[fugitive] Add wireguard interface

2023-09-28 20:38:04 +02:00
parent 1935ac96f3
commit fc14adf077
1 changed files with 25 additions and 3 deletions
--- a/lib/systems/fugitive/default.nix
+++ b/lib/systems/fugitive/default.nix
@@ -6,6 +6,14 @@ let
    ssh = [ 2322 2323 2324 ];
    gitea = 10010;
    headscale = 10020;
+    wg0 = 51820;
+  };
+
+  pubkeys = {
+    labyrinth = {
+      wg = "fGP6Iebdk31dDtreRmvrur+9IzRL56v3N/sw1ILGPSk=";
+      nix = "labyrinth-1:GCR2h5k9WFvome2mrFRBtiWw7sAn+pYZwXRwAj9W0b0=";
+    };
  };

 in
@@ -41,6 +49,22 @@ in
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
+    allowedUDPPorts = [ ports.wg0 ];
+  };
+
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = ["10.11.12.1/24" ];
+      listenPort = ports.wg0;
+      privateKeyFile = "/srv/wireguard/wg0.private";
+      generatePrivateKeyFile = true;
+
+      peers = [{
+        publicKey = pubkeys.labyrinth.wg;
+        allowedIPs = [ "10.11.12.2/32" ];
+      }];
+    };
  };

  security = {
@@ -58,9 +82,7 @@ in

  nix.settings = {
    trusted-users = [ "@wheel" ];
-    trusted-public-keys = [
-      "labyrinth-1:GCR2h5k9WFvome2mrFRBtiWw7sAn+pYZwXRwAj9W0b0="
-    ];
+    trusted-public-keys = [ pubkeys.labyrinth.nix ];
  };

  environment.systemPackages = with pkgs; [