nix-config/hosts/cirrus/wireguard-server.nix

{ config, ... }:
{
  networking.firewall = {
    allowedUDPPorts = [
      # wireguards
      51820
      51821
      34197
    ];
    allowedTCPPorts = [
      # port forward ssh to music
      2020
    ];
    # port-forward ssh to the music machine
    extraCommands = ''
      iptables -t nat -I PREROUTING -p tcp --dport 2020 -j DNAT --to-destination 10.34.45.101:22
      iptables -t nat -I PREROUTING -p udp --dport 34197 -j DNAT --to-destination 10.34.45.111:34197
      iptables ! -o lo -t nat -A POSTROUTING -j MASQUERADE
    '';
    extraStopCommands = ''
      iptables -t nat -D PREROUTING -p tcp --dport 2020 -j DNAT --to-destination 10.34.45.101:22 || true
      iptables -t nat -D PREROUTING -p udp --dport 34197 -j DNAT --to-destination 10.34.45.111:34197 || true
    '';
  };


  networking.wireguard.enable = true;

  systemd.network = {
    # oxalab
    netdevs."oxalab" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "oxalab";
        Description = "oxa's enterprise network";
      };
      wireguardConfig = {
        PrivateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
        ListenPort = 51820;
        # own pubkey: 5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=
      };
      wireguardPeers = [
        {
          # microwave
          wireguardPeerConfig = {
            PublicKey = "0zpfcNrmbsNwwbnDDX4SMl4BVTB0zuhGKixT9TJQoHc=";
            AllowedIPs = [ "10.66.66.10/32" ];
            PersistentKeepalive = 25;
          };
        }
        {
          # Dishwasher
          wireguardPeerConfig = {
            PublicKey = "AdWUBbyeRkxdP9HUu25PpISoxbgQ8oeCw3BmV93xtAw=";
            AllowedIPs = [ "10.66.66.100/32" ];
            PersistentKeepalive = 25;
          };
        }
      ];
    };
    networks."oxalab" = {
      matchConfig.Name = "oxalab";
      networkConfig = {
        Address = "10.66.66.1/24";
        IPForward = "ipv4";
      };
    };


    # oxaproxy
    netdevs."oxaproxy" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "oxaproxy";
        Description = "oxa's enterprise reverse-proxy network";
      };
      wireguardConfig = {
        PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
        #own pubkey 0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=
        ListenPort = 51821;
      };
      wireguardPeers = [
        # nextcloud
        {
          wireguardPeerConfig = {
            PublicKey = "KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0=";
            AllowedIPs = [ "10.34.45.100/32" ];
            PersistentKeepalive = 25;
          };
        }
        # music
        {
          wireguardPeerConfig = {
            PublicKey = "vQNkp51S9qLsu97dLPj0/EqFwvVtRFZpMHufgKhxum0=";
            AllowedIPs = [ "10.34.45.101/32" ];
            PersistentKeepalive = 25;
          };
        }
        # news
        {
          wireguardPeerConfig = {
            PublicKey = "guzNmsPcQw4EGSLU3X0SP+WPKAcoMc+xv9SLWdHV1V0=";
            AllowedIPs = [ "10.34.45.102/32" ];
            PersistentKeepalive = 25;
          };
        }
        {
          wireguardPeerConfig = {
            PublicKey = "6rwSThPEfTyYvMVSnHNcNPRntCHEQFyscF2SodI8A34=";
            AllowedIPs = [ "10.34.45.111/32" ];
            PersistentKeepalive = 25;
          };
        }
      ];
    };
    networks."oxaproxy" = {
      matchConfig.Name = "oxaproxy";
      networkConfig = {
        Address = "10.34.45.1/24";
      };
    };
  };
}
oxalab: init 2022-06-18 11:49:27 +02:00			`{ config, ... }:`
			`{`
add port forward for music 2023-01-30 23:30:48 +01:00			`networking.firewall = {`
			`allowedUDPPorts = [`
			`# wireguards`
			`51820`
			`51821`
add reverse proxy for factorio 2023-06-16 13:33:20 +02:00			`34197`
add port forward for music 2023-01-30 23:30:48 +01:00			`];`
			`allowedTCPPorts = [`
			`# port forward ssh to music`
			`2020`
			`];`
			`# port-forward ssh to the music machine`
			`extraCommands = ''`
			`iptables -t nat -I PREROUTING -p tcp --dport 2020 -j DNAT --to-destination 10.34.45.101:22`
add reverse proxy for factorio 2023-06-16 13:33:20 +02:00			`iptables -t nat -I PREROUTING -p udp --dport 34197 -j DNAT --to-destination 10.34.45.111:34197`
nat: exclude lo from masquerade 2023-02-08 16:38:58 +01:00			`iptables ! -o lo -t nat -A POSTROUTING -j MASQUERADE`
add port forward for music 2023-01-30 23:30:48 +01:00			`'';`
			`extraStopCommands = ''`
			`iptables -t nat -D PREROUTING -p tcp --dport 2020 -j DNAT --to-destination 10.34.45.101:22 \|\| true`
add reverse proxy for factorio 2023-06-16 13:33:20 +02:00			`iptables -t nat -D PREROUTING -p udp --dport 34197 -j DNAT --to-destination 10.34.45.111:34197 \|\| true`
add port forward for music 2023-01-30 23:30:48 +01:00			`'';`
			`};`


