WIP: set up bpir3

steveej 2023-08-22 10:20:16 +02:00
parent 2bedcc0fd3
commit 3cd0eb718e
6 changed files with 96 additions and 65 deletions


@ -3,8 +3,11 @@
lib,
config,
repoFlake,
nodeName,
...
}: {
}: let
wireguardPort = 51820;
in {
networking.firewall.enable = true;
networking.nftables.enable = true;
@ -12,6 +15,10 @@
# iperf3
5201
];
networking.firewall.allowedUDPPorts = [
wireguardPort
];
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
@ -54,7 +61,7 @@
networking.nat = {
enable = true;
internalInterfaces = ["ve-*"];
internalInterfaces = ["ve-*" "wg*"];
externalInterface = "eth0";
};
@ -64,6 +71,28 @@
meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340;
'';
sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
networking.wireguard.enable = true;
networking.wireguard.interfaces.wg0 = {
# eth0 MTU (1400) - 80
mtu = 1320;
ips = [
"192.168.99.1/31"
];
listenPort =
wireguardPort;
privateKeyFile = config.sops.secrets.wg0-private.path;
peers = [
{
allowedIPs = ["192.168.99.2/32"];
publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0=";
presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path;
}
];
};
# virtualization
virtualisation = {docker.enable = false;};
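Review bot: The new `networking.wireguard.interfaces.wg0` block documents the MTU arithmetic but not the routing intent, which matters now that `networking.nat.internalInterfaces` also matches `wg*`: the peer's traffic sourced from 192.168.99.2 is masqueraded out `eth0`, and presumably forwarded towards the `ve-*` container side as well, since both are listed as internal interfaces. A one-line comment above `peers` such as `# responder only (no endpoint); peer traffic from 192.168.99.2 is masqueraded via eth0, see networking.nat` would make that reviewable, and if a full tunnel is not intended, the forward rules are where to narrow it. The `# eth0 MTU (1400) - 80` comment could say that 80 is the WireGuard overhead for an IPv6 outer packet (60 for IPv4), so the value is understood when the uplink changes. As a matter of style, `listenPort =` followed by `wireguardPort;` on its own line reads as an accident, and the identical `../../../../secrets/${nodeName}/secrets.yaml` path on the two `sops.secrets.*.sopsFile` lines could be bound once in the `let` block next to `wireguardPort`.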