Parameterise wireguard

restic-rest-server
Simon Bruder 2020-12-05 14:39:36 +01:00
parent 8a63f8aac4
commit 74ddf83617
No known key found for this signature in database
GPG Key ID: 6F03E0000CC5B62F
6 changed files with 46 additions and 37 deletions


@ -16,6 +16,10 @@
sbruder = { sbruder = {
gui = true; gui = true;
restic.enable = true; restic.enable = true;
wireguard.home = {
enable = true;
address = "10.80.0.4";
};
}; };
boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2KB480G7_PHYS749202D6480BGN"; boot.loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2KB480G7_PHYS749202D6480BGN";
@ -30,6 +34,4 @@
}; };
networking.hostName = "nunotaba"; networking.hostName = "nunotaba";
networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ];
} }


@ -16,6 +16,10 @@
sbruder = { sbruder = {
gui = true; gui = true;
restic.enable = true; restic.enable = true;
wireguard.home = {
enable = true;
address = "10.80.0.5";
};
}; };
boot.loader.grub.device = "/dev/disk/by-id/ata-MTFDDAK256TBN-1AR15ABHA_UFZMQ01ZR50NMM"; boot.loader.grub.device = "/dev/disk/by-id/ata-MTFDDAK256TBN-1AR15ABHA_UFZMQ01ZR50NMM";
@ -41,6 +45,4 @@
}; };
networking.hostName = "sayuri"; networking.hostName = "sayuri";
networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.5/24" ];
} }


@ -27,6 +27,7 @@
./tools.nix ./tools.nix
./udev.nix ./udev.nix
./web.nix ./web.nix
./wireguard
]; ];
config = { config = {


@ -1,17 +1,8 @@
{ config, ... }: { config, ... }:
let
vpnNetRanges = config.networking.wireguard.interfaces.wg-home.ips;
vpnNetRange = builtins.elemAt vpnNetRanges 0;
vpnAddress = builtins.elemAt (builtins.split "/" vpnNetRange) 0;
in
{ {
imports = [
../wireguard/home.nix
];
services.prometheus.exporters.node = { services.prometheus.exporters.node = {
enable = true; enable = true;
listenAddress = vpnAddress; listenAddress = config.sbruder.wireguard.home.address;
enabledCollectors = [ "systemd " ]; enabledCollectors = [ "systemd " ];
}; };
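Review bot: The node exporter now binds to `config.sbruder.wireguard.home.address` on the `listenAddress` line, but nothing in this module ensures the tunnel is actually enabled on the host: the removed `imports = [ ../wireguard/home.nix ]` guaranteed the wg-home interface existed, whereas after this change `sbruder.wireguard.home.enable` can be false while `address` is still set, leaving the exporter trying to bind an address that is never configured. Tie the two together in the same module, `assertions = [ { assertion = config.sbruder.wireguard.home.enable; message = "prometheus node exporter listens on the wg-home address; enable sbruder.wireguard.home"; } ];`, so a misconfigured host fails at evaluation instead of at service start. The `services.prometheus.exporters.node` attrset is complete in the hunk, but the module's closing brace lies outside it.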


@ -0,0 +1,7 @@
{
imports = [
./home.nix
];
networking.wireguard.enable = true;
}
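Review bot: `networking.wireguard.enable = true;` is set unconditionally, so every machine importing the common module set loads the wireguard kernel module and gets wireguard-tools even when `sbruder.wireguard.home.enable` is false and no interface is defined; as far as I recall NixOS already defaults this option to whether any interface is defined, so the line is at best redundant and at worst adds an unused network-facing kernel module to hosts without a tunnel. The interface in home.nix is already gated on `cfg.enable`; gate this the same way, `networking.wireguard.enable = lib.mkDefault config.sbruder.wireguard.home.enable;` (which needs `{ lib, config, ... }:` as the module argument), or simply drop the line. The rendered section appears to omit one blank line of the 7-line file, but the attrset is otherwise complete.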


@ -1,28 +1,34 @@
# Module for setting up the shared part of my home wireguard network. { lib, config, ... }:
# Every machine using this still has to set the `ips` for the `wg-home` let
# interface and place the private key in their secrets directory as cfg = config.sbruder.wireguard.home;
# `wg-home_private_key` in
#
# Example:
#
# networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ];
{ config, ... }:
{ {
networking.wireguard = { options = {
enable = true; sbruder.wireguard.home = {
interfaces = { enable = lib.mkEnableOption "WireGuard tunnel wg-home";
wg-home = { address = lib.mkOption {
privateKeyFile = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key); type = lib.types.str;
peers = [ description = "IP(v4) address of the host";
{ example = "10.80.0.1";
allowedIPs = [ "10.80.0.0/24" ]; };
publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA="; privateKeyFile = lib.mkOption {
endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred type = lib.types.str;
persistentKeepalive = 25; description = "Private key file";
} default = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
];
}; };
}; };
}; };
config.networking.wireguard.interfaces.wg-home = lib.mkIf cfg.enable {
privateKeyFile = cfg.privateKeyFile;
ips = [ "${cfg.address}/24" ];
peers = [
{
allowedIPs = [ "10.80.0.0/24" ];
publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred
persistentKeepalive = 25;
}
];
};
} }
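Review bot: The `privateKeyFile` option is typed `lib.types.str` and documented only as "Private key file"; the default deliberately uses `toString` on a path so the key never enters the Nix store, but a caller who sets it as `"${./secrets/wg-home_private_key}"` passes the type check and copies the private key into the world-readable /nix/store. Say so in the option itself: `description = "Absolute path, as a string, to the wg-home private key; never an interpolated Nix path, which would copy the key into the world-readable Nix store.";`. The `address` option is described as "IP(v4) address of the host" while `ips = [ "${cfg.address}/24" ]` silently appends the prefix, so the description should state the value is given without a prefix length and must lie in 10.80.0.0/24; if you want that enforced at evaluation time, `type = lib.types.strMatching "10\\.80\\.0\\.[0-9]{1,3}";` rejects addresses outside the tunnel network. The `/24` and `10.80.0.0/24` literals are now written in two places and could share a single `let` binding so the network cannot drift between `ips` and `allowedIPs`.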