wireguard-output module
This commit is contained in:
parent
7d7c00de4f
commit
3afeaa8934
@ -38,45 +38,6 @@
|
|||||||
iptables -X vpn
|
iptables -X vpn
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
nat = {
|
|
||||||
enable = true;
|
|
||||||
enableIPv6 = true;
|
|
||||||
externalInterface = "venet0";
|
|
||||||
internalInterfaces = [ "wg0" ];
|
|
||||||
};
|
|
||||||
wg-quick.interfaces = {
|
|
||||||
wg0 = {
|
|
||||||
address = [ "10.0.0.1/32" ];
|
|
||||||
listenPort = 51820;
|
|
||||||
privateKeyFile = "/etc/wireguard/privatekey";
|
|
||||||
postUp = ''
|
|
||||||
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
|
|
||||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
|
|
||||||
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
|
|
||||||
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
|
||||||
'';
|
|
||||||
preDown = ''
|
|
||||||
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
|
|
||||||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
|
|
||||||
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
|
|
||||||
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
|
||||||
'';
|
|
||||||
peers = [
|
|
||||||
{
|
|
||||||
publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
|
|
||||||
allowedIPs = [ "10.0.0.2/32" ];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
|
|
||||||
allowedIPs = [ "10.0.0.3/32" ];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
|
|
||||||
allowedIPs = [ "10.0.0.4/32" ];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
|
@ -22,7 +22,7 @@ in
|
|||||||
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
|
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
|
||||||
nova-ai = novaConfig (with mods; [ ivand ai ]);
|
nova-ai = novaConfig (with mods; [ ivand ai ]);
|
||||||
install-iso = configWithModules { modules = (with mods; [ grub base shell wireless ]); };
|
install-iso = configWithModules { modules = (with mods; [ grub base shell wireless ]); };
|
||||||
vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx ]); };
|
vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output ]); };
|
||||||
stara-miner = configWithModules { modules = (essential ++ [ mods.monero-miner ]); };
|
stara-miner = configWithModules { modules = (essential ++ [ mods.monero-miner ]); };
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -314,7 +314,7 @@ top@{ inputs, moduleWithSystem, ... }: {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
nginx = moduleWithSystem (toplevel@{ ... }: perSystem@{ config, pkgs, ... }: {
|
nginx = moduleWithSystem (toplevel@{ ... }: perSystem@{ pkgs, ... }: {
|
||||||
services = {
|
services = {
|
||||||
nginx =
|
nginx =
|
||||||
let
|
let
|
||||||
@ -408,5 +408,48 @@ top@{ inputs, moduleWithSystem, ... }: {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
wireguard-output = moduleWithSystem (toplevel@{ ... }: perSystem@{ pkgs, ... }: {
|
||||||
|
networking = {
|
||||||
|
nat = {
|
||||||
|
enable = true;
|
||||||
|
enableIPv6 = true;
|
||||||
|
externalInterface = "venet0";
|
||||||
|
internalInterfaces = [ "wg0" ];
|
||||||
|
};
|
||||||
|
wg-quick.interfaces = {
|
||||||
|
wg0 = let iptables = "${pkgs.iptables}/bin/iptables"; ip6tables = "${pkgs.iptables}/bin/ip6tables"; in {
|
||||||
|
address = [ "10.0.0.1/32" ];
|
||||||
|
listenPort = 51820;
|
||||||
|
privateKeyFile = "/etc/wireguard/privatekey";
|
||||||
|
postUp = ''
|
||||||
|
${iptables} -A FORWARD -i wg0 -j ACCEPT
|
||||||
|
${iptables} -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
|
||||||
|
${ip6tables} -A FORWARD -i wg0 -j ACCEPT
|
||||||
|
${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
||||||
|
'';
|
||||||
|
preDown = ''
|
||||||
|
${iptables} -D FORWARD -i wg0 -j ACCEPT
|
||||||
|
${iptables} -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
|
||||||
|
${ip6tables} -D FORWARD -i wg0 -j ACCEPT
|
||||||
|
${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
||||||
|
'';
|
||||||
|
peers = [
|
||||||
|
{
|
||||||
|
publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
|
||||||
|
allowedIPs = [ "10.0.0.2/32" ];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
|
||||||
|
allowedIPs = [ "10.0.0.3/32" ];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
|
||||||
|
allowedIPs = [ "10.0.0.4/32" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user