wireguard-output module

This commit is contained in:
Ivan Kirilov Dimitrov 2024-08-05 18:40:34 +02:00
parent 7d7c00de4f
commit 3afeaa8934
No known key found for this signature in database
GPG Key ID: 0BDAD4B211C49294
3 changed files with 45 additions and 41 deletions


@ -38,45 +38,6 @@
iptables -X vpn iptables -X vpn
''; '';
}; };
nat = {
enable = true;
enableIPv6 = true;
externalInterface = "venet0";
internalInterfaces = [ "wg0" ];
};
wg-quick.interfaces = {
wg0 = {
address = [ "10.0.0.1/32" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/privatekey";
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
'';
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
'';
peers = [
{
publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
allowedIPs = [ "10.0.0.2/32" ];
}
{
publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
allowedIPs = [ "10.0.0.3/32" ];
}
{
publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
allowedIPs = [ "10.0.0.4/32" ];
}
];
};
};
}; };
users = { users = {


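--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -22,7 +22,7 @@ in
 nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
 nova-ai = novaConfig (with mods; [ ivand ai ]);
 install-iso = configWithModules { modules = (with mods; [ grub base shell wireless ]); };
-vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx ]); };
+vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output ]); };
 stara-miner = configWithModules { modules = (essential ++ [ mods.monero-miner ]); };
 };
 }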


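--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -314,7 +314,7 @@ top@{ inputs, moduleWithSystem, ... }: {
 };
 };
 });
-nginx = moduleWithSystem (toplevel@{ ... }: perSystem@{ config, pkgs, ... }: {
+nginx = moduleWithSystem (toplevel@{ ... }: perSystem@{ pkgs, ... }: {
 services = {
 nginx =
 let
@@ -408,5 +408,48 @@ top@{ inputs, moduleWithSystem, ... }: {
 };
 };
 });
+wireguard-output = moduleWithSystem (toplevel@{ ... }: perSystem@{ pkgs, ... }: {
+networking = {
+nat = {
+enable = true;
+enableIPv6 = true;
+externalInterface = "venet0";
+internalInterfaces = [ "wg0" ];
+};
+wg-quick.interfaces = {
+wg0 = let iptables = "${pkgs.iptables}/bin/iptables"; ip6tables = "${pkgs.iptables}/bin/ip6tables"; in {
+address = [ "10.0.0.1/32" ];
+listenPort = 51820;
+privateKeyFile = "/etc/wireguard/privatekey";
+postUp = ''
+${iptables} -A FORWARD -i wg0 -j ACCEPT
+${iptables} -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
+${ip6tables} -A FORWARD -i wg0 -j ACCEPT
+${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
+'';
+preDown = ''
+${iptables} -D FORWARD -i wg0 -j ACCEPT
+${iptables} -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
+${ip6tables} -D FORWARD -i wg0 -j ACCEPT
+${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
+'';
+peers = [
+{
+publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
+allowedIPs = [ "10.0.0.2/32" ];
+}
+{
+publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
+allowedIPs = [ "10.0.0.3/32" ];
+}
+{
+publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
+allowedIPs = [ "10.0.0.4/32" ];
+}
+];
+};
+};
+};
+});
 };
 }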
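Review bot: In the new `wireguard-output` module the ip6tables lines in `postUp`/`preDown` (the v6 FORWARD accept and the `-s fdc9:281f:04d7:9ee9::1/64` MASQUERADE) refer to a prefix that wg0 is never given — `address` lists only `10.0.0.1/32` and none of the three peers has an IPv6 entry in `allowedIPs` — so with `enableIPv6 = true` these rules are dead on this interface today and would silently become a forwarding path if a v6 address is added later without revisiting them; either add the ULA address to `address` plus v6 `allowedIPs` on the peers, or drop the two ip6tables lines and `enableIPv6`. The hand-written MASQUERADE rules also appear to duplicate what `networking.nat` with `internalInterfaces = [ "wg0" ]` already installs on NixOS, so one of the two mechanisms is likely redundant and worth checking against the generated nat table. Nothing in this hunk opens the listen port in the NixOS firewall; if that is not done elsewhere, `networking.firewall.allowedUDPPorts = [ 51820 ];` belongs next to `listenPort`. Finally, `-s 10.0.0.1/24` is a non-canonical network address that iptables normalises to 10.0.0.0/24; writing `-s 10.0.0.0/24` in both rules states the intent explicitly.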