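# WireGuard hub ("wg0") for this host: NAT for the tunnel subnet, a firewall
# opening for the listen port, and the peer list shared across sites.
{ config, pkgs, lib, ... }:

let
  cfg = config.networking.wireguard.interfaces."wg0";

  # Tunnel subnet handed out to peers (same /24 as `ips` below) and the
  # remote LAN that tunnel clients are masqueraded towards.
  wgSubnet = "10.100.0.0/24";
  lanSubnet = "192.168.10.0/24";

  # NOTE(review): the NAT module below uses `enp3s0` as externalInterface,
  # while this rule is bound to `eth0`. If `eth0` is not a separate, real
  # interface on this host the rule silently matches nothing — confirm.
  masqOutInterface = "eth0";

  # Single source of truth for the POSTROUTING rule so the `-A` in postSetup
  # and the `-D` in postShutdown can never drift apart (a mismatch would
  # leave a stale MASQUERADE rule behind after the interface goes down).
  masqRule = "POSTROUTING -s ${wgSubnet} -d ${lanSubnet} -o ${masqOutInterface} -j MASQUERADE";
  iptables = "${pkgs.iptables}/bin/iptables";
in {
  networking = {
    # Masquerade tunnel traffic leaving via the uplink interface.
    nat = {
      enable = true;
      externalInterface = "enp3s0";
      internalInterfaces = [ "wg0" ];
    };

    # Only the WireGuard listen port is opened; it is read back from the
    # interface definition below so the two values cannot disagree.
    firewall.allowedUDPPorts = [ cfg.listenPort ];

    wireguard.interfaces."wg0" = {
      ips = [ "10.100.0.1/24" ];
      listenPort = 51820;
      # Key is read from a path outside the Nix store (store contents are
      # world-readable), so it never ends up in a derivation.
      privateKeyFile = "/etc/wireguard/defiant.private";

      postSetup = ''
        ${iptables} -t nat -A ${masqRule}
      '';
      postShutdown = ''
        ${iptables} -t nat -D ${masqRule}
      '';

      peers = [
        { # Burnham
          publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
          persistentKeepalive = 60;
          # The peer's own tunnel address plus the LAN it routes for.
          allowedIPs = [
            "10.100.0.2/32"
            "192.168.11.0/24"
          ];
          #endpoint = "site2.feal.no:51902";
        }
      ] ++ (import ../../../common/wireguard-peers.nix);
    };
  };
}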