refactor wireguard and add port forwarding

hosts/oracle/default.nix

@@ -27,15 +27,46 @@ nixpkgs.lib.nixosSystem {
       publicKey =
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
 
-      # Backup config
+      # Nextcloud backup config
       backupS3 = {
         endpoint = "s3.us-west-002.backblazeb2.com";
         bucket = "noahmasur-backup";
         accessKeyId = "0026b0e73b2e2c80000000004";
       };
 
-      # Grant access to Jellyfin directories from nextcloud
+      # Grant access to Jellyfin directories from Nextcloud
       users.users.nextcloud.extraGroups = [ "jellyfin" ];
+
+      # Wireguard config for Transmission
+      networking.wireguard.interfaces.wg0 = {
+
+        # The local IPs for this machine within the Wireguard network
+        # Any inbound traffic bound for these IPs should be kept on localhost
+        ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
+
+        peers = [{
+
+          # Identity of Wireguard target peer (VPN)
+          publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
+
+          # The public internet address of the target peer
+          endpoint = "86.106.143.132:51820";
+
+          # Which outgoing IP ranges should be sent through Wireguard
+          allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+
+          # Send heartbeat signal within the network
+          persistentKeepalive = 25;
+
+        }];
+
+      };
+
+      # VPN port forwarding
+      services.transmission.settings.peer-port = 57599;
+
+      # Grant access to Transmission directories from Jellyfin
+      users.users.jellyfin.extraGroups = [ "transmission" ];
     }
     ./hardware-configuration.nix
     ../common.nix

modules/services/transmission.nix

@@ -13,7 +13,9 @@ in {
     };
   };
 
-  config = {
+  config = let
+    namespace = config.networking.wireguard.interfaces.wg0.interfaceNamespace;
+  in {
 
     # Setup transmission
     services.transmission = {
@@ -33,11 +35,11 @@ in {
 
     # Bind transmission to wireguard namespace
     systemd.services.transmission = {
-      bindsTo = [ "netns@wg.service" ];
+      bindsTo = [ "netns@${namespace}.service" ];
       requires = [ "network-online.target" ];
       after = [ "wireguard-wg0.service" ];
-      unitConfig.JoinsNamespaceOf = "netns@wg.service";
+      unitConfig.JoinsNamespaceOf = "netns@${namespace}.service";
-      serviceConfig.NetworkNamespacePath = "/var/run/netns/wg";
+      serviceConfig.NetworkNamespacePath = "/var/run/netns/${namespace}";
     };
 
     # Create reverse proxy for web UI
@@ -60,8 +62,8 @@ in {
       };
       wantedBy = [ "multi-user.target" ];
       script = ''
-        ${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.iproute2}/bin/ip link set dev lo up
+        ${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.iproute2}/bin/ip link set dev lo up
-        ${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
+        ${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
       '';
     };
 

modules/services/wireguard.nix

@@ -1,77 +1,71 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }: {
 
-let privateKeyFile = "/private/wireguard/wg0";
+  options.networking.wireguard = {
 
-in {
+    encryptedPrivateKey = lib.mkOption {
+      type = lib.types.path;
+      description = "Nix path to age-encrypted client private key";
+      default = ../../private/wireguard.age;
+    };
 
-  networking.wireguard = {
+  };
-    enable = true;
-    interfaces = {
-      wg0 = {
 
-        # The local IPs for this machine within the Wireguard network
+  config = {
-        # Any inbound traffic bound for these IPs should be kept on localhost
-        ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
 
-        # Establishes identity of this machine
+    networking.wireguard = {
-        generatePrivateKeyFile = false;
+      enable = true;
-        privateKeyFile = privateKeyFile;
+      interfaces = {
+        wg0 = {
 
-        peers = [{
+          # Establishes identity of this machine
+          generatePrivateKeyFile = false;
+          privateKeyFile = "/private/wireguard/wg0";
 
-          # Identity of Wireguard target peer (VPN)
+          # Move to network namespace for isolating programs
-          publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
+          interfaceNamespace = "wg";
-
-          # Which outgoing IP ranges should be sent through Wireguard
-          allowedIPs = [ "0.0.0.0/0" "::0/0" ];
-
-          # The public internet address of the target peer
-          endpoint = "86.106.143.132:51820";
-
-          # Send heartbeat signal within the network
-          persistentKeepalive = 25;
-
-        }];
-
-        # Move to network namespace for isolating programs
-        interfaceNamespace = "wg";
 
+        };
       };
     };
-  };
 
-  # Create namespace for Wireguard
+    # Create namespace for Wireguard
-  # This allows us to isolate specific programs to Wireguard
+    # This allows us to isolate specific programs to Wireguard
-  systemd.services."netns@" = {
+    systemd.services."netns@" = {
-    description = "%I network namespace";
+      description = "%I network namespace";
-    before = [ "network.target" ];
+      before = [ "network.target" ];
-    serviceConfig = {
+      serviceConfig = {
-      Type = "oneshot";
+        Type = "oneshot";
-      RemainAfterExit = true;
+        RemainAfterExit = true;
-      ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
+        ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
-      ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
+        ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
+      };
     };
-  };
 
-  # Create private key file for wireguard
+    # Create private key file for wireguard
-  systemd.services.wireguard-private-key = {
+    systemd.services.wireguard-private-key = {
-    wantedBy = [ "wireguard-wg0.service" ];
+      wantedBy = [ "wireguard-wg0.service" ];
-    requiredBy = [ "wireguard-wg0.service" ];
+      requiredBy = [ "wireguard-wg0.service" ];
-    before = [ "wireguard-wg0.service" ];
+      before = [ "wireguard-wg0.service" ];
-    serviceConfig = {
+      serviceConfig = {
-      Type = "oneshot";
+        Type = "oneshot";
-      RemainAfterExit = true;
+        RemainAfterExit = true;
+      };
+      script = let
+        encryptedPrivateKey = config.networking.wireguard.encryptedPrivateKey;
+        privateKeyFile =
+          config.networking.wireguard.interfaces.wg0.privateKeyFile;
+      in ''
+        mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
+        if [ ! -f "${privateKeyFile}" ]; then
+          ${pkgs.age}/bin/age --decrypt \
+            --identity ${config.identityFile} \
+            --output ${privateKeyFile} \
+            ${builtins.toString encryptedPrivateKey}
+          chmod 0700 ${privateKeyFile}
+        fi
+      '';
     };
-    script = ''
+
-      mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
-      if [ ! -f "${privateKeyFile}" ]; then
-        ${pkgs.age}/bin/age --decrypt \
-          --identity ${config.identityFile} \
-          --output ${privateKeyFile} \
-          ${builtins.toString ../../private/wireguard.age}
-        chmod 0700 ${privateKeyFile}
-      fi
-    '';
   };
 
 }