From ae66cfd85411ddf15d544471c86ac27f214a4f62 Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Sat, 1 Mar 2025 16:45:28 +0000
Subject: [PATCH] Add jupiter wireguard config
Signed-off-by: Nikolaos Karaolidis
---
 hosts/jupiter-vps/README.md | 2 +-
 .../jupiter-vps/configs/wireguard/default.nix | 83 ++++++++++--------
 hosts/jupiter/configs/wireguard/default.nix | 31 +++++++
 hosts/jupiter/default.nix | 2 +
 4 files changed, 80 insertions(+), 38 deletions(-)
 create mode 100644 hosts/jupiter/configs/wireguard/default.nix
diff --git a/hosts/jupiter-vps/README.md b/hosts/jupiter-vps/README.md
index b3ee02b..0e10dac 100644
--- a/hosts/jupiter-vps/README.md
+++ b/hosts/jupiter-vps/README.md
@@ -2,7 +2,7 @@
 ## Installation Instructions
-1. Provision an OVHcloud VPS on Ubuntu 22.04
+1. Provision an OVHcloud VPS (ideally running Ubuntu).
 2. Add personal public key
 3. Add a CNAME entry for `vps.karaolidis.com` pointing to the VPS IP/host
 4. Run `hosts/jupiter-vps/install.sh`
diff --git a/hosts/jupiter-vps/configs/wireguard/default.nix b/hosts/jupiter-vps/configs/wireguard/default.nix
index 940dbba..8980d8d 100644
--- a/hosts/jupiter-vps/configs/wireguard/default.nix
+++ b/hosts/jupiter-vps/configs/wireguard/default.nix
@@ -4,47 +4,56 @@
 pkgs,
 ...
 }:
+let
+ jupiterConfig = inputs.self.nixosConfigurations.jupiter.config;
+ publicInterface = "ens3";
+ wireguardPort = 51820;
+in
 {
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- networking.firewall = {
- allowedTCPPorts =
- inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedTCPPorts;
-
- allowedUDPPorts = [
- 51820
- ] ++ inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedUDPPorts;
- };
-
 sops.secrets."wireguard" = { };
- networking.wireguard.interfaces.wg0 =
- let
- iptables = "${pkgs.iptables}/bin/iptables";
- in
- {
- ips = [ "10.100.0.1/24" ];
- listenPort = 51820;
- privateKeyFile = config.sops.secrets."wireguard".path;
-
- postSetup = [
- "${iptables} -t nat -A PREROUTING -i ens3 -p tcp --dport 22 -j RETURN"
- "${iptables} -t nat -A PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2"
- "${iptables} -t nat -A POSTROUTING -o wg0 -j MASQUERADE"
- ];
-
- postShutdown = [
- "${iptables} -t nat -D PREROUTING -i ens3 -p tcp --dport 22 -j RETURN"
- "${iptables} -t nat -D PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2"
- "${iptables} -t nat -D POSTROUTING -o wg0 -j MASQUERADE"
- ];
-
- peers = [
- {
- name = "jupiter";
- allowedIPs = [ "10.100.0.2/32" ];
- publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU=";
- }
- ];
+ networking = {
+ firewall = {
+ allowedTCPPorts = jupiterConfig.networking.firewall.allowedTCPPorts;
+ allowedUDPPorts = [ wireguardPort ] ++ jupiterConfig.networking.firewall.allowedUDPPorts;
 };
+
+ wireguard.interfaces.wg0 =
+ let
+ iptables = "${pkgs.iptables}/bin/iptables";
+ in
+ rec {
+ ips = [ "10.0.0.1/24" ];
+ listenPort = wireguardPort;
+ privateKeyFile = config.sops.secrets."wireguard".path;
+
+ postSetup = [
+ "${iptables} -t nat -A PREROUTING -i ${publicInterface} -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN"
+ "${iptables} -t nat -A PREROUTING -i ${publicInterface} -p udp --dport 
${builtins.toString listenPort} -j RETURN"
+ "${iptables} -t nat -A PREROUTING -i ${publicInterface} -j DNAT --to-destination 10.0.0.2"
+ "${iptables} -t nat -A POSTROUTING -d 10.0.0.2 -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN"
+ "${iptables} -t nat -A POSTROUTING -d 10.0.0.2 -p udp --dport ${builtins.toString listenPort} -j RETURN"
+ "${iptables} -t nat -A POSTROUTING -d 10.0.0.2 -j SNAT --to-source 10.0.0.1"
+ ];
+
+ postShutdown = [
+ "${iptables} -t nat -D PREROUTING -i ${publicInterface} -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN"
+ "${iptables} -t nat -D PREROUTING -i ${publicInterface} -p udp --dport ${builtins.toString listenPort} -j RETURN"
+ "${iptables} -t nat -D PREROUTING -i ${publicInterface} -j DNAT --to-destination 10.0.0.2"
+ "${iptables} -t nat -D POSTROUTING -d 10.0.0.2 -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN"
+ "${iptables} -t nat -D POSTROUTING -d 10.0.0.2 -p udp --dport ${builtins.toString listenPort} -j RETURN"
+ "${iptables} -t nat -D POSTROUTING -d 10.0.0.2 -j SNAT --to-source 10.0.0.1"
+ ];
+
+ peers = [
+ {
+ name = "jupiter";
+ allowedIPs = [ "10.0.0.2/32" ];
+ publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU=";
+ }
+ ];
+ };
+ };
 }
diff --git a/hosts/jupiter/configs/wireguard/default.nix b/hosts/jupiter/configs/wireguard/default.nix
new file mode 100644
index 0000000..d6a3354
--- /dev/null
+++ b/hosts/jupiter/configs/wireguard/default.nix
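Review bot: The DNAT rule `-i ${publicInterface} -j DNAT --to-destination 10.0.0.2` in postSetup relays every protocol and port that reaches the public interface to jupiter apart from the two RETURN exceptions, while the mirrored `allowedTCPPorts`/`allowedUDPPorts` only shape the VPS's INPUT chain, which DNATed packets do not traverse; nothing in this hunk filters the FORWARD path, so the effective exposure of jupiter appears to be whatever jupiter's own firewall permits, and it would be tighter to restrict the DNAT to the mirrored lists (e.g. `-p tcp -m multiport --dports <comma-joined allowedTCPPorts>` plus the UDP equivalent) or to add matching FORWARD rules. The SSH exception reads only `builtins.elemAt config.services.openssh.ports 0`, so any further sshd listen port would be forwarded to jupiter instead of reaching the VPS. The `SNAT --to-source 10.0.0.1` rule also rewrites the source of every forwarded connection, so jupiter-side logs and any rate-limiting or banning tooling see 10.0.0.1 rather than the real client; if that is intentional it deserves a comment next to the rule, e.g. `# all forwarded traffic is SNATed to 10.0.0.1 so replies return via wg0; jupiter never sees client IPs`. The module's argument list begins before this hunk.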
@@ -0,0 +1,31 @@
+{ config, inputs, ... }:
+let
+ jupiterVpsConfig = inputs.self.nixosConfigurations.jupiter-vps.config;
+ jupiterVpsPublicIPv4 = "51.75.170.190";
+ wireguardPort = jupiterVpsConfig.networking.wireguard.interfaces.wg0.listenPort;
+in
+{
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+ sops.secrets."wireguard" = { };
+
+ networking = {
+ firewall.allowedUDPPorts = [ wireguardPort ];
+
+ wireguard.interfaces.wg0 = {
+ ips = [ "10.0.0.2/24" ];
+ listenPort = wireguardPort;
+ privateKeyFile = config.sops.secrets."wireguard".path;
+
+ peers = [
+ {
+ name = "jupiter-vps";
+ allowedIPs = [ "10.0.0.1/32" ];
+ publicKey = "BCTr2uWYFr5nAy+VxVQ5SIly6w60dOXY91DpXAMiHjI=";
+ endpoint = "${jupiterVpsPublicIPv4}:${builtins.toString wireguardPort}";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
diff --git a/hosts/jupiter/default.nix b/hosts/jupiter/default.nix
index 5322fdd..d6b8854 100644
--- a/hosts/jupiter/default.nix
+++ b/hosts/jupiter/default.nix
@@ -26,6 +26,8 @@
 ../common/configs/system/users
 ../common/configs/system/zsh
+ ./configs/wireguard
+
 ./users/storm
 ./users/nick
 ];
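Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` in the new jupiter module is not needed by anything this file configures — the host only terminates the tunnel and receives traffic addressed to its own 10.0.0.2 — so unless another module relies on it, it enables routing between jupiter's interfaces for no benefit here; it looks copied from the VPS side, where forwarding is what makes the DNAT work, and could be dropped or justified in a comment. The `allowedIPs = [ "10.0.0.1/32" ]` entry is coupled to the VPS-side SNAT: WireGuard's cryptokey routing will only accept tunnel packets sourced from 10.0.0.1, so if the VPS ever stops rewriting the source address the forwarded traffic is dropped at this peer, and a comment such as `# the VPS SNATs all forwarded traffic to 10.0.0.1; widen allowedIPs if that changes` would record the dependency. The file also lacks a header; a one-line comment stating that this tunnel carries the VPS's public traffic via DNAT and that `jupiterVpsPublicIPv4` must track the VPS's address would help the next reader.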