv-private.path;
+    publicKey = "aM+OrvByr63RxKsU9hu0A1lKJr8fPHifHDhBekkHR0c=";
+    publicIp = "80.242.224.170";
+    ip = "10.100.0.1";
+  };
+  deviceConfig = {
+    laptop = {
+      publicKey = config.age.secrets.wg-laptop-private.path;
+      privateKeyFile = "1su1FfHuEYIvJLaZPwpN86kmH19d/NH/zuh9DjIOyQI=";
+      ip = "10.100.0.2";
+    };
+  };
+
+  isServer = server == config.networking.hostName;
+  currentConfig =
+    if isServer
+    then serverCfg
+    else deviceConfig.${hostName};
+in {
+  networking.nat = mkIf isServer {
+    enable = true;
+    inherit (serverCfg) externalInterface;
+    internalInterfaces = ["wg0"];
+  };
+  networking.firewall.allowedUDPPorts = [port];
+
+  networking.wireguard.interfaces.wg0 = {
+    inherit (currentConfig) privateKeyFile;
+
+    listenPort = port;
+    ips = ["${currentConfig.ip}/24"];
+
+    peers =
+      []
+      ++ (optionals isServer (builtins.concatMap (x: {
+          inherit (x) publicKey;
+          allowedIPs = ["${x.ip}/32"];
+        })
+        (builtins.attrValues
+          deviceConfig)))
+      ++ (optionals (!isServer) [
+        {
+          inherit (serverCfg) publicKey;
+          allowedIPs = ["0.0.0.0/0"];
+          endpoint = "${serverCfg.publicIp}:${builtins.toString port}";
+          persistentKeepalive = 25;
+        }
+      ]);
+
+    postSetup = mkIf isServer ''
+      ${iptables} -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverCfg.externalInterface} -j MASQUERADE
+    '';
+    postShutdown = mkIf isServer ''
+      ${iptables} -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${serverCfg.externalInterface} -j MASQUERADE
+    '';
+  };
+}