From eb32e98e962e9d17d0343e4921e9775dfbbc58af Mon Sep 17 00:00:00 2001
From: Mathias Magnusson
Date: Mon, 1 Dec 2025 16:21:50 +0100
Subject: set up wireguard
---
 router.nix | 47 +++++++++++++++++++++++++++++++++++++++++------
 secrets/secrets.nix | 1 +
 secrets/wg-key.txt | 12 ++++++++++++
 3 files changed, 54 insertions(+), 6 deletions(-)
 create mode 100644 secrets/wg-key.txt
diff --git a/router.nix b/router.nix
index 3cc17bc..79c4f7b 100644
--- a/router.nix
+++ b/router.nix
@@ -10,28 +10,31 @@
 allowedUDPPorts = [
 53
 67
+ 51829
 ];
 extraForwardRules = ''
 iifname "ethlan" oifname "wlan-staff" accept
 iifname "ethlan" oifname "wlan-guest" accept
+ iifname "ethlan" oifname "wglan" accept
 iifname "wlan-staff" oifname "ethlan" accept
 iifname "wlan-staff" oifname "wlan-guest" accept
+ iifname "wlan-staff" oifname "wglan" accept
 iifname "wlan-guest" oifname "ethlan" accept
 iifname "wlan-guest" oifname "wlan-staff" accept
+ iifname "wlan-guest" oifname "wglan" accept
+
+ iifname "wglan" oifname "ethlan" accept
+ iifname "wglan" oifname "wlan-staff" accept
+ iifname "wglan" oifname "wlan-guest" accept
 '';
 };
 nat = {
 enable = true;
 externalInterface = "wan";
- internalInterfaces = [ "ethlan" "wlan" "docker0" ];
+ internalInterfaces = [ "ethlan" "wlan" "docker0" "wglan" ];
 forwardPorts = [
- {
- sourcePort = 51801;
- destination = "10.69.0.3:51801";
- proto = "udp";
- }
 {
 sourcePort = 80;
 destination = "10.69.0.3:80";
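Review bot: The six added accept rules make wglan a full peer of ethlan, wlan-staff and wlan-guest in both directions, so a WireGuard peer gets exactly the reach of a guest client and guest clients can in turn reach the peer's 10.69.3.2, and nothing in the hunk says whether that trust level is intended. If it is, a one-line comment above the new block saves the next reader from re-deriving it, e.g. `# wglan is trusted like any other internal interface, guest included`. The twelve pairwise rules could be collapsed into one nft set expression, but such an expression also matches iifname == oifname, so it is not a drop-in rewrite and does not belong in this commit. The enclosing firewall attribute set starts before the hunk.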
@@ -85,6 +88,32 @@
 linkConfig.RequiredForOnline = "routable";
 };
+ netdevs."20-wglan" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wglan";
+ };
+ wireguardConfig = {
+ ListenPort = 51829;
+ PrivateKeyFile = config.age.secrets."wg-key.txt".path;
+ RouteTable = "main";
+ };
+ wireguardPeers = [
+ {
+ # sleipner
+ PublicKey = "FqwkR+gKe/0JfFn3oXyyNDK8qh3LGMQw/t1pvGEHTBk=";
+ AllowedIPs = [ "10.69.3.2" ];
+ }
+ ];
+ };
+ networks."20-wglan" = {
+ matchConfig.Name = "wglan";
+ networkConfig = {
+ Address = "10.69.3.1/24";
+ IPv4Forwarding = true;
+ };
+ };
+
 # netdevs."10-vlan-staff" = {
 # netdevConfig = {
 # Kind = "vlan";
@@ -207,4 +236,10 @@
 age.secrets."wifi-password-staff.txt".file = ./secrets/wifi-password-staff.txt.age;
 age.secrets."wifi-password-guest.txt".file = ./secrets/wifi-password-guest.txt.age;
 age.secrets."hcloud-token.txt".file = ./secrets/hcloud-token.txt.age;
+ age.secrets."wg-key.txt" = {
+ file = ./secrets/wg-key.txt;
+ mode = "640";
+ owner = "systemd-network";
+ group = "systemd-network";
+ };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index acb5d8d..327112f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,6 +11,7 @@ let
 "wifi-password-guest.txt.age"
 "password-hash.txt.age"
 "hcloud-token.txt.age"
+ "wg-key.txt"
 ];
 in
 builtins.listToAttrs (
diff --git a/secrets/wg-key.txt b/secrets/wg-key.txt
new file mode 100644
index 0000000..ecbb12c
--- /dev/null
+++ b/secrets/wg-key.txt
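Review bot: `AllowedIPs = [ "10.69.3.2" ];` carries no prefix length while the address on the new networks."20-wglan" entry is written as `"10.69.3.1/24"`; as far as I can tell networkd treats a bare address as a single host, but `AllowedIPs = [ "10.69.3.2/32" ];` states that intent explicitly and keeps the two notations consistent. The peer entry also has no `PresharedKeyFile`; it is optional, but it is the one extra secret layer WireGuard offers and it would fit the same age-secret pattern already used for `PrivateKeyFile` on the line above. The enclosing systemd.network attribute set starts before and ends after the hunk.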
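Review bot: The new secret is the only one wired up without the `.age` suffix: `file = ./secrets/wg-key.txt;` sits next to three `./secrets/*.txt.age` references on the lines above, and the matching entry `"wg-key.txt"` added in the secrets/secrets.nix hunk likewise breaks the `*.age` pattern of its neighbours. The file added in the last hunk does start with `age-encryption.org/v1`, so it is ciphertext, but the suffix is the only signal in that directory that tells encrypted from plaintext material; I would rename it to `wg-key.txt.age` and reference it as `file = ./secrets/wg-key.txt.age;` here and `"wg-key.txt.age"` in secrets.nix. Separately, `mode = "640";` grants group read that nothing visible needs once `owner = "systemd-network";` is set, so `mode = "400";` is the least-privilege choice. The enclosing module attribute set starts before the hunk.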
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 rf0kpA UqQfVmwXbDBF/GaAWhswFVOZ6q6+awE86b9u9GYQMWc +vk7L5qY4iLIpLfYrct8yP0Fbv2+Nqy+3eWUO35XtFbQ +-> piv-p256 Ddzw4A A/oi+x9WXR7aqojRb5k45fg9UTideakot+njYl6cDc2W +yBq4t/iz1/3pYLajxwHFrt19q7JofqOrbpa/ubq2B7s +-> piv-p256 9aSbLw AkBLxq00GDe0yyBsOAjMM+zJNjSt69Sg3LE+8yXvILE7 +47WYr7oG28s8JwS01By2CxCn/pwMe3CEL1fSOZqF3Dg +-> ssh-ed25519 YS7/yg lcYISWM20EVlRhWNGTozn3UOflmqq4OMV5U8ZZHpgzE +QAbhpq9FCG2vXG5vyqDyg/ga8DKwoxoXQPVmYzOHb1E +--- E3c7qJOnjWSRFAt7vf2zeanYXyLr7O4eegxNM56EbqA +.g[,#Z!ʦ +,gpYF?G\E[j`(Kk#hh?dS rH \ No newline at end of file -- cgit v1.2.3