burnham: init. defiant: add wireguard

2024-01-25 11:31:05 +01:00
parent 45d2fe1ba1
commit 9f33f70d12
6 changed files with 142 additions and 1 deletions
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -6,12 +6,15 @@
      ../../base.nix
      ../../common/metrics-exporters.nix
      ./hardware-configuration.nix
-      ./libvirt.nix

+      # Infrastructure
+      ./libvirt.nix
      ./services/nginx.nix
      ./services/pihole.nix
      ./services/postgresql.nix
+      ./services/wireguard.nix

+      # Services
      ./services/flame.nix
      ./services/gitea.nix
      ./services/hedgedoc.nix
--- a/hosts/defiant/services/wireguard.nix
+++ b/hosts/defiant/services/wireguard.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.networking.wireguard.interfaces."wg0";
+in {
+  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "enp3s0";
+      internalInterfaces = [ "wg0" ];
+    };
+    firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+    wireguard.interfaces."wg0" = {
+      ips = [ "10.100.0.1/24" ];
+      listenPort = 51820;
+      privateKeyFile = "/etc/wireguard/defiant.private";
+
+      peers = [
+        { # Burnham
+          publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
+          allowedIPs = [
+            "10.100.0.2/32"
+            # "192.168.11.0/24"
+          ];
+        }
+        { # Sulu
+          publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
+          allowedIPs = [
+            "10.100.0.3/32"
+          ];
+        }
+      ];
+    };
+  };
+}