68 lines
2.1 KiB
Nix
68 lines
2.1 KiB
Nix
let
|
|
allowedIPs = [ "10.100.0.1/24" ];
|
|
port = 51820;
|
|
publicIp = "37.27.207.39";
|
|
in
|
|
{
|
|
serverModule =
|
|
{
|
|
pkgs,
|
|
config,
|
|
...
|
|
}:
|
|
{
|
|
# enable NAT
|
|
networking.nat.enable = true;
|
|
networking.nat.externalInterface = "eth0";
|
|
networking.nat.internalInterfaces = [ "wg0" ];
|
|
networking.firewall = {
|
|
allowedUDPPorts = [ port ];
|
|
};
|
|
|
|
age.secrets.wg-selene = {
|
|
file = ../../../keys/wg-selene;
|
|
owner = "selene";
|
|
};
|
|
networking.wireguard.interfaces = {
|
|
# "wg0" is the network interface name. You can name the interface arbitrarily.
|
|
wg0 = {
|
|
# Determines the IP address and subnet of the server's end of the tunnel interface.
|
|
ips = allowedIPs;
|
|
|
|
# The port that WireGuard listens to. Must be accessible by the client.
|
|
listenPort = port;
|
|
|
|
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
|
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
|
|
# postSetup = ''
|
|
# ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
|
# '';
|
|
|
|
# # This undoes the above command
|
|
# postShutdown = ''
|
|
# ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
|
# '';
|
|
|
|
# Path to the private key file.
|
|
#
|
|
# Note: The private key can also be included inline via the privateKey option,
|
|
# but this makes the private key world-readable; thus, using privateKeyFile is
|
|
# recommended.
|
|
|
|
privateKeyFile = config.age.secrets.wg-selene.path;
|
|
|
|
peers = [
|
|
# List of allowed peers.
|
|
(import ../../systems/macbook/wireguard.nix).peerConfig
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
infoForClients = {
|
|
endpoint = "${publicIp}:${builtins.toString port}";
|
|
allowedIPs = allowedIPs;
|
|
publicKey = builtins.readFile ../../../keys/wg-selene.pub;
|
|
persistentKeepalive = 25;
|
|
};
|
|
}
|