dotfiles/hosts/groceries/services/wireguard.nix
eriedaberrie c2380dad7b Initial commit
Note: not the actual initial commit.

I swear I will stop repeatedly force pushing to this single commit eventually
ok.
2024-09-21 00:45:42 -07:00


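# WireGuard hub for this host.
#
# - WireGuard listens on UDP `listenPort` and is additionally reachable through
#   a udp2raw tunnel on TCP `tcpPort`, for clients on networks that block UDP.
# - dnsmasq answers DNS for peers on the tunnel interface only.
# - Peer traffic is NATed out of `externalInterface`.
{ pkgs, config, ... }:
let
  interface = "wg0";
  externalInterface = "eth0";
  listenPort = 51821;
  tcpPort = 82;

  # The hub's own addresses inside the tunnel. The same strings are reused as
  # iptables `-s` matches below; iptables masks the host bits of a prefixed
  # address, so they match the whole /24 and /64.
  address4 = "10.0.0.1/24";
  address6 = "fdc9:281f:04d7:9ee9::1/64";

  iptables = "${pkgs.iptables}/bin/iptables";
  ip6tables = "${pkgs.iptables}/bin/ip6tables";

  # FORWARD / MASQUERADE rules for peer traffic. `action` is "-A" (postUp) or
  # "-D" (preDown) so both hooks come from one definition and cannot drift.
  # NOTE(review): networking.nat below is expected to install forward and
  # masquerade rules for `internalInterfaces` on its own, so these hooks may
  # be a second copy of the same rules — confirm before removing either.
  natRules = action: ''
    ${iptables} ${action} FORWARD -i ${interface} -j ACCEPT
    ${iptables} -t nat ${action} POSTROUTING -s ${address4} -o ${externalInterface} -j MASQUERADE
    ${ip6tables} ${action} FORWARD -i ${interface} -j ACCEPT
    ${ip6tables} -t nat ${action} POSTROUTING -s ${address6} -o ${externalInterface} -j MASQUERADE
  '';
in {
  # udp2raw server: accepts the obfuscated TCP tunnel on every address and
  # hands the inner UDP to the local WireGuard listener.
  #   -s  server mode
  #   -a  let udp2raw add and remove its own iptables rule for the raw socket
  # NOTE(review): no `-k`/`--key` is passed, so the tunnel runs with udp2raw's
  # built-in default key; anyone who knows that default can use the tunnel to
  # reach the WireGuard port (which the firewall also exposes directly on
  # UDP). WireGuard still authenticates peers, but consider feeding a key from
  # an agenix secret. The unit sets no User=, so udp2raw runs as root, which
  # it needs for raw sockets and iptables.
  systemd.services."udp2raw-${interface}" = {
    after = [ "network.target" ];
    # Bring the tunnel up before (and whenever) the WireGuard interface starts.
    before = [ "wg-quick-${interface}.service" ];
    wantedBy = [ "wg-quick-${interface}.service" ];
    serviceConfig = {
      ExecStart = "${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:${toString tcpPort} -r 127.0.0.1:${toString listenPort} -a";
    };
  };

  # DNS for peers: dnsmasq serves only the tunnel interface, and the firewall
  # below opens port 53 on that interface alone.
  services.dnsmasq = {
    enable = true;
    settings = {
      inherit interface;
    };
  };

  networking = {
    nat = {
      enable = true;
      inherit externalInterface;
      internalInterfaces = [ interface ];
      enableIPv6 = true;
    };

    firewall = {
      # Public side: WireGuard itself (UDP) and the udp2raw tunnel (TCP).
      # Drop `listenPort` here if clients are only ever meant to come in
      # through the tunnel.
      allowedUDPPorts = [ listenPort ];
      allowedTCPPorts = [ tcpPort ];
      # Tunnel side: DNS only.
      interfaces.${interface} = {
        allowedUDPPorts = [ 53 ];
        allowedTCPPorts = [ 53 ];
      };
    };

    wg-quick.interfaces = {
      ${interface} = {
        address = [ address4 address6 ];
        inherit listenPort;
        # Private key is provisioned by agenix at activation time and never
        # lands in the Nix store.
        privateKeyFile = config.age.secrets.wg-groceries.path;
        postUp = natRules "-A";
        preDown = natRules "-D";
        # Public keys are not secret. Each peer is pinned to one /32 and one
        # /128, so WireGuard's cryptokey routing only accepts packets from
        # that peer with exactly that source address.
        peers = [
          {
            publicKey = "mX5cMCXQbnovPOHDFdcV3egG3u9Xd3sci+mqUhFSz1Q=";
            allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
          }
          {
            publicKey = "Hkk76wQQ3dYY31GYUSHMIOBgiKDPqm00cKBLMzwTO1s=";
            allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ];
          }
        ];
      };
    };
  };
}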