Git/Nixconfigs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Refactor the clients

Browse source
This commit is contained in:
Maxiem Geldhof 2025-10-18 14:26:06 +02:00
parent 195a5e1540
commit b6714ee64f
4 changed files with 85 additions and 80 deletions
Download patch file Download diff file Expand all files Collapse all files

32
modules/servermodules/wireguard/wireguard-server.nix
View file

@ -1,15 +1,22 @@
let
allowedIPs = [ "10.100.0.1/24" ];
port = 51820;
publicIp = "37.27.207.39";
in
{ {
serverModule =
{
pkgs, pkgs,
config, config,
... ...
}: }:
{ {
# enable NAT # enable NAT
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.externalInterface = "eth0"; networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ]; networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = { networking.firewall = {
allowedUDPPorts = [ 51820 ]; allowedUDPPorts = [ port ];
}; };
age.secrets.wg-selene = { age.secrets.wg-selene = {
@ -20,10 +27,10 @@
# "wg0" is the network interface name. You can name the interface arbitrarily. # "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = { wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface. # Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ]; ips = allowedIPs;
# The port that WireGuard listens to. Must be accessible by the client. # The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820; listenPort = port;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
@ -46,13 +53,16 @@
peers = [ peers = [
# List of allowed peers. # List of allowed peers.
{ # Feel free to give a meaningful name (import ../../systems/macbook/wireguard.nix).peerConfig
# Public key of the peer (not a file path).
publicKey = (builtins.readFile ../../../keys/wg-macbook.pub);
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
]; ];
}; };
}; };
};
infoForClients = {
endpoint = "${publicIp}:${builtins.toString port}";
allowedIPs = allowedIPs;
publicKey = builtins.readFile ../../../keys/wg-selene.pub;
persistentKeepalive = 25;
};
} }

2
systems/macbook/macbook.nix
View file

@ -12,7 +12,7 @@ nix-darwin.lib.darwinSystem {
(import ../../modules/usermodules/darwinsettings.nix self) (import ../../modules/usermodules/darwinsettings.nix self)
home-manager.darwinModules.home-manager home-manager.darwinModules.home-manager
./users.nix ./users.nix
./wireguard.nix (import ./wireguard.nix).systemModule
]; ];
specialArgs = { specialArgs = {

31
systems/macbook/wireguard.nix
View file

@ -1,12 +1,16 @@
{ config, ... }: let
ip = "10.100.0.2/32";
publicKey = (builtins.readFile ../../keys/wg-macbook.pub);
in
{ {
systemModule = { config, ... }: {
age.secrets.wg-private.file = ../../keys/wg-macbook; age.secrets.wg-private.file = ../../keys/wg-macbook;
networking.wg-quick.interfaces.wg-selene = { networking.wg-quick.interfaces.wg-selene = {
privateKeyFile = config.age.secrets.wg-private.path; privateKeyFile = config.age.secrets.wg-private.path;
# The internal IP address assigned to this client by the server. # The internal IP address assigned to this client by the server.
# The /24 subnet mask is important for knowing the VPN's local network. # The /24 subnet mask is important for knowing the VPN's local network.
address = [ "10.100.0.2/32" ]; address = [ ip ];
# DNS server(s) to use when the tunnel is active. # DNS server(s) to use when the tunnel is active.
# This is critical for resolving hostnames when all traffic is routed. # This is critical for resolving hostnames when all traffic is routed.
@ -16,22 +20,13 @@
]; # Cloudflare DNS, or use your preferred one like 8.8.8.8 ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
peers = [ peers = [
{ (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients
# Public key of the SERVER.
publicKey = builtins.readFile ../../keys/wg-selene.pub;
# The server's public IP address and listening port.
endpoint = "37.27.207.39:51820";
# This is the most important part for a "VPN" setup.
# 0.0.0.0/0 tells your Mac to route all IPv4 traffic through the tunnel.
# Add "::/0" if your server and network support IPv6.
allowedIPs = [ "10.100.0.1/24" ];
# Optional but highly recommended for clients behind NAT.
# It sends a packet every 25 seconds to keep the connection open.
persistentKeepalive = 25;
}
]; ];
}; };
};
peerConfig = {
publicKey = publicKey;
allowedIPs = [ip];
};
} }

2
systems/selene/system.nix
View file

@ -17,7 +17,7 @@ nixpkgs.lib.nixosSystem {
(import ../../modules/servermodules/nginx.nix "maxiemgeldhof.com") (import ../../modules/servermodules/nginx.nix "maxiemgeldhof.com")
../../modules/servermodules/grafana/grafana.nix ../../modules/servermodules/grafana/grafana.nix
../../modules/servermodules/jellyfin/jellyfin.nix ../../modules/servermodules/jellyfin/jellyfin.nix
../../modules/servermodules/wireguard/wireguard-server.nix (import ../../modules/servermodules/wireguard/wireguard-server.nix).serverModule
./volumes.nix ./volumes.nix
agenix.nixosModules.default agenix.nixosModules.default
]; ];