Add jupiter wireguard config
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
		| @@ -2,7 +2,7 @@ | ||||
|  | ||||
| ## Installation Instructions | ||||
|  | ||||
| 1. Provision an OVHcloud VPS on Ubuntu 22.04 | ||||
| 1. Provision an OVHcloud VPS (ideally running Ubuntu). | ||||
| 2. Add personal public key | ||||
| 3. Add a CNAME entry for `vps.karaolidis.com` pointing to the VPS IP/host | ||||
| 4. Run `hosts/jupiter-vps/install.sh` | ||||
|   | ||||
| @@ -4,47 +4,56 @@ | ||||
|   pkgs, | ||||
|   ... | ||||
| }: | ||||
| let | ||||
|   jupiterConfig = inputs.self.nixosConfigurations.jupiter.config; | ||||
|   publicInterface = "ens3"; | ||||
|   wireguardPort = 51820; | ||||
| in | ||||
| { | ||||
|   boot.kernel.sysctl."net.ipv4.ip_forward" = 1; | ||||
|  | ||||
|   networking.firewall = { | ||||
|     allowedTCPPorts = | ||||
|       inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedTCPPorts; | ||||
|  | ||||
|     allowedUDPPorts = [ | ||||
|       51820 | ||||
|     ] ++ inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedUDPPorts; | ||||
|   }; | ||||
|  | ||||
|   sops.secrets."wireguard" = { }; | ||||
|  | ||||
|   networking.wireguard.interfaces.wg0 = | ||||
|   networking = { | ||||
|     firewall = { | ||||
|       allowedTCPPorts = jupiterConfig.networking.firewall.allowedTCPPorts; | ||||
|       allowedUDPPorts = [ wireguardPort ] ++ jupiterConfig.networking.firewall.allowedUDPPorts; | ||||
|     }; | ||||
|  | ||||
|     wireguard.interfaces.wg0 = | ||||
|       let | ||||
|         iptables = "${pkgs.iptables}/bin/iptables"; | ||||
|       in | ||||
|     { | ||||
|       ips = [ "10.100.0.1/24" ]; | ||||
|       listenPort = 51820; | ||||
|       rec { | ||||
|         ips = [ "10.0.0.1/24" ]; | ||||
|         listenPort = wireguardPort; | ||||
|         privateKeyFile = config.sops.secrets."wireguard".path; | ||||
|  | ||||
|         postSetup = [ | ||||
|         "${iptables} -t nat -A PREROUTING -i ens3 -p tcp --dport 22 -j RETURN" | ||||
|         "${iptables} -t nat -A PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2" | ||||
|         "${iptables} -t nat -A POSTROUTING -o wg0 -j MASQUERADE" | ||||
|           "${iptables} -t nat -A PREROUTING -i ${publicInterface} -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN" | ||||
|           "${iptables} -t nat -A PREROUTING -i ${publicInterface} -p udp --dport ${builtins.toString listenPort} -j RETURN" | ||||
|           "${iptables} -t nat -A PREROUTING -i ${publicInterface} -j DNAT --to-destination 10.0.0.2" | ||||
|           "${iptables} -t nat -A POSTROUTING -d 10.0.0.2 -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN" | ||||
|           "${iptables} -t nat -A POSTROUTING -d 10.0.0.2 -p udp --dport ${builtins.toString listenPort} -j RETURN" | ||||
|           "${iptables} -t nat -A POSTROUTING -d 10.0.0.2 -j SNAT --to-source 10.0.0.1" | ||||
|         ]; | ||||
|  | ||||
|         postShutdown = [ | ||||
|         "${iptables} -t nat -D PREROUTING -i ens3 -p tcp --dport 22 -j RETURN" | ||||
|         "${iptables} -t nat -D PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2" | ||||
|         "${iptables} -t nat -D POSTROUTING -o wg0 -j MASQUERADE" | ||||
|           "${iptables} -t nat -D PREROUTING -i ${publicInterface} -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN" | ||||
|           "${iptables} -t nat -D PREROUTING -i ${publicInterface} -p udp --dport ${builtins.toString listenPort} -j RETURN" | ||||
|           "${iptables} -t nat -D PREROUTING -i ${publicInterface} -j DNAT --to-destination 10.0.0.2" | ||||
|           "${iptables} -t nat -D POSTROUTING -d 10.0.0.2 -p tcp --dport ${builtins.toString (builtins.elemAt config.services.openssh.ports 0)} -j RETURN" | ||||
|           "${iptables} -t nat -D POSTROUTING -d 10.0.0.2 -p udp --dport ${builtins.toString listenPort} -j RETURN" | ||||
|           "${iptables} -t nat -D POSTROUTING -d 10.0.0.2 -j SNAT --to-source 10.0.0.1" | ||||
|         ]; | ||||
|  | ||||
|         peers = [ | ||||
|           { | ||||
|             name = "jupiter"; | ||||
|           allowedIPs = [ "10.100.0.2/32" ]; | ||||
|             allowedIPs = [ "10.0.0.2/32" ]; | ||||
|             publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU="; | ||||
|           } | ||||
|         ]; | ||||
|       }; | ||||
|   }; | ||||
| } | ||||
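Review bot: The catch-all DNAT rule added in postSetup (`-i ${publicInterface} -j DNAT --to-destination 10.0.0.2`) rewrites every inbound port except SSH and the WireGuard port, and the `allowedTCPPorts`/`allowedUDPPorts` mirrored from jupiterConfig do not constrain it: those lists feed the INPUT chain, while DNAT'd packets traverse FORWARD, which this hunk leaves unfiltered. Unless something outside the hunk filters FORWARD, every port the VPS receives is relayed to jupiter, so the same port lists should drive the NAT rule, e.g. by building `-p tcp -m multiport --dports <allowed TCP ports>` (and the UDP equivalent) into the DNAT rule, or by dropping non-allowed forwarded traffic via `networking.firewall.extraCommands`. A second effect worth a comment: `-j SNAT --to-source 10.0.0.1` makes every relayed connection appear to jupiter as coming from 10.0.0.1, so jupiter-side logs, rate limiting and fail2ban-style detection lose the real client address; if that is intended, say so above the rule, otherwise route jupiter's replies back through wg0 instead of SNATing. Also `builtins.elemAt config.services.openssh.ports 0` exempts only the first configured SSH port, which is fine only as long as `services.openssh.ports` stays a single entry.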
|   | ||||
							
								
								
									
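--- /dev/null
+++ b/hosts/jupiter/configs/wireguard/default.nix
@@ -0,0 +1,31 @@
+{ config, inputs, ... }:
+let
+  jupiterVpsConfig = inputs.self.nixosConfigurations.jupiter-vps.config;
+  jupiterVpsPublicIPv4 = "51.75.170.190";
+  wireguardPort = jupiterVpsConfig.networking.wireguard.interfaces.wg0.listenPort;
+in
+{
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+  sops.secrets."wireguard" = { };
+
+  networking = {
+    firewall.allowedUDPPorts = [ wireguardPort ];
+
+    wireguard.interfaces.wg0 = {
+      ips = [ "10.0.0.2/24" ];
+      listenPort = wireguardPort;
+      privateKeyFile = config.sops.secrets."wireguard".path;
+
+      peers = [
+        {
+          name = "jupiter-vps";
+          allowedIPs = [ "10.0.0.1/32" ];
+          publicKey = "BCTr2uWYFr5nAy+VxVQ5SIly6w60dOXY91DpXAMiHjI=";
+          endpoint = "${jupiterVpsPublicIPv4}:${builtins.toString wireguardPort}";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}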
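Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` at the top of this new file turns jupiter into a router, but nothing in the file forwards anything: the VPS side delivers relayed traffic to 10.0.0.2, which is jupiter's own wg0 address, and the only peer's allowedIPs is `10.0.0.1/32`. Unless jupiter routes for other hosts elsewhere in its configuration, drop the sysctl or add a comment stating what it is for, since forwarding that nothing needs only widens what can be reached through this host. Similarly, `firewall.allowedUDPPorts = [ wireguardPort ]` opens the listen port inbound although jupiter dials out to the VPS endpoint with persistentKeepalive; harmless, but worth a one-line comment if deliberate. The literal `jupiterVpsPublicIPv4` duplicates the `vps.karaolidis.com` CNAME the README asks for; if the IP is pinned so the tunnel comes up without DNS, a comment such as `# Literal IP so wg0 comes up before DNS is reachable` would make that explicit.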
| @@ -26,6 +26,8 @@ | ||||
|     ../common/configs/system/users | ||||
|     ../common/configs/system/zsh | ||||
|  | ||||
|     ./configs/wireguard | ||||
|  | ||||
|     ./users/storm | ||||
|     ./users/nick | ||||
|   ]; | ||||
|   | ||||