	refactor wireguard and add port forwarding
		@@ -27,15 +27,46 @@ nixpkgs.lib.nixosSystem {
 | 
			
		||||
      publicKey =
 | 
			
		||||
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
 | 
			
		||||
 | 
			
		||||
      # Backup config
 | 
			
		||||
      # Nextcloud backup config
 | 
			
		||||
      backupS3 = {
 | 
			
		||||
        endpoint = "s3.us-west-002.backblazeb2.com";
 | 
			
		||||
        bucket = "noahmasur-backup";
 | 
			
		||||
        accessKeyId = "0026b0e73b2e2c80000000004";
 | 
			
		||||
      };
 | 
			
		||||
 | 
			
		||||
      # Grant access to Jellyfin directories from nextcloud
 | 
			
		||||
      # Grant access to Jellyfin directories from Nextcloud
 | 
			
		||||
      users.users.nextcloud.extraGroups = [ "jellyfin" ];
 | 
			
		||||
 | 
			
		||||
      # Wireguard config for Transmission
 | 
			
		||||
      networking.wireguard.interfaces.wg0 = {
 | 
			
		||||
 | 
			
		||||
        # The local IPs for this machine within the Wireguard network
 | 
			
		||||
        # Any inbound traffic bound for these IPs should be kept on localhost
 | 
			
		||||
        ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
 | 
			
		||||
 | 
			
		||||
        peers = [{
 | 
			
		||||
 | 
			
		||||
          # Identity of Wireguard target peer (VPN)
 | 
			
		||||
          publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
 | 
			
		||||
 | 
			
		||||
          # The public internet address of the target peer
 | 
			
		||||
          endpoint = "86.106.143.132:51820";
 | 
			
		||||
 | 
			
		||||
          # Which outgoing IP ranges should be sent through Wireguard
 | 
			
		||||
          allowedIPs = [ "0.0.0.0/0" "::0/0" ];
 | 
			
		||||
 | 
			
		||||
          # Send heartbeat signal within the network
 | 
			
		||||
          persistentKeepalive = 25;
 | 
			
		||||
 | 
			
		||||
        }];
 | 
			
		||||
 | 
			
		||||
      };
 | 
			
		||||
 | 
			
		||||
      # VPN port forwarding
 | 
			
		||||
      services.transmission.settings.peer-port = 57599;
 | 
			
		||||
 | 
			
		||||
      # Grant access to Transmission directories from Jellyfin
 | 
			
		||||
      users.users.jellyfin.extraGroups = [ "transmission" ];
 | 
			
		||||
    }
 | 
			
		||||
    ./hardware-configuration.nix
 | 
			
		||||
    ../common.nix
 | 
			
		||||
 
 | 
			
		||||
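Review bot: The new `services.transmission.settings.peer-port = 57599;` opens a listener that is reached over wg0, and because that interface is moved into its own network namespace (the module sets `interfaceNamespace = "wg"`), the host firewall rules of the root namespace presumably do not filter it, so anything the VPN peer routes to 10.66.13.200 reaches every socket bound inside that namespace, not only the forwarded port. The comment at `# Any inbound traffic bound for these IPs should be kept on localhost` states an expectation rather than something this configuration enforces; it would be clearer to say what actually holds, e.g. `# Inbound traffic on wg0 is not covered by the host firewall (separate netns); only Transmission's peer port should listen there`. The `# VPN port forwarding` comment should also name where 57599 comes from (the port assigned by the VPN provider) so the next person knows it cannot be changed freely. The enclosing `nixpkgs.lib.nixosSystem` attribute set starts and ends outside this hunk.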
@@ -13,7 +13,9 @@ in {
 | 
			
		||||
    };
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
  config = {
 | 
			
		||||
  config = let
 | 
			
		||||
    namespace = config.networking.wireguard.interfaces.wg0.interfaceNamespace;
 | 
			
		||||
  in {
 | 
			
		||||
 | 
			
		||||
    # Setup transmission
 | 
			
		||||
    services.transmission = {
 | 
			
		||||
@@ -33,11 +35,11 @@ in {
 | 
			
		||||
 | 
			
		||||
    # Bind transmission to wireguard namespace
 | 
			
		||||
    systemd.services.transmission = {
 | 
			
		||||
      bindsTo = [ "netns@wg.service" ];
 | 
			
		||||
      bindsTo = [ "netns@${namespace}.service" ];
 | 
			
		||||
      requires = [ "network-online.target" ];
 | 
			
		||||
      after = [ "wireguard-wg0.service" ];
 | 
			
		||||
      unitConfig.JoinsNamespaceOf = "netns@wg.service";
 | 
			
		||||
      serviceConfig.NetworkNamespacePath = "/var/run/netns/wg";
 | 
			
		||||
      unitConfig.JoinsNamespaceOf = "netns@${namespace}.service";
 | 
			
		||||
      serviceConfig.NetworkNamespacePath = "/var/run/netns/${namespace}";
 | 
			
		||||
    };
 | 
			
		||||
 | 
			
		||||
    # Create reverse proxy for web UI
 | 
			
		||||
@@ -60,8 +62,8 @@ in {
 | 
			
		||||
      };
 | 
			
		||||
      wantedBy = [ "multi-user.target" ];
 | 
			
		||||
      script = ''
 | 
			
		||||
        ${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.iproute2}/bin/ip link set dev lo up
 | 
			
		||||
        ${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
 | 
			
		||||
        ${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.iproute2}/bin/ip link set dev lo up
 | 
			
		||||
        ${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
 | 
			
		||||
      '';
 | 
			
		||||
    };
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
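Review bot: The socat relay in the last hunk still hard-codes the tunnel address in `tcp-connect:10.66.13.200:9091` while the namespace name was just parameterized through `config.networking.wireguard.interfaces.wg0.interfaceNamespace`; the address could be derived from `config.networking.wireguard.interfaces.wg0.ips` the same way, and `after = [ "wireguard-wg0.service" ];` in the second hunk likewise keeps the interface name fixed. More importantly, that line shows the Transmission RPC port 9091 is bound on the WireGuard address inside the namespace, so it is reachable from the tunnel side as well as through the relay; unless `rpc-bind-address`, `rpc-whitelist` or `rpc-authentication-required` restrict it (those settings are not in this hunk), the VPN peer can talk to the RPC interface directly. A comment such as `# RPC listens on the wg address inside the netns and is reachable over the tunnel; keep rpc-whitelist/authentication enabled` next to the socat line would make that dependency explicit. The `script` attribute's enclosing service definition starts outside the hunk.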
@@ -1,77 +1,71 @@
 | 
			
		||||
{ config, pkgs, ... }:
 | 
			
		||||
{ config, pkgs, lib, ... }: {
 | 
			
		||||
 | 
			
		||||
let privateKeyFile = "/private/wireguard/wg0";
 | 
			
		||||
  options.networking.wireguard = {
 | 
			
		||||
 | 
			
		||||
in {
 | 
			
		||||
    encryptedPrivateKey = lib.mkOption {
 | 
			
		||||
      type = lib.types.path;
 | 
			
		||||
      description = "Nix path to age-encrypted client private key";
 | 
			
		||||
      default = ../../private/wireguard.age;
 | 
			
		||||
    };
 | 
			
		||||
 | 
			
		||||
  networking.wireguard = {
 | 
			
		||||
    enable = true;
 | 
			
		||||
    interfaces = {
 | 
			
		||||
      wg0 = {
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
        # The local IPs for this machine within the Wireguard network
 | 
			
		||||
        # Any inbound traffic bound for these IPs should be kept on localhost
 | 
			
		||||
        ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
 | 
			
		||||
  config = {
 | 
			
		||||
 | 
			
		||||
        # Establishes identity of this machine
 | 
			
		||||
        generatePrivateKeyFile = false;
 | 
			
		||||
        privateKeyFile = privateKeyFile;
 | 
			
		||||
    networking.wireguard = {
 | 
			
		||||
      enable = true;
 | 
			
		||||
      interfaces = {
 | 
			
		||||
        wg0 = {
 | 
			
		||||
 | 
			
		||||
        peers = [{
 | 
			
		||||
          # Establishes identity of this machine
 | 
			
		||||
          generatePrivateKeyFile = false;
 | 
			
		||||
          privateKeyFile = "/private/wireguard/wg0";
 | 
			
		||||
 | 
			
		||||
          # Identity of Wireguard target peer (VPN)
 | 
			
		||||
          publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
 | 
			
		||||
 | 
			
		||||
          # Which outgoing IP ranges should be sent through Wireguard
 | 
			
		||||
          allowedIPs = [ "0.0.0.0/0" "::0/0" ];
 | 
			
		||||
 | 
			
		||||
          # The public internet address of the target peer
 | 
			
		||||
          endpoint = "86.106.143.132:51820";
 | 
			
		||||
 | 
			
		||||
          # Send heartbeat signal within the network
 | 
			
		||||
          persistentKeepalive = 25;
 | 
			
		||||
 | 
			
		||||
        }];
 | 
			
		||||
 | 
			
		||||
        # Move to network namespace for isolating programs
 | 
			
		||||
        interfaceNamespace = "wg";
 | 
			
		||||
          # Move to network namespace for isolating programs
 | 
			
		||||
          interfaceNamespace = "wg";
 | 
			
		||||
 | 
			
		||||
        };
 | 
			
		||||
      };
 | 
			
		||||
    };
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
  # Create namespace for Wireguard
 | 
			
		||||
  # This allows us to isolate specific programs to Wireguard
 | 
			
		||||
  systemd.services."netns@" = {
 | 
			
		||||
    description = "%I network namespace";
 | 
			
		||||
    before = [ "network.target" ];
 | 
			
		||||
    serviceConfig = {
 | 
			
		||||
      Type = "oneshot";
 | 
			
		||||
      RemainAfterExit = true;
 | 
			
		||||
      ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
 | 
			
		||||
      ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
 | 
			
		||||
    # Create namespace for Wireguard
 | 
			
		||||
    # This allows us to isolate specific programs to Wireguard
 | 
			
		||||
    systemd.services."netns@" = {
 | 
			
		||||
      description = "%I network namespace";
 | 
			
		||||
      before = [ "network.target" ];
 | 
			
		||||
      serviceConfig = {
 | 
			
		||||
        Type = "oneshot";
 | 
			
		||||
        RemainAfterExit = true;
 | 
			
		||||
        ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
 | 
			
		||||
        ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
 | 
			
		||||
      };
 | 
			
		||||
    };
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
  # Create private key file for wireguard
 | 
			
		||||
  systemd.services.wireguard-private-key = {
 | 
			
		||||
    wantedBy = [ "wireguard-wg0.service" ];
 | 
			
		||||
    requiredBy = [ "wireguard-wg0.service" ];
 | 
			
		||||
    before = [ "wireguard-wg0.service" ];
 | 
			
		||||
    serviceConfig = {
 | 
			
		||||
      Type = "oneshot";
 | 
			
		||||
      RemainAfterExit = true;
 | 
			
		||||
    # Create private key file for wireguard
 | 
			
		||||
    systemd.services.wireguard-private-key = {
 | 
			
		||||
      wantedBy = [ "wireguard-wg0.service" ];
 | 
			
		||||
      requiredBy = [ "wireguard-wg0.service" ];
 | 
			
		||||
      before = [ "wireguard-wg0.service" ];
 | 
			
		||||
      serviceConfig = {
 | 
			
		||||
        Type = "oneshot";
 | 
			
		||||
        RemainAfterExit = true;
 | 
			
		||||
      };
 | 
			
		||||
      script = let
 | 
			
		||||
        encryptedPrivateKey = config.networking.wireguard.encryptedPrivateKey;
 | 
			
		||||
        privateKeyFile =
 | 
			
		||||
          config.networking.wireguard.interfaces.wg0.privateKeyFile;
 | 
			
		||||
      in ''
 | 
			
		||||
        mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
 | 
			
		||||
        if [ ! -f "${privateKeyFile}" ]; then
 | 
			
		||||
          ${pkgs.age}/bin/age --decrypt \
 | 
			
		||||
            --identity ${config.identityFile} \
 | 
			
		||||
            --output ${privateKeyFile} \
 | 
			
		||||
            ${builtins.toString encryptedPrivateKey}
 | 
			
		||||
          chmod 0700 ${privateKeyFile}
 | 
			
		||||
        fi
 | 
			
		||||
      '';
 | 
			
		||||
    };
 | 
			
		||||
    script = ''
 | 
			
		||||
      mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
 | 
			
		||||
      if [ ! -f "${privateKeyFile}" ]; then
 | 
			
		||||
        ${pkgs.age}/bin/age --decrypt \
 | 
			
		||||
          --identity ${config.identityFile} \
 | 
			
		||||
          --output ${privateKeyFile} \
 | 
			
		||||
          ${builtins.toString ../../private/wireguard.age}
 | 
			
		||||
        chmod 0700 ${privateKeyFile}
 | 
			
		||||
      fi
 | 
			
		||||
    '';
 | 
			
		||||
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
}
 | 
			
		||||
 
 | 
			
		||||
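Review bot: In the new `script` the private key is written by `age --decrypt --output ${privateKeyFile}` before `chmod 0700 ${privateKeyFile}` runs, so for that window the file carries whatever mode age and the service's umask produce (presumably group/world-readable), and the parent directory is created with `--mode 0755`, so the plaintext key is briefly readable by other local users. Set the umask before decrypting and use a non-executable mode: add `umask 077` as the first line of the script and replace the chmod with `chmod 0600 ${privateKeyFile}`. This is carried over from the removed script rather than introduced here, but the move into `config.networking.wireguard.encryptedPrivateKey` is the right moment to fix it. The shell interpolations `${config.identityFile}`, `${privateKeyFile}` and `${builtins.toString encryptedPrivateKey}` are unquoted; double-quoting them costs nothing and avoids surprises if a path ever contains spaces.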