balsoft/nixos-config
1
0
Fork 0
Code Issues Releases Wiki Activity

Add wireguard

Browse Source
This commit is contained in:
Alexander Bantyev 2021-03-16 21:34:46 +03:00
parent 97fd1af40f
commit 654f707059
Signed by: balsoft
GPG Key ID: E081FF12ADCB4AD5
2 changed files with 35 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
modules/network.nix
View File

@ -1,14 +1,16 @@
{ pkgs, lib, config, ... }:
let
localRanges = [
{ from = 1714; to = 1764; } # KDE connect
localRanges = [{
from = 1714;
to = 1764;
} # KDE connect
];
in {
networking = {
networkmanager.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [ 13748 13722 5000 22 80 443 ];
allowedTCPPorts = [ 13748 13722 5000 22 80 443 51820 ];
interfaces.wlan0.allowedTCPPortRanges = localRanges;
interfaces.wlan0.allowedUDPPortRanges = localRanges;
interfaces.eth0.allowedUDPPortRanges = localRanges;
@ -25,4 +27,31 @@ in {
networking.firewall.trustedInterfaces = [ "eth0" ];
systemd.services.ModemManager.wantedBy =
lib.optional (config.device == "T490s-Laptop") "network.target";
secrets.wireguard-serokell = { };
networking.wireguard.interfaces.serokell = {
listenPort = 51820;
ips = [
"172.20.0.52/32"
# "fd73:7272:ed50::52/128"
];
privateKeyFile = config.secrets.wireguard-serokell.decrypted;
peers = [{
allowedIPs = [
"0.0.0.0/0"
# "::/0"
];
# endpoint = "serokell.net:35944";
endpoint = "147.75.100.17:35944";
publicKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw=";
persistentKeepalive = 24;
}];
};
# restart when the service fails to resolve DNS
systemd.services.wireguard-serokell.serviceConfig = {
Restart = "on-failure";
RestartSec = "30s";
};
}

4
modules/secrets.nix
View File

@ -35,7 +35,7 @@ let
};
services = mkOption {
type = listOf str;
default = [ "${name}.service" ];
default = [ "${name}" ];
};
__toString = mkOption {
readOnly = true;
@ -87,7 +87,7 @@ let
addDependencies = name: cfg:
with cfg;
genAttrs services (service: rec {
requires = [ "${name}-secrets" ];
requires = [ "${name}-secrets.service" ];
after = requires;
bindsTo = requires;
});