refactor wireguard and add port forwarding

This commit is contained in:
Noah Masur 2022-10-10 03:13:16 +00:00
parent 7aacfe7887
commit b0aa82e7d0
3 changed files with 95 additions and 68 deletions

View File

@ -27,15 +27,46 @@ nixpkgs.lib.nixosSystem {
publicKey = publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
# Backup config # Nextcloud backup config
backupS3 = { backupS3 = {
endpoint = "s3.us-west-002.backblazeb2.com"; endpoint = "s3.us-west-002.backblazeb2.com";
bucket = "noahmasur-backup"; bucket = "noahmasur-backup";
accessKeyId = "0026b0e73b2e2c80000000004"; accessKeyId = "0026b0e73b2e2c80000000004";
}; };
# Grant access to Jellyfin directories from nextcloud # Grant access to Jellyfin directories from Nextcloud
users.users.nextcloud.extraGroups = [ "jellyfin" ]; users.users.nextcloud.extraGroups = [ "jellyfin" ];
# Wireguard config for Transmission
networking.wireguard.interfaces.wg0 = {
# The local IPs for this machine within the Wireguard network
# Any inbound traffic bound for these IPs should be kept on localhost
ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
peers = [{
# Identity of Wireguard target peer (VPN)
publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
# The public internet address of the target peer
endpoint = "86.106.143.132:51820";
# Which outgoing IP ranges should be sent through Wireguard
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
# Send heartbeat signal within the network
persistentKeepalive = 25;
}];
};
# VPN port forwarding
services.transmission.settings.peer-port = 57599;
# Grant access to Transmission directories from Jellyfin
users.users.jellyfin.extraGroups = [ "transmission" ];
} }
./hardware-configuration.nix ./hardware-configuration.nix
../common.nix ../common.nix

View File

@ -13,7 +13,9 @@ in {
}; };
}; };
config = { config = let
namespace = config.networking.wireguard.interfaces.wg0.interfaceNamespace;
in {
# Setup transmission # Setup transmission
services.transmission = { services.transmission = {
@ -33,11 +35,11 @@ in {
# Bind transmission to wireguard namespace # Bind transmission to wireguard namespace
systemd.services.transmission = { systemd.services.transmission = {
bindsTo = [ "netns@wg.service" ]; bindsTo = [ "netns@${namespace}.service" ];
requires = [ "network-online.target" ]; requires = [ "network-online.target" ];
after = [ "wireguard-wg0.service" ]; after = [ "wireguard-wg0.service" ];
unitConfig.JoinsNamespaceOf = "netns@wg.service"; unitConfig.JoinsNamespaceOf = "netns@${namespace}.service";
serviceConfig.NetworkNamespacePath = "/var/run/netns/wg"; serviceConfig.NetworkNamespacePath = "/var/run/netns/${namespace}";
}; };
# Create reverse proxy for web UI # Create reverse proxy for web UI
@ -60,8 +62,8 @@ in {
}; };
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
script = '' script = ''
${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.iproute2}/bin/ip link set dev lo up ${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.iproute2}/bin/ip link set dev lo up
${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork ${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
''; '';
}; };

View File

@ -1,37 +1,25 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }: {
let privateKeyFile = "/private/wireguard/wg0"; options.networking.wireguard = {
in { encryptedPrivateKey = lib.mkOption {
type = lib.types.path;
description = "Nix path to age-encrypted client private key";
default = ../../private/wireguard.age;
};
};
config = {
networking.wireguard = { networking.wireguard = {
enable = true; enable = true;
interfaces = { interfaces = {
wg0 = { wg0 = {
# The local IPs for this machine within the Wireguard network
# Any inbound traffic bound for these IPs should be kept on localhost
ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
# Establishes identity of this machine # Establishes identity of this machine
generatePrivateKeyFile = false; generatePrivateKeyFile = false;
privateKeyFile = privateKeyFile; privateKeyFile = "/private/wireguard/wg0";
peers = [{
# Identity of Wireguard target peer (VPN)
publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
# Which outgoing IP ranges should be sent through Wireguard
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
# The public internet address of the target peer
endpoint = "86.106.143.132:51820";
# Send heartbeat signal within the network
persistentKeepalive = 25;
}];
# Move to network namespace for isolating programs # Move to network namespace for isolating programs
interfaceNamespace = "wg"; interfaceNamespace = "wg";
@ -62,16 +50,22 @@ in {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
}; };
script = '' script = let
encryptedPrivateKey = config.networking.wireguard.encryptedPrivateKey;
privateKeyFile =
config.networking.wireguard.interfaces.wg0.privateKeyFile;
in ''
mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile} mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
if [ ! -f "${privateKeyFile}" ]; then if [ ! -f "${privateKeyFile}" ]; then
${pkgs.age}/bin/age --decrypt \ ${pkgs.age}/bin/age --decrypt \
--identity ${config.identityFile} \ --identity ${config.identityFile} \
--output ${privateKeyFile} \ --output ${privateKeyFile} \
${builtins.toString ../../private/wireguard.age} ${builtins.toString encryptedPrivateKey}
chmod 0700 ${privateKeyFile} chmod 0700 ${privateKeyFile}
fi fi
''; '';
}; };
};
} }