explicitly enable wireguard 2022-06-18 11:57:32 +02:00			`networking.wireguard.enable = true;`
add port forward for music 2023-01-30 23:30:48 +01:00
oxalab: init 2022-06-18 11:49:27 +02:00			`systemd.network = {`
oxaproxy: init 2022-06-19 22:09:13 +02:00			`# oxalab`
oxalab: init 2022-06-18 11:49:27 +02:00			`netdevs."oxalab" = {`
			`netdevConfig = {`
			`Kind = "wireguard";`
			`Name = "oxalab";`
			`Description = "oxa's enterprise network";`
			`};`
			`wireguardConfig = {`
			`PrivateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;`
			`ListenPort = 51820;`
			`# own pubkey: 5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=`
			`};`
			`wireguardPeers = [`
			`{`
Revert "retire toaster, refactor a bit" This reverts commit 5b47cc39c1d94d52a791e681fa3152754b9818cd. 2024-12-31 14:00:49 +00:00			`# microwave`
oxalab: init 2022-06-18 11:49:27 +02:00			`wireguardPeerConfig = {`
nixpkgs-fmt 2022-06-26 21:19:15 +02:00			`PublicKey = "0zpfcNrmbsNwwbnDDX4SMl4BVTB0zuhGKixT9TJQoHc=";`
			`AllowedIPs = [ "10.66.66.10/32" ];`
			`PersistentKeepalive = 25;`
			`};`
oxalab: init 2022-06-18 11:49:27 +02:00			`}`
			`{`
			`# Dishwasher`
			`wireguardPeerConfig = {`
nixpkgs-fmt 2022-06-26 21:19:15 +02:00			`PublicKey = "AdWUBbyeRkxdP9HUu25PpISoxbgQ8oeCw3BmV93xtAw=";`
			`AllowedIPs = [ "10.66.66.100/32" ];`
			`PersistentKeepalive = 25;`
			`};`
oxalab: init 2022-06-18 11:49:27 +02:00			`}`
			`];`
			`};`
			`networks."oxalab" = {`
			`matchConfig.Name = "oxalab";`
			`networkConfig = {`
set prefix size explicitly 2022-06-18 17:09:07 +02:00			`Address = "10.66.66.1/24";`
fix routing 2022-06-18 17:24:09 +02:00			`IPForward = "ipv4";`
oxalab: init 2022-06-18 11:49:27 +02:00			`};`
			`};`
oxaproxy: init 2022-06-19 22:09:13 +02:00

			`# oxaproxy`
			`netdevs."oxaproxy" = {`
			`netdevConfig = {`
			`Kind = "wireguard";`
			`Name = "oxaproxy";`
			`Description = "oxa's enterprise reverse-proxy network";`
			`};`
			`wireguardConfig = {`
			`PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;`
			`#own pubkey 0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=`
			`ListenPort = 51821;`
			`};`
oxaproxy: add nextcloud 2022-06-26 21:06:43 +02:00			`wireguardPeers = [`
			`# nextcloud`
			`{`
nixpkgs-fmt 2022-06-26 21:19:15 +02:00			`wireguardPeerConfig = {`
			`PublicKey = "KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0=";`
			`AllowedIPs = [ "10.34.45.100/32" ];`
			`PersistentKeepalive = 25;`
			`};`
			`}`
music: init 2023-01-24 20:40:41 +01:00			`# music`
			`{`
			`wireguardPeerConfig = {`
			`PublicKey = "vQNkp51S9qLsu97dLPj0/EqFwvVtRFZpMHufgKhxum0=";`
			`AllowedIPs = [ "10.34.45.101/32" ];`
			`PersistentKeepalive = 25;`
			`};`
			`}`
add news 2023-05-15 16:50:29 +02:00			`# news`
			`{`
			`wireguardPeerConfig = {`
			`PublicKey = "guzNmsPcQw4EGSLU3X0SP+WPKAcoMc+xv9SLWdHV1V0=";`
			`AllowedIPs = [ "10.34.45.102/32" ];`
			`PersistentKeepalive = 25;`
			`};`
			`}`
add reverse proxy for factorio 2023-06-16 13:33:20 +02:00			`{`
			`wireguardPeerConfig = {`
			`PublicKey = "6rwSThPEfTyYvMVSnHNcNPRntCHEQFyscF2SodI8A34=";`
			`AllowedIPs = [ "10.34.45.111/32" ];`
			`PersistentKeepalive = 25;`
			`};`
			`}`
oxaproxy: add nextcloud 2022-06-26 21:06:43 +02:00			`];`
oxaproxy: init 2022-06-19 22:09:13 +02:00			`};`
			`networks."oxaproxy" = {`
			`matchConfig.Name = "oxaproxy";`
			`networkConfig = {`
			`Address = "10.34.45.1/24";`
			`};`
			`};`
oxalab: init 2022-06-18 11:49:27 +02:00			`};`
			`}`