Add WireGuard
This commit is contained in:
Andrew Kvalheim
parent
774227085b
commit
d063762a6f
4 changed files with 38 additions and 0 deletions
|
|
@ -50,6 +50,13 @@ ln -rs "$HOME/src/configuration/common/packages.nix" "$HOME/.config/nixpkgs/over
|
|||
Host-specific secrets:
|
||||
|
||||
```bash
|
||||
# U2F
|
||||
pamu2fcfg > "$HOME/src/configuration/hosts/$HOST/local/resources/andrew.u2f" # Keychain
|
||||
pamu2fcfg -n >> "$HOME/src/configuration/hosts/$HOST/local/resources/andrew.u2f" # Backup
|
||||
|
||||
# Wireguard
|
||||
sudo mkdir '/var/lib/wireguard'
|
||||
gopass show --password "wireguard/$HOST" | sudo tee '/var/lib/wireguard/wg0.key' >/dev/null
|
||||
sudo chown root:systemd-network '/var/lib/wireguard/wg0.key'
|
||||
sudo chmod 640 '/var/lib/wireguard/wg0.key'
|
||||
```
|
||||
|
|
|
|||
|
|
@ -109,6 +109,7 @@ in
|
|||
virt-manager
|
||||
visidata
|
||||
whois
|
||||
wireguard-tools
|
||||
xorg.xev
|
||||
yq
|
||||
];
|
||||
|
|
|
|||
|
|
@ -24,6 +24,17 @@ in
|
|||
name = lib.mkOption { type = lib.types.str; };
|
||||
local = lib.mkOption { type = lib.types.path; };
|
||||
resources = lib.mkOption { type = lib.types.path; };
|
||||
wireguard = {
|
||||
ip = lib.mkOption { type = lib.types.str; };
|
||||
port = lib.mkOption { type = lib.types.int; };
|
||||
peers = lib.mkOption {
|
||||
type = lib.types.attrsOf (lib.types.submodule { options = {
|
||||
ip = lib.mkOption { type = lib.types.str; };
|
||||
key = lib.mkOption { type = lib.types.str; };
|
||||
endpoint = lib.mkOption { type = lib.types.str; };
|
||||
}; });
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
|
|
@ -76,6 +87,24 @@ in
|
|||
networking.hostName = host.name;
|
||||
networking.domain = "home.arpa";
|
||||
networking.search = [ "home.arpa" ];
|
||||
networking.extraHosts = lib.concatStringsSep "\n"
|
||||
(lib.mapAttrsToList (hostname: peer: "${peer.ip} ${hostname}") host.wireguard.peers);
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
netdevs."90-wg0" = {
|
||||
netdevConfig = { Name = "wg0"; Kind = "wireguard"; };
|
||||
wireguardConfig.PrivateKeyFile = "/var/lib/wireguard/wg0.key";
|
||||
wireguardPeers = lib.mapAttrsToList (_: peer: {
|
||||
wireguardPeerConfig = {
|
||||
AllowedIPs = [ "${peer.ip}/32" ];
|
||||
Endpoint = peer.endpoint;
|
||||
PublicKey = peer.key;
|
||||
};
|
||||
}) host.wireguard.peers;
|
||||
};
|
||||
networks."90-wg0" = { name = "wg0"; address = [ "${host.wireguard.ip}/24" ]; };
|
||||
};
|
||||
|
||||
# Workaround for `avahi-daemon[1234]: Failed to read /etc/avahi/services.`
|
||||
# Upstream: https://github.com/lathiat/avahi/blob/v0.8/avahi-daemon/static-services.c#L917-L919
|
||||
system.activationScripts.etcAvahiServices = "mkdir -p /etc/avahi/services";
|
||||
|
|
|
|||
|
|
@ -769,6 +769,7 @@ whitespace
|
|||
Whois
|
||||
windsports
|
||||
WIP
|
||||
WireGuard
|
||||
Wireshark
|
||||
WMS
|
||||
wordmark
|
||||
|
|
|
|||
Loading…
Reference in a new issue