authorDylan <boss@tehbox.org>2025-09-16 22:10:50 +1200
committerDylan <boss@tehbox.org>2025-09-16 22:10:50 +1200
commit12f53416b8591fd9ee9569b40796f355c83f3ce7 (patch)
tree927880f8f47633b671534b2fc7a58c1749049433 /computers
parentd1395f9e6768551967f85128ccab19d12dec4c6f (diff)
downloadnixos-configuration-12f53416b8591fd9ee9569b40796f355c83f3ce7.tar.gz
nixos-configuration-12f53416b8591fd9ee9569b40796f355c83f3ce7.zip
feat: added wireguard to server and client
Diffstat (limited to 'computers')
-rw-r--r--computers/nixnode.nix (renamed from computers/server.nix)120
-rw-r--r--computers/nixy.nix75
2 files changed, 119 insertions, 76 deletions
diff --git a/computers/server.nix b/computers/nixnode.nix
index 4e66375..baeadcb 100644
--- a/computers/server.nix
+++ b/computers/nixnode.nix
@@ -7,7 +7,6 @@
{
imports =
[ # Include the results of the hardware scan.
- ../hardware-setups/linode.nix
../modules/nix.nix
inputs.STK.nixosModules.default
inputs.sops.nixosModules.sops
@@ -21,10 +20,10 @@
# Define on which hard drive you want to install Grub.
# boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
- # networking.hostName = "nixos"; # Define your hostname.
+ networking.hostName = "nixos"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
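Review bot: The hostname enabled at `+ networking.hostName = "nixos";` is the template default, while this file was renamed to nixnode.nix and the client profile in nixy.nix calls the peer "wg-nixnode"; setting `networking.hostName = "nixnode";` would keep the three names consistent. Enabling NetworkManager on the same host that declares `networking.wireguard.interfaces.wg0` (later in this diff) is worth a quick check on the running system: confirm NM reports wg0 as unmanaged/external rather than trying to take it over, and if it does, add it to `networking.networkmanager.unmanaged`. The enclosing attribute set continues outside the hunk.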
@@ -46,74 +45,60 @@
security.sudo.wheelNeedsPassword = false;
- sops.defaultSopsFile = ../secrets/test.yaml;
+ sops.defaultSopsFile = ../secrets/general.yaml;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/home/boss/.config/sops/age/keys.txt";
sops.secrets = {
- test-value = {};
+ #"wg/nixy/pub" = { };
+ "wg/nixnode/priv" = { };
};
-
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ 51820 ];
+ };
+
+ # Wireguard
+ networking = {
+ nat = {
+ enable = true;
+ externalInterface = "eth0";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ wireguard.interfaces.wg0 = {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+
+ postSetup = ''
+${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+'';
+ postShutdown = ''
+${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+'';
+
+ privateKeyFile = config.sops.secrets."wg/nixnode/priv".path;
+
+ peers = [
+ {
+ name = "nixy";
+ publicKey = "FMkFU9k+YeCvj48+WDVglySgoncbITqkS//o2e+TClY=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+
services.httpd = {
- enable = false;
+ enable = true;
virtualHosts."172.105.172.191" = {
documentRoot = "/srv/httpd";
};
};
-
- # Configure keymap in X11
- # services.xserver.xkb.layout = "us";
- # services.xserver.xkb.options = "eurosign:e,caps:escape";
-
- # Enable CUPS to print documents.
- # services.printing.enable = true;
-
- # Enable sound.
- # services.pulseaudio.enable = true;
- # OR
- # services.pipewire = {
- # enable = true;
- # pulse.enable = true;
- # };
-
- # Enable touchpad support (enabled default in most desktopManager).
- # services.libinput.enable = true;
-
- # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.boss = {
- isNormalUser = true;
- extraGroups = [ "wheel" "networkmanager" ]; # Enable ‘sudo’ for the user.
- home = "/home/boss";
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOukEKExoF6vr3vciQN8pBdd4FtZtRzqIGFJrUvllOY boss@nixy" ];
- };
-
- # programs.firefox.enable = true;
-
- # List packages installed in system profile.
- # You can use https://search.nixos.org/ to find more packages (and options).
- environment.systemPackages = with pkgs; [
- vim
- emacs
- inetutils
- mtr
- sysstat
- git
- ];
-
- # Some programs need SUID wrappers, can be configured further or are
- # started in user sessions.
- # programs.mtr.enable = true;
- # programs.gnupg.agent = {
- # enable = true;
- # enableSSHSupport = true;
- # };
-
- # List services that you want to enable:
-
- # Enable the OpenSSH daemon.
- # services.openssh.enable = true;
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
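Review bot: The masquerade for the tunnel is configured twice in the new `networking` block: `networking.nat` with `internalInterfaces = [ "wg0" ]` and `externalInterface = "eth0"` already installs a POSTROUTING MASQUERADE rule for that path, and `postSetup`/`postShutdown` add and delete a second, source-matched rule for 10.100.0.0/24 by hand. Keeping both means two overlapping NAT rules and two places to update if the subnet or interface changes; since the nat options are enabled, the `postSetup` and `postShutdown` attributes can be dropped, or the nat block removed if the manual rule is the intended one. Note also that `externalInterface = "eth0"` is now an unchecked assumption because the `../hardware-setups/linode.nix` import was removed in the first hunk of this file; a comment such as `# eth0: Linode primary NIC — update if the hardware profile changes` would make that dependency visible. The enclosing attribute set continues outside the hunk.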
@@ -132,6 +117,23 @@
};
};
+ users.users.boss = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" ]; # Enable ‘sudo’ for the user.
+ home = "/home/boss";
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOukEKExoF6vr3vciQN8pBdd4FtZtRzqIGFJrUvllOY boss@nixy" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ emacs
+ inetutils
+ mtr
+ sysstat
+ git
+ ];
+
+
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
diff --git a/computers/nixy.nix b/computers/nixy.nix
index e7b7fbe..fd79b47 100644
--- a/computers/nixy.nix
+++ b/computers/nixy.nix
@@ -5,11 +5,11 @@
{ config, pkgs, inputs, ... }:
{
imports =
- [ # Include the results of the hardware scan.
- ../hardware-setups/tuf.nix
+ [
../modules/nix.nix
../modules/nvidia.nix
inputs.YATwm.nixosModules.default
+ inputs.sops.nixosModules.sops
#inputs.spicetify-nix.nixosModules.default
];
@@ -31,29 +31,69 @@
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ sops.defaultSopsFile = ../secrets/general.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.age.keyFile = "/home/boss/.config/sops/age/keys.txt";
+
+ sops.secrets = {
+ #"wg/nixnode/pub" = { };
+ "wg/nixy/priv" = {
+ restartUnits = [ "nm-file-secret-agent.service" ];
+ group = "networkmanager";
+ mode = "440";
+ };
+ };
+
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
- networking.wireguard.enable = false;
- networking.wireguard.interfaces.wg0 = {
- ips = [ "10.200.200.2/32" ];
- listenPort = 51820;
-
- privateKeyFile = "/home/boss/.wg/peer_A.key";
-
- peers = [
+ networking.networkmanager.ensureProfiles = {
+ profiles = {
+ wg-nixnode = {
+ connection = {
+ id = "wg-nixnode";
+ autoconnect = "false";
+ interface-name = "wg0";
+ type = "wireguard";
+ };
+ ipv4 = {
+ address1 = "10.100.0.2/32";
+ may-fail = "false";
+ method = "manual";
+ };
+ ipv6 = {
+ method = "disabled";
+ };
+ wireguard = {
+ listen-port = "51820";
+ private-key-flags = 1;
+ #private-key = "dummy";
+ };
+ proxy = { };
+ "wireguard-peer./6bWy02DhOSjaeXk+ol5ATgEYDDJvL+mTO9SCNvfIUQ=" = {
+ allowed-ips = "0.0.0.0/0;";
+ endpoint = "172.105.172.191:51820";
+ persistent-keepalive = "25";
+ };
+ };
+ };
+ secrets.entries = [
{
- publicKey = "wQSg97FyVqWqkwMbmq1SLolf/MWlt9tIJuE5vKyDiRI=";
-
- allowedIPs = [ "0.0.0.0/0" ];
-
- endpoint = "139.144.99.248:51820";
-
- persistentKeepalive = 25;
+ matchId = "wg-nixnode";
+ matchType = "wireguard";
+ matchSetting = "wireguard";
+ key = "private-key";
+ file = config.sops.secrets."wg/nixy/priv".path;
}
];
};
+ systemd.services."nm-file-secret-agent" = {
+ serviceConfig.User = "boss";
+ };
+
+
# Set your time zone.
time.timeZone = "NZ";
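Review bot: The sops secret `"wg/nixy/priv"` is declared with `group = "networkmanager"; mode = "440";`, which makes the WireGuard private key readable by every member of the networkmanager group, while the only consumer visible in this diff is `nm-file-secret-agent` running as `User = "boss"`. Narrowing it to the actual reader, `owner = "boss"; mode = "400";`, keeps the key to one principal without changing how the agent reads it. The profile's `allowed-ips = "0.0.0.0/0;"` routes all IPv4 traffic through nixnode when the connection is up, which matches the masquerade on the server side but is worth a short comment on the profile so the full-tunnel intent is explicit. The enclosing attribute set continues outside the hunk.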
@@ -167,6 +207,7 @@
neofetch
pinentry-gtk2
git
+ nm-file-secret-agent
];
documentation.dev.enable = true;