diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index 4514fd4..7edcda0 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml @@ -5,6 +5,9 @@ caddy: ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str] garage: rpc_secret: ENC[AES256_GCM,data:xuophXVfHY3Xw+RyDPnZ5LCQXB+cHyRCWvT2l5MiyXGAlP6GSJpewDqJ5xvLclHfHNJP9YKJ3scJV/iX5FE+rw==,iv:wtlrpUUkXa2WYvQS/vfJJBS34V5CIAYQ8oCf/SjHp5k=,tag:r16InXGTKIBPOHjMSYlEog==,type:str] +wireguard: + private_key: ENC[AES256_GCM,data:fjaBcBplx4IOrbnT8PZwUl6m4j4sdiObJYJXSrzCOqXcL3Qyymj4HUPSBuM=,iv:4XVH1d0/PTfVHKtDoziOD3b+TGXafNEGNgqAUtQsoD8=,tag:c/9AQO5TmLPGvIRN59KMZg==,type:str] + public_key: ENC[AES256_GCM,data:zHQkA3wu7Kn9wnODn65zHKGX3qBvhRa0H/cSlg/8TjyTNtaMgY3Y0RiQEr4=,iv:kaWxt11DR4jZzgfoA7PDg/wPc6VqSoyuFU4KllOzZjY=,tag:acA0M4Eq0AR4FjFJZ4l13w==,type:str] sops: kms: [] gcp_kms: [] @@ -29,8 +32,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-27T14:21:34Z" - mac: ENC[AES256_GCM,data:OkF7A/94sqkmHNcBq9uA+tJCJhFiaoZvQRfR1rtLlgmCsusbeF/rSekQaP2WE4K29aGD6mYZxcnvcCewYiEEXA6S6rpwuCOje+ti5dfg8BFaxivWxtRKQjS3az+z/AkLfE7EYBbMwsZX2T52zZaXW6d49u68++Lg8Y+vC/aRGHw=,iv:MoFQEc3C6DIlwM7r16lr9KqA1TZ2Pmk0s+mlSC5+PW8=,tag:RMsodI9Nzt8t2fYXPDTibQ==,type:str] + lastmodified: "2024-09-30T11:01:11Z" + mac: ENC[AES256_GCM,data:DRo6UcDQ8nJgUome5VLy5DVlRWB2tAFSATK1JUwwdtB2vZ8V+2FK5yGDE701vaxkJukO/lKnC0TzP3/hwprMzSOgTaOfaAFyPDDSTUS7Z6moc31J1RtbOFFoStPD1LnQyfsd0XGdhSEekLKgT3djMH++jo1KBjzcIz6OYsdDRDw=,iv:b5Nlt8SC3MLAdTzhNs44IImtUlgJRGhvB72rd8ovpWk=,tag:FGkkeT78OAWl/KqYplEsTA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/services/default.nix b/services/default.nix index 066f456..6c3c5d6 100644 --- a/services/default.nix +++ b/services/default.nix @@ -2,5 +2,6 @@ imports = [ ./uptime-kuma ./garage + ./wireguard ]; } diff --git a/services/wireguard/default.nix b/services/wireguard/default.nix new file mode 100644 index 0000000..1fc31bd --- /dev/null +++ b/services/wireguard/default.nix @@ -0,0 +1,52 @@ +{pkgs, ...}: { + sops.secrets."wireguard/private_key".owner = "root"; + + networking.nat.enable = true; + networking.nat.externalInterface = "ens3"; + networking.nat.internalInterfaces = ["wg0"]; + networking.firewall = { + allowedUDPPorts = [993]; + }; + + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + ips = ["10.8.0.1/24"]; + + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = 993; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE + ''; + + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE + ''; + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = "/run/secrets/wireguard/private_key"; + + peers = [ + { + # Pixel + publicKey = "xMO5xTvBXtikri0WS9wpzGvSWITjkQV5oUOYwFjqB0g="; + allowedIPs = ["10.8.0.69/32"]; + } + { + # Zephyrus + publicKey = "TwXHVANaKZsvP/hfjkQXkLwCtFuDeDmQ2Q7jlaxl5SU="; + allowedIPs = ["10.8.0.42/32"]; + } + ]; + }; + }; +}