services: Add wireguard service

2023-04-23 23:42:25 +01:00 · 2023-04-23 23:42:25 +01:00 · 4b822d94b0
commit 4b822d94b0
parent 9e7537acf8
4 changed files with 107 additions and 20 deletions
--- a/configuration/services/wireguard.nix
+++ b/configuration/services/wireguard.nix
@ -0,0 +1,71 @@
+{config, ...}: {
+  # iptables needs to permit forwarding from wg0 to wg0
+  networking.firewall.extraCommands = ''
+    iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
+  '';
+
+  systemd.network = {
+    netdevs = {
+      "20-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+          Description = "wg0 - wireguard tunnel";
+        };
+
+        wireguardConfig = {
+          ListenPort = 51820;
+          PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;
+          # Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=
+        };
+
+        wireguardPeers = [
+          {
+            # yui
+            wireguardPeerConfig = {
+              AllowedIPs = ["10.45.249.2/32"];
+              PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
+            };
+          }
+
+          {
+            # yuanyuan
+            wireguardPeerConfig = {
+              AllowedIPs = ["10.45.249.10/32"];
+              PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE=";
+            };
+          }
+        ];
+      };
+    };
+
+    networks = {
+      "20-wg0" = {
+        matchConfig.Name = "wg0";
+
+        networkConfig = {
+          Address = [
+            "10.45.249.1/32"
+            # TODO(tlater): Add IPv6 whenever that becomes relevant
+          ];
+
+          IPForward = "yes";
+          IPv4ProxyARP = "yes";
+        };
+
+        routes = [
+          {
+            routeConfig = {
+              Source = "10.45.249.0/24";
+              Destination = "10.45.249.0/24";
+              Gateway = "10.45.249.1";
+              GatewayOnLink = "no";
+            };
+          }
+        ];
+
+        linkConfig.RequiredForOnline = "no";
+      };
+    };
+  };
+}
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@ -1,22 +1,34 @@
 {
  sops = {
    defaultSopsFile = ../keys/production.yaml;
-    secrets."nextcloud/tlater" = {
-      owner = "nextcloud";
-      group = "nextcloud";
-    };
-    secrets."steam/tlater" = {};
-    secrets."heisenbridge/as-token" = {};
-    secrets."heisenbridge/hs-token" = {};
-    secrets."turn/env" = {};
-    secrets."turn/secret" = {
-      owner = "turnserver";
-    };
-    secrets."turn/ssl-key" = {
-      owner = "turnserver";
-    };
-    secrets."turn/ssl-cert" = {
-      owner = "turnserver";
+
+    secrets = {
+      "nextcloud/tlater" = {
+        owner = "nextcloud";
+        group = "nextcloud";
+      };
+
+      "steam/tlater" = {};
+
+      "heisenbridge/as-token" = {};
+      "heisenbridge/hs-token" = {};
+
+      "wireguard/server-key" = {
+        owner = "root";
+        group = "systemd-network";
+        mode = "0440";
+      };
+
+      "turn/env" = {};
+      "turn/secret" = {
+        owner = "turnserver";
+      };
+      "turn/ssl-key" = {
+        owner = "turnserver";
+      };
+      "turn/ssl-cert" = {
+        owner = "turnserver";
+      };
    };
  };
 }