nixos/uk: Add WireGuard VPN for access
This commit is contained in:
parent
cff229f487
commit
72b8bd089c
@ -337,6 +337,15 @@ rec {
|
|||||||
britnet = {
|
britnet = {
|
||||||
domain = "bhx1.int.${pubDomain}";
|
domain = "bhx1.int.${pubDomain}";
|
||||||
pubV4 = "77.74.199.67";
|
pubV4 = "77.74.199.67";
|
||||||
|
vpn = {
|
||||||
|
port = 51820;
|
||||||
|
};
|
||||||
|
prefixes = with lib.my.net.cidr; rec {
|
||||||
|
vpn = {
|
||||||
|
v4 = "10.200.0.0/24";
|
||||||
|
v6 = "fdfb:5ebf:6e84::/64";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
tailscale = {
|
tailscale = {
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
let
|
let
|
||||||
inherit (lib.my) net;
|
inherit (lib.my) net;
|
||||||
inherit (lib.my.c) pubDomain;
|
inherit (lib.my.c) pubDomain;
|
||||||
inherit (lib.my.c.britnet) domain pubV4;
|
inherit (lib.my.c.britnet) domain pubV4 prefixes;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
nixos.systems.britnet = {
|
nixos.systems.britnet = {
|
||||||
@ -22,6 +22,13 @@ in
|
|||||||
gateway = "2a12:ab46:5344::1";
|
gateway = "2a12:ab46:5344::1";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
vpn = {
|
||||||
|
ipv4 = {
|
||||||
|
address = net.cidr.host 1 prefixes.vpn.v4;
|
||||||
|
gateway = null;
|
||||||
|
};
|
||||||
|
ipv6.address = net.cidr.host 1 prefixes.vpn.v6;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
|
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
|
||||||
@ -65,6 +72,12 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
systemPackages = with pkgs; [
|
||||||
|
wireguard-tools
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
iperf3 = {
|
iperf3 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -89,6 +102,28 @@ in
|
|||||||
networking = { inherit domain; };
|
networking = { inherit domain; };
|
||||||
|
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
|
netdevs = {
|
||||||
|
"30-wg0" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Name = "wg0";
|
||||||
|
Kind = "wireguard";
|
||||||
|
};
|
||||||
|
wireguardConfig = {
|
||||||
|
PrivateKeyFile = config.age.secrets."britnet/wg.key".path;
|
||||||
|
ListenPort = lib.my.c.britnet.vpn.port;
|
||||||
|
};
|
||||||
|
wireguardPeers = [
|
||||||
|
{
|
||||||
|
PublicKey = "EfPwREfZ/q3ogHXBIqFZh4k/1NRJRyq4gBkBXtegNkE=";
|
||||||
|
AllowedIPs = [
|
||||||
|
(net.cidr.host 10 prefixes.vpn.v4)
|
||||||
|
(net.cidr.host 10 prefixes.vpn.v6)
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
links = {
|
links = {
|
||||||
"10-veth0" = {
|
"10-veth0" = {
|
||||||
matchConfig.PermanentMACAddress = "00:db:d9:62:68:1a";
|
matchConfig.PermanentMACAddress = "00:db:d9:62:68:1a";
|
||||||
@ -110,6 +145,12 @@ in
|
|||||||
];
|
];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
"30-wg0" = mkMerge [
|
||||||
|
(networkdAssignment "wg0" assignments.vpn)
|
||||||
|
{
|
||||||
|
networkConfig.IPv6AcceptRA = mkForce false;
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -119,16 +160,25 @@ in
|
|||||||
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJIEx+1EC/lN6WKIaOB+O5LJgVHRK962YpZEPQg/m78O";
|
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJIEx+1EC/lN6WKIaOB+O5LJgVHRK962YpZEPQg/m78O";
|
||||||
files = {
|
files = {
|
||||||
"tailscale-auth.key" = {};
|
"tailscale-auth.key" = {};
|
||||||
|
"britnet/wg.key" = {
|
||||||
|
owner = "systemd-network";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
firewall = {
|
firewall = {
|
||||||
|
udp.allowed = [ lib.my.c.britnet.vpn.port ];
|
||||||
trustedInterfaces = [ "tailscale0" ];
|
trustedInterfaces = [ "tailscale0" ];
|
||||||
extraRules = ''
|
extraRules = ''
|
||||||
|
table inet filter {
|
||||||
|
chain forward {
|
||||||
|
iifname wg0 oifname veth0 accept
|
||||||
|
}
|
||||||
|
}
|
||||||
table inet nat {
|
table inet nat {
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
iifname tailscale0 oifname veth0 snat ip to ${assignments.allhost.ipv4.address}
|
iifname { tailscale0, wg0 } oifname veth0 snat ip to ${assignments.allhost.ipv4.address}
|
||||||
iifname tailscale0 oifname veth0 snat ip6 to ${assignments.allhost.ipv6.address}
|
iifname { tailscale0, wg0 } oifname veth0 snat ip6 to ${assignments.allhost.ipv6.address}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
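Review bot: In the `30-wg0` netdev the peer's `AllowedIPs` are produced by `net.cidr.host 10 prefixes.vpn.v4` / `.v6`, and if that helper returns the address together with the prefix length (e.g. `10.200.0.10/24` rather than `10.200.0.10/32`) the single peer is authorised to source traffic from the entire VPN range, which defeats WireGuard's cryptokey routing as soon as a second peer is added; please confirm the helper's output and, if needed, pin the entries to host-only /32 and /128 values. The peer block also sets no `PresharedKeyFile`; since the key material is already managed through age (`britnet/wg.key`), adding a per-peer PSK the same way is cheap and a common hardening step worth a comment such as `# TODO: add PresharedKeyFile for this peer`. The new `forward` rule only accepts `wg0 -> veth0`, so return traffic presumably relies on an established/related conntrack rule outside this hunk — worth a short comment on the rule saying so, as the `extraRules` block shown here does not establish it.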
|
13
secrets/britnet/wg.key.age
Normal file
13
secrets/britnet/wg.key.age
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHNqUFR5ZyBVVkI0
|
||||||
|
dE5YN1pJWExzLzltcmhna2tJUmdRNjZ1Y1hwbzdtRE0wa2hReTNBCk4ydmNFK0FF
|
||||||
|
b0RUdVl3a3d4amhKSEVhZWZPeHZDenBiTXpkVVFiNXFXNGsKLT4gWDI1NTE5IG9i
|
||||||
|
K0ZrNEc5SVlyWU1EbXdlbWppRG1DdjFRbTBCREY2OUxrMmVqNHhSazQKVnRaVmVn
|
||||||
|
MFBRL1dWeFNOaEwyU2szb1lOVzF1enQwdmVZZWRJcHd5MHdFbwotPiB2Wy1gUV8/
|
||||||
|
LWdyZWFzZSBdSDFebHsgKkBkVzl+KnggJTEKdlhrdzVpMHYxUUliQnhaYXNaVWNR
|
||||||
|
S3NxbjhFMEFGamZkRU1RNURhcmwzOGxFbGxXelhOdDBWTHBSY1hBcGFtUwpkampi
|
||||||
|
WnhzMDcxTk1seWZ6VURZb1l1QU1GdwotLS0gRFNpcXpDUFZLTXFJN3Z0bEJQd280
|
||||||
|
WGROWUVvdSt3ZUdBbmRNcGFhRE9BWQoDDlPEY/t2eapa4Xbv8FcW6gdLzQn7Y2cH
|
||||||
|
5UwD+0CTF3JdUpxWUIx9RWFleHekkt8j1+2/oO+m7+24yCg5mdqTJ3ZIwu9uk1eI
|
||||||
|
0As8IA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|