refactor wireguard and add port forwarding
parent
7aacfe7887
commit
b0aa82e7d0
@ -27,15 +27,46 @@ nixpkgs.lib.nixosSystem {
|
|||||||
publicKey =
|
publicKey =
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
|
||||||
|
|
||||||
# Backup config
|
# Nextcloud backup config
|
||||||
backupS3 = {
|
backupS3 = {
|
||||||
endpoint = "s3.us-west-002.backblazeb2.com";
|
endpoint = "s3.us-west-002.backblazeb2.com";
|
||||||
bucket = "noahmasur-backup";
|
bucket = "noahmasur-backup";
|
||||||
accessKeyId = "0026b0e73b2e2c80000000004";
|
accessKeyId = "0026b0e73b2e2c80000000004";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Grant access to Jellyfin directories from nextcloud
|
# Grant access to Jellyfin directories from Nextcloud
|
||||||
users.users.nextcloud.extraGroups = [ "jellyfin" ];
|
users.users.nextcloud.extraGroups = [ "jellyfin" ];
|
||||||
|
|
||||||
|
# Wireguard config for Transmission
|
||||||
|
networking.wireguard.interfaces.wg0 = {
|
||||||
|
|
||||||
|
# The local IPs for this machine within the Wireguard network
|
||||||
|
# Any inbound traffic bound for these IPs should be kept on localhost
|
||||||
|
ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
|
||||||
|
|
||||||
|
peers = [{
|
||||||
|
|
||||||
|
# Identity of Wireguard target peer (VPN)
|
||||||
|
publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
|
||||||
|
|
||||||
|
# The public internet address of the target peer
|
||||||
|
endpoint = "86.106.143.132:51820";
|
||||||
|
|
||||||
|
# Which outgoing IP ranges should be sent through Wireguard
|
||||||
|
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||||
|
|
||||||
|
# Send heartbeat signal within the network
|
||||||
|
persistentKeepalive = 25;
|
||||||
|
|
||||||
|
}];
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
# VPN port forwarding
|
||||||
|
services.transmission.settings.peer-port = 57599;
|
||||||
|
|
||||||
|
# Grant access to Transmission directories from Jellyfin
|
||||||
|
users.users.jellyfin.extraGroups = [ "transmission" ];
|
||||||
}
|
}
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../common.nix
|
../common.nix
|
||||||
|
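Review bot: The new `services.transmission.settings.peer-port = 57599;` line is labelled only `# VPN port forwarding`, which says neither where the number comes from nor why it must be this value; presumably it is the inbound port the VPN provider forwards to this peer, so a comment such as `# Must match the inbound port the VPN provider forwards to this peer; Transmission listens on it inside the wg namespace` would make the coupling visible. The wg0 `ips` entry `10.66.13.200/32` added here is the same address that transmission.nix's socat proxy dials as a literal (`tcp-connect:10.66.13.200:9091`), so changing `ips` here would silently break the web UI proxy; deriving one from the other, or at least cross-referencing the two in a comment, would keep them in step. The enclosing `nixpkgs.lib.nixosSystem { … }` set opens before this hunk.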
@ -13,7 +13,9 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = let
|
||||||
|
namespace = config.networking.wireguard.interfaces.wg0.interfaceNamespace;
|
||||||
|
in {
|
||||||
|
|
||||||
# Setup transmission
|
# Setup transmission
|
||||||
services.transmission = {
|
services.transmission = {
|
||||||
@ -33,11 +35,11 @@ in {
|
|||||||
|
|
||||||
# Bind transmission to wireguard namespace
|
# Bind transmission to wireguard namespace
|
||||||
systemd.services.transmission = {
|
systemd.services.transmission = {
|
||||||
bindsTo = [ "netns@wg.service" ];
|
bindsTo = [ "netns@${namespace}.service" ];
|
||||||
requires = [ "network-online.target" ];
|
requires = [ "network-online.target" ];
|
||||||
after = [ "wireguard-wg0.service" ];
|
after = [ "wireguard-wg0.service" ];
|
||||||
unitConfig.JoinsNamespaceOf = "netns@wg.service";
|
unitConfig.JoinsNamespaceOf = "netns@${namespace}.service";
|
||||||
serviceConfig.NetworkNamespacePath = "/var/run/netns/wg";
|
serviceConfig.NetworkNamespacePath = "/var/run/netns/${namespace}";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Create reverse proxy for web UI
|
# Create reverse proxy for web UI
|
||||||
@ -60,8 +62,8 @@ in {
|
|||||||
};
|
};
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
script = ''
|
script = ''
|
||||||
${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.iproute2}/bin/ip link set dev lo up
|
${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.iproute2}/bin/ip link set dev lo up
|
||||||
${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
|
${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.socat}/bin/socat STDIO "tcp-connect:10.66.13.200:9091"',nofork
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
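Review bot: `namespace` is bound in the first hunk to `config.networking.wireguard.interfaces.wg0.interfaceNamespace` and the second hunk interpolates it into `"netns@${namespace}.service"` and `/var/run/netns/${namespace}`; if that option is unset (its upstream default is null, as far as I recall) evaluation fails with a generic string-coercion error instead of a message naming this module. A guard such as `assertions = [{ assertion = namespace != null; message = "services.transmission is bound to a WireGuard namespace; set networking.wireguard.interfaces.wg0.interfaceNamespace"; }];` inside the `config` set would make the dependency explicit. `after = [ "wireguard-wg0.service" ]` still hardcodes the interface the namespace is looked up from, and the socat line in the last hunk still dials the literal `10.66.13.200`, so the refactor is only partly parameterized. The `config = let … in {` set opened in the first hunk is closed outside these hunks.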
@ -1,77 +1,71 @@
|
|||||||
{ config, pkgs, ... }:
|
{ config, pkgs, lib, ... }: {
|
||||||
|
|
||||||
let privateKeyFile = "/private/wireguard/wg0";
|
options.networking.wireguard = {
|
||||||
|
|
||||||
in {
|
encryptedPrivateKey = lib.mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
description = "Nix path to age-encrypted client private key";
|
||||||
|
default = ../../private/wireguard.age;
|
||||||
|
};
|
||||||
|
|
||||||
networking.wireguard = {
|
};
|
||||||
enable = true;
|
|
||||||
interfaces = {
|
|
||||||
wg0 = {
|
|
||||||
|
|
||||||
# The local IPs for this machine within the Wireguard network
|
config = {
|
||||||
# Any inbound traffic bound for these IPs should be kept on localhost
|
|
||||||
ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
|
|
||||||
|
|
||||||
# Establishes identity of this machine
|
networking.wireguard = {
|
||||||
generatePrivateKeyFile = false;
|
enable = true;
|
||||||
privateKeyFile = privateKeyFile;
|
interfaces = {
|
||||||
|
wg0 = {
|
||||||
|
|
||||||
peers = [{
|
# Establishes identity of this machine
|
||||||
|
generatePrivateKeyFile = false;
|
||||||
|
privateKeyFile = "/private/wireguard/wg0";
|
||||||
|
|
||||||
# Identity of Wireguard target peer (VPN)
|
# Move to network namespace for isolating programs
|
||||||
publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
|
interfaceNamespace = "wg";
|
||||||
|
|
||||||
# Which outgoing IP ranges should be sent through Wireguard
|
|
||||||
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
|
||||||
|
|
||||||
# The public internet address of the target peer
|
|
||||||
endpoint = "86.106.143.132:51820";
|
|
||||||
|
|
||||||
# Send heartbeat signal within the network
|
|
||||||
persistentKeepalive = 25;
|
|
||||||
|
|
||||||
}];
|
|
||||||
|
|
||||||
# Move to network namespace for isolating programs
|
|
||||||
interfaceNamespace = "wg";
|
|
||||||
|
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
# Create namespace for Wireguard
|
# Create namespace for Wireguard
|
||||||
# This allows us to isolate specific programs to Wireguard
|
# This allows us to isolate specific programs to Wireguard
|
||||||
systemd.services."netns@" = {
|
systemd.services."netns@" = {
|
||||||
description = "%I network namespace";
|
description = "%I network namespace";
|
||||||
before = [ "network.target" ];
|
before = [ "network.target" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
|
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
|
||||||
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
|
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
# Create private key file for wireguard
|
# Create private key file for wireguard
|
||||||
systemd.services.wireguard-private-key = {
|
systemd.services.wireguard-private-key = {
|
||||||
wantedBy = [ "wireguard-wg0.service" ];
|
wantedBy = [ "wireguard-wg0.service" ];
|
||||||
requiredBy = [ "wireguard-wg0.service" ];
|
requiredBy = [ "wireguard-wg0.service" ];
|
||||||
before = [ "wireguard-wg0.service" ];
|
before = [ "wireguard-wg0.service" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
script = let
|
||||||
|
encryptedPrivateKey = config.networking.wireguard.encryptedPrivateKey;
|
||||||
|
privateKeyFile =
|
||||||
|
config.networking.wireguard.interfaces.wg0.privateKeyFile;
|
||||||
|
in ''
|
||||||
|
mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
|
||||||
|
if [ ! -f "${privateKeyFile}" ]; then
|
||||||
|
${pkgs.age}/bin/age --decrypt \
|
||||||
|
--identity ${config.identityFile} \
|
||||||
|
--output ${privateKeyFile} \
|
||||||
|
${builtins.toString encryptedPrivateKey}
|
||||||
|
chmod 0700 ${privateKeyFile}
|
||||||
|
fi
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
script = ''
|
|
||||||
mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
|
|
||||||
if [ ! -f "${privateKeyFile}" ]; then
|
|
||||||
${pkgs.age}/bin/age --decrypt \
|
|
||||||
--identity ${config.identityFile} \
|
|
||||||
--output ${privateKeyFile} \
|
|
||||||
${builtins.toString ../../private/wireguard.age}
|
|
||||||
chmod 0700 ${privateKeyFile}
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
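Review bot: In the rewritten `wireguard-private-key` script the decrypted key is written by `age --decrypt … --output ${privateKeyFile}` and only afterwards restricted with `chmod 0700`, so between the two commands the file carries whatever mode the service's umask allows (typically 0644 under systemd's default 0022, unless age itself tightens the mode) inside the `0755` directory created just above it. Putting `umask 077` as the first line of the script closes that window, and since this is a regular key file `chmod 0600 ${privateKeyFile}` matches the intent better than 0700, which grants an unneeded exec bit. The `if [ ! -f … ]` guard also means a rotated `encryptedPrivateKey` is never re-decrypted until the plaintext file is removed by hand, which deserves a comment such as `# Decrypted once; delete the file to pick up a new encrypted key`.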