From 48a2e3211d19fda4c821325a08b45e7841f85a40 Mon Sep 17 00:00:00 2001
From: Bun
Date: Wed, 16 Apr 2025 22:14:31 -0400
Subject: [PATCH] Update Wireguard client also
---
hosts/midas/default.nix | 2 +-
hosts/midas/firewall/default.nix | 28 -----------
hosts/midas/network/default.nix | 38 +++++++++++++++
hosts/midas/services/default.nix | 2 +-
hosts/tower/default.nix | 16 ++-----
hosts/tower/firewall/default.nix | 4 --
hosts/tower/network/default.nix | 15 ++++++
modules/system/services/general/default.nix | 1 +
.../services/general/wireguard/default.nix | 28 +++++++++++
.../server/wireguard/client/default.nix | 14 ------
.../services/server/wireguard/default.nix | 48 +++++++++++++++----
.../server/wireguard/server/default.nix | 42 ----------------
12 files changed, 128 insertions(+), 110 deletions(-)
delete mode 100644 hosts/midas/firewall/default.nix
create mode 100644 hosts/midas/network/default.nix
delete mode 100644 hosts/tower/firewall/default.nix
create mode 100644 hosts/tower/network/default.nix
create mode 100644 modules/system/services/general/wireguard/default.nix
delete mode 100644 modules/system/services/server/wireguard/client/default.nix
delete mode 100644 modules/system/services/server/wireguard/server/default.nix
diff --git a/hosts/midas/default.nix b/hosts/midas/default.nix
index fa37a4b3..a397cc72 100644
--- a/hosts/midas/default.nix
+++ b/hosts/midas/default.nix
@@ -4,8 +4,8 @@
 ./boot
 ./disko
 ./filesystems
- ./firewall
 ./hardware
+ ./network
 ./services
 ./users
 ../../modules/system
diff --git a/hosts/midas/firewall/default.nix b/hosts/midas/firewall/default.nix
deleted file mode 100644
index 5300b24b..00000000
--- a/hosts/midas/firewall/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ ... }:
-{
- networking.nftables.tables.forwarding = {
- family = "inet";
- content = ''
- chain incoming {
- type nat hook prerouting priority dstnat; policy accept;
- tcp dport 2211 dnat ip to 11.0.0.100:22 comment "Tower SSH"
- tcp dport 2222 dnat ip to 11.0.0.2:22 comment "Kitty SSH"
- tcp dport 2233 dnat ip to 11.0.0.101:22 comment "Envy SSH"
- tcp dport 2244 dnat ip to 11.0.0.102:22 comment "Intuos SSH"
-
- udp dport { 27005, 27015 } dnat ip to 11.0.0.100 comment "PC Hosted Games"
-
- tcp dport { 48010, 47989, 47984 } dnat ip to 11.0.0.100 comment "PC Sunshine TCP"
- udp dport { 47998, 47999, 48000 } dnat ip to 11.0.0.100 comment "PC Sunshine UDP"
- }
-
- chain forward {
- type nat hook postrouting priority 100; policy accept;
- masquerade
- }
- '';
- };
-
- # Enable IP forwarding for the server configuration
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-}
diff --git a/hosts/midas/network/default.nix b/hosts/midas/network/default.nix
new file mode 100644
index 00000000..bad705c8
--- /dev/null
+++ b/hosts/midas/network/default.nix
@@ -0,0 +1,38 @@ +{ ... }: +{ + networking = { + interfaces."eno1".ipv4.addresses = [{ + address = "10.2.0.1"; + prefixLength = 8; + }]; + defaultGateway = { + address = "10.1.0.1"; + interface = "eno1"; + }; + nftables.tables.forwarding = { + family = "inet"; + content = '' + chain incoming { + type nat hook prerouting priority dstnat; policy accept; + tcp dport 2211 dnat ip to 11.0.0.100:22 comment "Tower SSH" + tcp dport 2222 dnat ip to 11.0.0.2:22 comment "Kitty SSH" + tcp dport 2233 dnat ip to 11.0.0.101:22 comment "Envy SSH" + tcp dport 2244 dnat ip to 11.0.0.102:22 comment "Intuos SSH" + + udp dport { 27005, 27015 } dnat ip to 11.0.0.100 comment "PC Hosted Games" + + tcp dport { 48010, 47989, 47984 } dnat ip to 11.0.0.100 comment "PC Sunshine TCP" + udp dport { 47998, 47999, 48000 } dnat ip to 11.0.0.100 comment "PC Sunshine UDP" + } + + chain forward { + type nat hook postrouting priority 100; policy accept; + masquerade + } + ''; + }; + }; + + # Enable IP forwarding for the server configuration + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; +} diff --git a/hosts/midas/services/default.nix b/hosts/midas/services/default.nix index bb5e9572..0ccaab19 100644 --- a/hosts/midas/services/default.nix +++ b/hosts/midas/services/default.nix @@ -17,7 +17,7 @@ trilium-server.enable = true; vaultwarden.enable = true; webserver.enable = true; - wireguard.server.enable = true; + wg.server.enable = true; minecraft-servers = { enable = true; diff --git a/hosts/tower/default.nix b/hosts/tower/default.nix index e0aef159..bf95d667 100644 --- a/hosts/tower/default.nix +++ b/hosts/tower/default.nix @@ -4,23 +4,13 @@ ./boot ./disko ./filesystems - ./firewall ./hardware + ./network ./users ../../modules/system ]; - networking = { - hostName = "tower"; - vlans.internal = { - id=100; - interface="enp42s0"; - }; - interfaces.internal.ipv4.addresses = [{ - address = "11.0.0.100"; - prefixLength = 8; - }]; - }; + networking.hostName = "tower"; system = { desktop.enable = true; 
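Review bot: The `masquerade` rule in `chain forward` and the DNAT rules in `chain incoming` carry no interface match, so with 11.0.0.0/8 now reached over wg0 (the server module in this commit installs routes for the peers' AllowedIPs via `RouteTable = "main"`), connections DNAT'd to 11.0.0.100 presumably leave wg0 with the server's own tunnel address as source, and tower's sshd logs and any host firewall there no longer see the original client address. Scoping the rules to the upstream interface keeps the NAT where it is needed, e.g. `iifname "eno1" tcp dport 2211 dnat ip to 11.0.0.100:22 comment "Tower SSH"` on the DNAT lines and `oifname "eno1" masquerade` in the forward chain. `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` here duplicates the `IPv4Forwarding = true` the server module sets on wg0; one of the two could go, with a comment naming which is authoritative. I could not see `networking.nftables.enable` being set in this file, so I assume it comes from the shared modules.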
@@ -28,5 +18,7 @@ stateVersion = "24.05"; }; + services.wg.client.enable = true; + virtualisation.libvirtd.enable = true; } diff --git a/hosts/tower/firewall/default.nix b/hosts/tower/firewall/default.nix deleted file mode 100644 index 00705bd4..00000000 --- a/hosts/tower/firewall/default.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ ... }: -{ - networking.firewall.allowedUDPPorts = [ 27015 ]; -} diff --git a/hosts/tower/network/default.nix b/hosts/tower/network/default.nix new file mode 100644 index 00000000..623f0f19 --- /dev/null +++ b/hosts/tower/network/default.nix @@ -0,0 +1,15 @@ +{ ... }: +{ + networking.firewall.allowedUDPPorts = [ 27015 ]; + + systemd.network = { + netdevs."10-wg0".wireguardPeers = [ + { # Local server + PublicKey = "qnOT/lXOJMaQgDUdXpyfGZB2IEyUouRje2m/bCe9ux8="; + AllowedIPs = [ "11.0.0.0/8" ]; + Endpoint = "10.2.0.1:51820"; + } + ]; + networks."wg0".address = [ "11.0.0.100/8" ]; + }; +} diff --git a/modules/system/services/general/default.nix b/modules/system/services/general/default.nix index 22685c57..ccf19ea6 100644 --- a/modules/system/services/general/default.nix +++ b/modules/system/services/general/default.nix @@ -12,5 +12,6 @@ ./sunshine ./tlp ./userborn + ./wireguard ]; } diff --git a/modules/system/services/general/wireguard/default.nix b/modules/system/services/general/wireguard/default.nix new file mode 100644 index 00000000..a9d209c8 --- /dev/null +++ b/modules/system/services/general/wireguard/default.nix 
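Review bot: The `# Local server` peer block drops the `persistentKeepalive = 25` that the wg-quick client this commit deletes (modules/system/services/server/wireguard/client/default.nix) had for the same server key. The server side configures no Endpoint for this peer, so midas can only reach 11.0.0.100 — the target of its SSH, game and Sunshine DNAT rules — after tower has initiated a handshake, and if any NAT or stateful firewall sits between 10.2.0.1 and tower that mapping will lapse during idle periods; `PersistentKeepalive = 25;` in the peer block restores the previous behaviour. `Endpoint = "10.2.0.1:51820"` repeats the address assigned to midas's eno1 in hosts/midas/network/default.nix; a comment such as `# midas eno1, see hosts/midas/network` would tie the two together for the next edit.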
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+{
+ options.services.wg.client.enable = lib.mkEnableOption "Enable Wireguard client";
+
+ config = lib.mkIf config.services.wg.client.enable {
+ boot.kernelModules = [ "wireguard" ];
+
+ systemd.network = {
+ netdevs = {
+ "10-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = pkgs.writeText "wgclientsecret" config.secrets.wg.clientKey;
+ ListenPort = 9918;
+ };
+ };
+ };
+ networks."wg0" = {
+ matchConfig.Name = "wg0";
+ DHCP = "no";
+ };
+ };
+ };
+}
diff --git a/modules/system/services/server/wireguard/client/default.nix b/modules/system/services/server/wireguard/client/default.nix
deleted file mode 100644
index 2b10cd49..00000000
--- a/modules/system/services/server/wireguard/client/default.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ config, lib, ... }:
-{
- networking.wg-quick.interfaces.wgc = lib.mkIf config.services.wireguard.client.enable {
- privateKey = config.secrets.wg.clientKey;
- peers = [
- { # Home server
- publicKey = "qnOT/lXOJMaQgDUdXpyfGZB2IEyUouRje2m/bCe9ux8=";
- allowedIPs = [ "11.0.0.0/8" ];
- endpoint = "sv.nixfox.ca:51820";
- persistentKeepalive = 25;
- }
- ];
- };
-}
diff --git a/modules/system/services/server/wireguard/default.nix b/modules/system/services/server/wireguard/default.nix
index 60563b34..9b018b25 100644
--- a/modules/system/services/server/wireguard/default.nix
+++ b/modules/system/services/server/wireguard/default.nix
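Review bot: `PrivateKeyFile = pkgs.writeText "wgclientsecret" config.secrets.wg.clientKey` writes the client's private key into the Nix store, where it is world-readable on the host and travels with the closure to any cache or remote builder; the server module in this commit does the same with `"wgserversecret"`. The replaced wg-quick configuration had the same exposure, so this is not a regression, but `PrivateKeyFile` exists precisely so the key can live outside the store as a root-owned file readable by the `systemd-network` user, populated by whatever mechanism already provides `config.secrets`, e.g. `PrivateKeyFile = "/run/secrets/wg-client-key";` (placeholder path). `ListenPort = 9918` and `MTUBytes = "1300"` carry no comment explaining why a fixed client port and a pinned MTU are wanted, and `boot.kernelModules = [ "wireguard" ]` could say whether it is needed beyond what networkd loads when it creates the netdev; one short comment on each would help the next reader. Enabling both `services.wg.client` and `services.wg.server` on one host would declare two netdevs named wg0 (`10-wg0` here, `50-wg0` in the server module); an assertion ruling that out, or a distinct interface name, would make the conflict explicit.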
@@ -1,12 +1,44 @@ -{ lib, ... }: +{ config, lib, pkgs, ... }: { - imports = [ - ./client - ./server - ]; + options.services.wg.server.enable = lib.mkEnableOption "Enable Wireguard server"; - options.services.wireguard = with lib; { - client.enable = mkEnableOption "Enable Wireguard client"; - server.enable = mkEnableOption "Enable Wireguard server"; + config = lib.mkIf config.services.wg.server.enable { + systemd.network = { + netdevs = { + "50-wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + MTUBytes = "1300"; + }; + wireguardConfig = { + PrivateKeyFile = pkgs.writeText "wgserversecret" config.secrets.wg.serverKey; + ListenPort = 51820; + RouteTable = "main"; + }; + wireguardPeers = [ + { # NixOS Config Key + PublicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0="; + AllowedIPs = [ "11.0.0.0/8" ]; + } + { # Pixel 9 + PublicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4="; + AllowedIPs = [ "11.1.0.1/32" ]; + } + ]; + }; + }; + networks."wg0" = { + matchConfig.Name = "wg0"; + address = [ "11.0.0.1/8" ]; + networkConfig = { + IPMasquerade = "both"; + IPv4Forwarding = true; + IPv6Forwarding = true; + }; + }; + }; + + networking.firewall.allowedUDPPorts = [ 51820 ]; }; } diff --git a/modules/system/services/server/wireguard/server/default.nix b/modules/system/services/server/wireguard/server/default.nix deleted file mode 100644 index 97d5cc81..00000000 --- a/modules/system/services/server/wireguard/server/default.nix +++ /dev/null 
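Review bot: The single `# NixOS Config Key` peer carries `AllowedIPs = [ "11.0.0.0/8" ]`, so the server routes the whole range (minus the Pixel's /32) to whichever host last completed a handshake with that key; since the client module added in this commit lives under `general/` and reads one shared `config.secrets.wg.clientKey`, a second host enabling `services.wg.client` would presumably displace tower and break the DNAT targets 11.0.0.100, 11.0.0.2, 11.0.0.101 and 11.0.0.102 in hosts/midas/network. One peer per host, each with its own key and a /32 in AllowedIPs, keeps routing unambiguous and lets a single host's key be revoked; the `# NixOS Config Key` comment could then name the host it belongs to. `IPMasquerade = "both"` with `IPv4Forwarding`/`IPv6Forwarding` here overlaps the unconditional `masquerade` and the `ip_forward` sysctl in hosts/midas/network, giving two NAT rule sets to audit; `IPv6Forwarding` in particular looks unused, as wg0 is only given an IPv4 address. The `pkgs.writeText "wgserversecret"` store exposure is the same one raised on the client module.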
@@ -1,42 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- config = lib.mkIf config.services.wireguard.server.enable {
- systemd.network = {
- netdevs = {
- "50-wg0" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "wg0";
- MTUBytes = "1300";
- };
- wireguardConfig = {
- PrivateKeyFile = pkgs.writeText "wgserversecret" config.secrets.wg.serverKey;
- ListenPort = 51820;
- RouteTable = "main";
- };
- wireguardPeers = [
- { # NixOS Config Key
- PublicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
- AllowedIPs = [ "11.0.0.0/8" ];
- }
- { # Pixel 9
- PublicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4=";
- AllowedIPs = [ "11.1.0.1/32" ];
- }
- ];
- };
- };
- networks.wg0 = {
- matchConfig.Name = "wg0";
- address = [ "11.0.0.1/8" ];
- networkConfig = {
- IPMasquerade = "both";
- IPv4Forwarding = true;
- IPv6Forwarding = true;
- };
- };
- };
-
- networking.firewall.allowedUDPPorts = [ 51820 ];
- };
-}