Avery/NixOS
Avery/NixOS
1
0
Fork 0
Code Activity
NixOS/hosts/greatyamada/services/wireguard.nix

36 lines
1.1 KiB
Nix
Raw Blame History

{ pkgs, ... }:
let ports = import ./_port-definitions.nix;
in {
networking = {
nat = {
enable = true;
externalInterface = "enp5s0";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = with ports.udp; [ wireguard ];
wireguard = {
enable = true;
interfaces.wg0 = {
ips = [ "10.10.0.1/24" ];
listenPort = ports.udp.wireguard;
peers = [{
allowedIPs = [ "10.10.0.2/32" ];
name = "Pixel9a";
publicKey = "Y5A5iv0ukg1TQMcIdtXd+bmDxtrqHCuoEhYRmBqwkFY=";
presharedKeyFile = "/run/secrets/wireguard/preshared_keys/note9";
}];
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o enp5s0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.10.0.0/24 -o enp5s0 -j MASQUERADE
'';
privateKeyFile = "/run/secrets/wireguard/private_key";
};
};
};
sops.secrets = {
"wireguard/private_key" = { owner = "root"; };
"wireguard/preshared_keys/note9" = { owner = "root"; };
};
}
View git blame Copy permalink