From b6714ee64f472b4e08cef8a6aa76c423771fab5f Mon Sep 17 00:00:00 2001 From: Maxiem Geldhof Date: Sat, 18 Oct 2025 14:26:06 +0200 Subject: [PATCH] Refactor the clients --- .../wireguard/wireguard-server.nix | 106 ++++++++++-------- systems/macbook/macbook.nix | 2 +- systems/macbook/wireguard.nix | 55 +++++---- systems/selene/system.nix | 2 +- 4 files changed, 85 insertions(+), 80 deletions(-) diff --git a/modules/servermodules/wireguard/wireguard-server.nix b/modules/servermodules/wireguard/wireguard-server.nix index b1e50fc..797f9b0 100644 --- a/modules/servermodules/wireguard/wireguard-server.nix +++ b/modules/servermodules/wireguard/wireguard-server.nix 
@@ -1,58 +1,68 @@ +let + allowedIPs = [ "10.100.0.1/24" ]; + port = 51820; + publicIp = "37.27.207.39"; +in { - pkgs, - config, - ... -}: -{ - # enable NAT - networking.nat.enable = true; - networking.nat.externalInterface = "eth0"; - networking.nat.internalInterfaces = [ "wg0" ]; - networking.firewall = { - allowedUDPPorts = [ 51820 ]; - }; + serverModule = + { + pkgs, + config, + ... + }: + { + # enable NAT + networking.nat.enable = true; + networking.nat.externalInterface = "eth0"; + networking.nat.internalInterfaces = [ "wg0" ]; + networking.firewall = { + allowedUDPPorts = [ port ]; + }; - age.secrets.wg-selene = { - file = ../../../keys/wg-selene; - owner = "selene"; - }; - networking.wireguard.interfaces = { - # "wg0" is the network interface name. You can name the interface arbitrarily. - wg0 = { - # Determines the IP address and subnet of the server's end of the tunnel interface. - ips = [ "10.100.0.1/24" ]; + age.secrets.wg-selene = { + file = ../../../keys/wg-selene; + owner = "selene"; + }; + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + ips = allowedIPs; - # The port that WireGuard listens to. Must be accessible by the client. - listenPort = 51820; + # The port that WireGuard listens to. Must be accessible by the client. 
+ listenPort = port; - # This allows the wireguard server to route your traffic to the internet and hence be like a VPN - # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients - # postSetup = '' - # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE - # ''; + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + # postSetup = '' + # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + # ''; - # # This undoes the above command - # postShutdown = '' - # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE - # ''; + # # This undoes the above command + # postShutdown = '' + # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + # ''; - # Path to the private key file. - # - # Note: The private key can also be included inline via the privateKey option, - # but this makes the private key world-readable; thus, using privateKeyFile is - # recommended. + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. - privateKeyFile = config.age.secrets.wg-selene.path; + privateKeyFile = config.age.secrets.wg-selene.path; - peers = [ - # List of allowed peers. - { # Feel free to give a meaningful name - # Public key of the peer (not a file path). - publicKey = (builtins.readFile ../../../keys/wg-macbook.pub); - # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. - allowedIPs = [ "10.100.0.2/32" ]; - } - ]; + peers = [ + # List of allowed peers. 
+ (import ../../systems/macbook/wireguard.nix).peerConfig + ]; + }; + }; }; + + infoForClients = { + endpoint = "${publicIp}:${builtins.toString port}"; + allowedIPs = allowedIPs; + publicKey = builtins.readFile ../../../keys/wg-selene.pub; + persistentKeepalive = 25; }; -} \ No newline at end of file +} diff --git a/systems/macbook/macbook.nix b/systems/macbook/macbook.nix index 046c0dc..8ce6646 100644 --- a/systems/macbook/macbook.nix +++ b/systems/macbook/macbook.nix @@ -12,7 +12,7 @@ nix-darwin.lib.darwinSystem { (import ../../modules/usermodules/darwinsettings.nix self) home-manager.darwinModules.home-manager ./users.nix - ./wireguard.nix + (import ./wireguard.nix).systemModule ]; specialArgs = { diff --git a/systems/macbook/wireguard.nix b/systems/macbook/wireguard.nix index f299683..35e93c8 100644 --- a/systems/macbook/wireguard.nix +++ b/systems/macbook/wireguard.nix 
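Review bot: The new peer entry `(import ../../systems/macbook/wireguard.nix).peerConfig` is resolved relative to modules/servermodules/wireguard/, i.e. to modules/systems/macbook/wireguard.nix, while the diffstat places the client file at systems/macbook/wireguard.nix; the key paths in the same file climb three levels (`../../../keys/wg-selene`), so this import should too: `(import ../../../systems/macbook/wireguard.nix).peerConfig`. Unless the checkout layout differs from what the patch shows, evaluating `serverModule` would fail on the missing path and block the selene build. The refactor also makes the server module import one specific client file while that client file imports the server module; Nix's lazy evaluation keeps `.peerConfig` / `.infoForClients` from recursing, but every additional client now means editing this server module, so a single list of client peer definitions that both sides read would scale better. Minor: the `let` binding `allowedIPs` holds the server's own interface address (`ips = allowedIPs;`) and is also handed to clients as their peer `allowedIPs`; a name such as `serverAddress` or `tunnelSubnet` would make that dual use clearer, and `inherit allowedIPs;` replaces `allowedIPs = allowedIPs;`.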
@@ -1,37 +1,32 @@ -{ config, ... }: +let + ip = "10.100.0.2/32"; + publicKey = (builtins.readFile ../../keys/wg-macbook.pub); +in { - age.secrets.wg-private.file = ../../keys/wg-macbook; - networking.wg-quick.interfaces.wg-selene = { - privateKeyFile = config.age.secrets.wg-private.path; + systemModule = { config, ... }: { + age.secrets.wg-private.file = ../../keys/wg-macbook; + networking.wg-quick.interfaces.wg-selene = { + privateKeyFile = config.age.secrets.wg-private.path; - # The internal IP address assigned to this client by the server. - # The /24 subnet mask is important for knowing the VPN's local network. - address = [ "10.100.0.2/32" ]; + # The internal IP address assigned to this client by the server. + # The /24 subnet mask is important for knowing the VPN's local network. + address = [ ip ]; - # DNS server(s) to use when the tunnel is active. - # This is critical for resolving hostnames when all traffic is routed. - dns = [ - "1.1.1.1" - "1.0.0.1" - ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8 + # DNS server(s) to use when the tunnel is active. + # This is critical for resolving hostnames when all traffic is routed. + dns = [ + "1.1.1.1" + "1.0.0.1" + ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8 - peers = [ - { - # Public key of the SERVER. - publicKey = builtins.readFile ../../keys/wg-selene.pub; + peers = [ + (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients + ]; + }; + }; - # The server's public IP address and listening port. - endpoint = "37.27.207.39:51820"; - - # This is the most important part for a "VPN" setup. - # 0.0.0.0/0 tells your Mac to route all IPv4 traffic through the tunnel. - # Add "::/0" if your server and network support IPv6. - allowedIPs = [ "10.100.0.1/24" ]; - - # Optional but highly recommended for clients behind NAT. - # It sends a packet every 25 seconds to keep the connection open. 
- persistentKeepalive = 25; - } - ]; + peerConfig = { + publicKey = publicKey; + allowedIPs = [ip]; }; } diff --git a/systems/selene/system.nix b/systems/selene/system.nix index e580398..bc87a1b 100644 --- a/systems/selene/system.nix +++ b/systems/selene/system.nix @@ -17,7 +17,7 @@ nixpkgs.lib.nixosSystem { (import ../../modules/servermodules/nginx.nix "maxiemgeldhof.com") ../../modules/servermodules/grafana/grafana.nix ../../modules/servermodules/jellyfin/jellyfin.nix - ../../modules/servermodules/wireguard/wireguard-server.nix + (import ../../modules/servermodules/wireguard/wireguard-server.nix).serverModule ./volumes.nix agenix.nixosModules.default ];
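Review bot: The comment `# The /24 subnet mask is important for knowing the VPN's local network.` kept above `address = [ ip ];` contradicts the value it describes, since `ip` is `10.100.0.2/32`; suggest replacing it with `# /32: only this client's own tunnel address; the reachable subnet comes from the peer's allowedIPs.` The `dns` comment likewise speaks of "when all traffic is routed", but the peer block now takes its `allowedIPs` from the server's `infoForClients` (`10.100.0.1/24`), so only tunnel-subnet traffic goes through wg-selene and the comment overstates what the config does. Style nits in `peerConfig`: `inherit publicKey;` instead of `publicKey = publicKey;`, `[ ip ]` to match the list spacing used elsewhere in the file, and the parentheses around `builtins.readFile ../../keys/wg-macbook.pub` in the `let` are redundant. One thing worth confirming: if the `.pub` file ends with a newline, `builtins.readFile` keeps it and it may end up inside the generated PublicKey value; this predates the patch, but now that the key is shared through `peerConfig` a single `builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile …)` (or storing the file without the newline) would cover both users.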