From ed5623256cbfa4120bf9a93caec58cfc3b6a9d38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Fri, 24 Feb 2023 12:08:29 +0100 Subject: [PATCH] wireguard: init wireguard service --- modules/profiles/desktop.nix | 1 + modules/services/default.nix | 1 + modules/services/wireguard.nix | 41 +++++++++++++++++++++++++++++ secrets/secrets.nix | 2 ++ secrets/wireguard-preshared-key.age | 16 +++++++++++ secrets/wireguard-private-key.age | 15 +++++++++++ 6 files changed, 76 insertions(+) create mode 100644 modules/services/wireguard.nix create mode 100644 secrets/wireguard-preshared-key.age create mode 100644 secrets/wireguard-private-key.age diff --git a/modules/profiles/desktop.nix b/modules/profiles/desktop.nix index 4a9e5d8..ce5860d 100644 --- a/modules/profiles/desktop.nix +++ b/modules/profiles/desktop.nix @@ -96,6 +96,7 @@ with lib; { openvpn.enable = true; printing.enable = true; redshift.enable = true; + wireguard.enable = true; }; }; diff --git a/modules/services/default.nix b/modules/services/default.nix index 4d2b238..93930bd 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -12,5 +12,6 @@ ./picom.nix ./printing.nix ./redshift.nix + ./wireguard.nix ]; } diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix new file mode 100644 index 0000000..8b0bbfb --- /dev/null +++ b/modules/services/wireguard.nix @@ -0,0 +1,41 @@ +{ config +, lib +, pkgs +, ... +}: + +with lib; +let + cfg = config.my.services.wireguard; +in +{ + options.my.services.wireguard.enable = mkEnableOption "wireguard"; + + config = lib.mkIf cfg.enable { + age.secrets = { + wireguard-private-key.file = ../../secrets/wireguard-private-key.age; + wireguard-preshared-key.file = ../../secrets/wireguard-preshared-key.age; + }; + networking.firewall = { + allowedUDPPorts = [ 51820 ]; + }; + networking.wg-quick.interfaces = { + wg0 = { + autostart = false; + address = [ "10.8.0.3/24" ]; + listenPort = 51820; + privateKeyFile = "/run/agenix/wireguard-private-key"; + peers = [ + { + publicKey = "bT/U8ko3i//vH8LNn2R56JkGMg+0GLFrZSF81BBax08="; + presharedKeyFile = "/run/agenix/wireguard-preshared-key"; + # Forward all the traffic via VPN. + allowedIPs = [ "0.0.0.0/0" ]; + endpoint = "wg.moritzboeh.me:51820"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0862e22..c53e760 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -18,4 +18,6 @@ in "spotifyd.age".publicKeys = all; "ssh-home.age".publicKeys = all; "uni-vpn.age".publicKeys = all; + "wireguard-preshared-key.age".publicKeys = all; + "wireguard-private-key.age".publicKeys = all; } diff --git a/secrets/wireguard-preshared-key.age b/secrets/wireguard-preshared-key.age new file mode 100644 index 0000000..b766d8b --- /dev/null +++ b/secrets/wireguard-preshared-key.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-ed25519 CjuqfA HUg3FETh6ezG8DcEaFW/VYrzKoqpGKpWQKk2R+e4zzM +Hnj5vK3gT2+BpGVYfQBPnosUiBgp2shs4g3Va1Z1JzU +-> ssh-ed25519 QRYDmg vc5Qzx8lbFF6BYV/BVNDv7+4tvwdGV8nyUHoVEr1yEA +mp4s4Kg7UcS6HEcaZaFhypPQh6BzeeovpEzxn0Q91Q4 +-> ssh-ed25519 wG6LYg ZDy84tJ1nyrtCdOVlF464rPAmWEQXcP11B30+ccXJ2k +i+efuVas6vT9K55/soO2SOLxo29heQTR12gO5gx5SSI +-> ssh-ed25519 ZYd7Zg jmWJkTLgzrt3nU7KA3xRU37T3EriWngdbCC4GwS/pik +PYtUFRBv8yIuHgDrMJNdrsUsqjjKc/+hmvj1+pY3MpQ +-> ssh-ed25519 as9VYQ qpAgrLdj/1tLgGSH/ixGisVSBAoDB2A/nednmGKqLiM +AD6i7RrNgXcPW6ebr8T1vwsbGDQkWX/zNX7kLZ1bkTI +-> syy03-grease G1Yn Zq| $0 +EmxSuXdlQfAHuTHTAd4nvyFFhfOVswM9F79VwDNuXVkf/SatEO2uhCM4RmInrNhP +a7U1TNxhGd4HuT0k5wqaN2Vr67adR6Hh024vaTxw9OHneQ +--- 7AIOs1wK0DIhK+AVkPDlOZjzFLfhsqZlWXVkLnXNcN8 +!Ȯ^.CJ ]JNĺf0'ajy+ ?;༅w0wE`Sߤ'L#1ET.k= \ No newline at end of file diff --git a/secrets/wireguard-private-key.age b/secrets/wireguard-private-key.age new file mode 100644 index 0000000..7c50bee --- /dev/null +++ b/secrets/wireguard-private-key.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 CjuqfA EQLHOBOVfp+j3x+coXt1isDkG+LvsSYkU8PT1cg97FQ +NJWJKvmN4hUHsC34n1ap4HlipC0rGWlqrbgR4vm91YY +-> ssh-ed25519 QRYDmg LOvHPzC4zfX2rlQBxYwHoHhjftCyWnBRLXZ/aB1ekQM +lVtsflczWZwhBx4FZeJK6jtcUCvwQKIA5Gmbth2to9U +-> ssh-ed25519 wG6LYg nqcLDqaVL7D0seK7kW52vmG/lm0Nd28lBroYrRMVynI +oYA8E4DDR26gpRCdJMWtzoGvUTErI6GMSdF99kTNKtc +-> ssh-ed25519 ZYd7Zg vz3LZxq0+KTx6E4J0X6duivLP0TFtA8WaOQaiSmMcF4 +5g+3H/6J9FjsWifcfmEq8dz0hk4mpZhhJaEndPE3Mpw +-> ssh-ed25519 as9VYQ VIQ18yC/qEiP66hfCwWAbAbNCBypB47gbWkFg/TJmWE +MXK5RnuwAlKt676CPO0N/3BeM9gsgMPZNEG1DXq8uXA +-> 8kx-grease s%obC ~GOw1 C + +--- V8z981BPe2yVOaMCj2np9Vvvy/6zP8xHCFKRFwsceXs ++Xob_)