rix101/machines/nixos/x86_64-linux/jeeves/wireguard.nix

{ lib, pkgs, config, ... }:
{
  environment.systemPackages = with pkgs; [
    wireguard-tools
  ];

  # NOTE: key generation
  # umask 077
  # wg genkey > private
  # wg pubkey < private > public

  # Server
  age.secrets."wireguard/server.private" = {
    file = ../../../../secrets/home/wireguard/server.private.age;
    mode = "077";
  };
  age.secrets."wireguard/server.public" = {
    file = ../../../../secrets/home/wireguard/server.public.age;
  };

  networking.firewall.allowedUDPPorts = [51820];
  systemd.network = {
    netdevs = {
      "50-wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
          MTUBytes = "1300";
        };
        wireguardConfig = {
          PrivateKeyFile = config.age.secrets."wireguard/server.private".path;
          ListenPort = 51820;
        };
        wireguardPeers = [
          {
            # cheetah
            wireguardPeerConfig = {
              PublicKey = "CFTGvBcly791ClwyS6PzTjmqztvYJW2eklR7it/QhxI=";
              AllowedIPs = [
                "0.0.0.0/0"
                # "::/0"
              ];
            };
          }
        ];
      };
    };
    networks.wg0 = {
      matchConfig.Name = "wg0";
      address = ["10.100.0.1/24"];
      networkConfig = {
        IPMasquerade = "ipv4";
        IPForward = true;
      };
    };
  };
}
feat(jeeves): wireguard Add separate module for `wireguard` Rekey `jeeves_password` (use all `users`' keys) Add secrets related to Wireguard: server public/private, cheetah public Add a `.gitignore` for the private `limonka_age` key 2023-10-23 07:47:06 +02:00			`{ lib, pkgs, config, ... }:`
			`{`
			`environment.systemPackages = with pkgs; [`
			`wireguard-tools`
			`];`

			`# NOTE: key generation`
			`# umask 077`
			`# wg genkey > private`
			`# wg pubkey < private > public`

			`# Server`
			`age.secrets."wireguard/server.private" = {`
			`file = ../../../../secrets/home/wireguard/server.private.age;`
			`mode = "077";`
			`};`
			`age.secrets."wireguard/server.public" = {`
			`file = ../../../../secrets/home/wireguard/server.public.age;`
			`};`

			`networking.firewall.allowedUDPPorts = [51820];`
			`systemd.network = {`
			`netdevs = {`
			`"50-wg0" = {`
			`netdevConfig = {`
			`Kind = "wireguard";`
			`Name = "wg0";`
			`MTUBytes = "1300";`
			`};`
			`wireguardConfig = {`
			`PrivateKeyFile = config.age.secrets."wireguard/server.private".path;`
			`ListenPort = 51820;`
			`};`
			`wireguardPeers = [`
			`{`
			`# cheetah`
			`wireguardPeerConfig = {`
fix(jeeves): wireguard peer's `PublicKey` should not be a file 2023-10-23 08:24:31 +02:00			`PublicKey = "CFTGvBcly791ClwyS6PzTjmqztvYJW2eklR7it/QhxI=";`
feat(jeeves): wireguard Add separate module for `wireguard` Rekey `jeeves_password` (use all `users`' keys) Add secrets related to Wireguard: server public/private, cheetah public Add a `.gitignore` for the private `limonka_age` key 2023-10-23 07:47:06 +02:00			`AllowedIPs = [`
			`"0.0.0.0/0"`
			`# "::/0"`
			`];`
			`};`
			`}`
			`];`
			`};`
			`};`
			`networks.wg0 = {`
			`matchConfig.Name = "wg0";`
			`address = ["10.100.0.1/24"];`
			`networkConfig = {`
			`IPMasquerade = "ipv4";`
			`IPForward = true;`
			`};`
			`};`
			`};`
			`}`