services.wireguard: init
parent
cb849daf0a
commit
b1d885f62c
@ -211,6 +211,7 @@
|
||||
nginx.transparentProxy.externalIp = [ "192.168.82.3" ];
|
||||
misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
|
||||
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
|
||||
wireguard = { enable = true; peers = [ "vps6" ]; };
|
||||
};
|
||||
bugs =
|
||||
[
|
||||
@ -285,6 +286,7 @@
|
||||
httpua.enable = true;
|
||||
mirism.enable = true;
|
||||
fail2ban.enable = true;
|
||||
wireguard = { enable = true; peers = [ "pc" ]; };
|
||||
};
|
||||
};})
|
||||
];
|
||||
|
@ -38,6 +38,7 @@ inputs:
|
||||
./gitlab.nix
|
||||
./grafana.nix
|
||||
./fail2ban.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
options.nixos.services = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
|
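--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -0,0 +1,65 @@
+inputs:
+{
+options.nixos.services.wireguard = let inherit (inputs.lib) mkOption types; in
+{
+enable = mkOption { type = types.bool; default = false; };
+peers = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; default = []; };
+_peer = mkOption
+{
+type = types.attrsOf (types.submodule { options =
+{
+publicKey = mkOption { type = types.nonEmptyStr; };
+wireguardIp = mkOption { type = types.nonEmptyStr; };
+externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+lighthouse = mkOption { type = types.bool; default = false; };
+};});
+readOnly = true;
+default = # wg genkey | wg pubkey
+{
+vps6 =
+{
+publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
+wireguardIp = "192.168.83.1";
+externalIp = "74.211.99.69";
+lighthouse = true;
+};
+vps7 =
+{
+publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
+wireguardIp = "192.168.83.2";
+externalIp = "95.111.228.40";
+};
+pc = { publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw="; wireguardIp = "192.168.83.3"; };
+nas = { publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY="; wireguardIp = "192.168.83.4"; };
+};
+};
+};
+config =
+let
+inherit (inputs.lib) mkIf;
+inherit (inputs.config.nixos.services) wireguard;
+inherit (builtins) map;
+in mkIf wireguard.enable
+{
+networking =
+{
+firewall.allowedUDPPorts = [ 51820 ];
+wireguard.interfaces.wireguard =
+{
+ips = [ "${wireguard._peer.${inputs.config.nixos.system.networking.hostname}.wireguardIp}/24" ];
+listenPort = 51820;
+privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
+peers = map
+(peer:
+{
+publicKey = peer.publicKey;
+allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
+endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820";
+persistentKeepalive = 3;
+})
+(map (peer: wireguard._peer.${peer}) wireguard.peers);
+};
+};
+sops.secrets."wireguard/privateKey" = {};
+};
+}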
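Review bot: The `allowedIPs` line gives a lighthouse peer the whole `192.168.83.0/24`, so every host that lists it accepts traffic for any overlay address from that one key, and nothing on the line says this is intended. A comment such as `# lighthouse relays for the whole overlay, so it may source any 192.168.83.0/24 address` would record the trust decision. WireGuard keeps an allowed range on only one peer per interface, so if a second `_peer` entry is ever marked `lighthouse = true` and both are selected, the later one silently takes the range; an `assertions` entry limiting selected lighthouses to one would catch that at evaluation time. The `wireguard._peer.${peer}` lookup and the hostname lookup on the `ips` line also fail with a bare missing-attribute error for an unknown name, which an assertion with a readable message would improve.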
@ -17,6 +17,8 @@ nginx:
|
||||
detectAuth:
|
||||
chn: ENC[AES256_GCM,data:44vsExbVhO3gnD4Gme92eQ==,iv:LyDvZebs1sDL1/hZQiZdHoPBm4hXtBy56jR73zSH6Aw=,tag:w5xPHnK9XOSS0+97q8b5gQ==,type:str]
|
||||
maxmind-license: ENC[AES256_GCM,data:JbAnFQiDcJGwvb89sG2ro77nwwOWcDnqVcA902jwb2zzZci7PpXROw==,iv:eifkWK0oN73Ekn3oWzy6XbYK2GU+4tlnLPJ+96WOWJY=,tag:35ulsshxtUfOsSQOLgAt0g==,type:str]
|
||||
wireguard:
|
||||
privateKey: ENC[AES256_GCM,data:VPlB4wSbWqSYw3rYRwfAMa39xrPcPZfz7sV2Cq3rmOhifnUPwggxnA+51do=,iv:utnyrB6Yfe5O94Oq4HDVFm/lQ9ZBoyvUT68r2G2PdwA=,tag:snm01vA+z2yKK8d2i5i2ig==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -41,8 +43,8 @@ sops:
|
||||
by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
|
||||
kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-11-17T14:11:34Z"
|
||||
mac: ENC[AES256_GCM,data:8ii7sqkHlhdCAqBoDZEBU7Q6gNe6qyOby2ADyX5uaHu7kKe95+lCa14iqLZV5ekjIiNuTWLjOMmHtuZN5OiRVDIsmNMWKDv7Drt3CVpDv0dLC1Za0gNn7asmNnFh1Esfr1eLJuN09UY4qKN+LFbz4phxLh+f1CZBKTVTH5dHsbo=,iv:vnb/UB6miHo0D7HGGVxnoE0+kS+SRmFijPnlKIAmbuI=,tag:oQ9/JjG5Sn+y/bLxswOGaQ==,type:str]
|
||||
lastmodified: "2023-12-07T08:57:07Z"
|
||||
mac: ENC[AES256_GCM,data:Ihd7p3JU6zwn5tI3XkINrNJcsxdFjTsLdVpZLUvQez2jiNWq1kGP4QeJSBzqq/1Sgowc/PdWULlw8T21LitQalhBwaODVt/dNk0gkHYqrlDMVD90/MthAPKy+vT4YLhBkDC5W00em1qEfLYo5IXazM/0e1aZ7QcwEpp5775ICPc=,iv:Yp32/LLdcDHxdmXnwqJ6OiOm/4mipMlccSRXMMgO8gc=,tag:5T5R4JiJUsbKGrHjfVw92Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
version: 3.8.1
|
||||
|
@ -18,6 +18,8 @@ meilisearch:
|
||||
misskey-misskey: ENC[AES256_GCM,data:/wYR3Bz4LRk/Ks0vizlZS3Ebf5qVfnlBBqZEm/ZIBFdDuhddgu71cqCjTHIKQ6CYh3CoUyguKIIFWku/kOCHKA==,iv:dllKvZwxvZC4pVyEMOB9WNiVBsVxzo5kwbdYKCzzyrY=,tag:MvzqalVvBkyJoLbirN0V8Q==,type:str]
|
||||
nebula:
|
||||
key: ENC[AES256_GCM,data:kNm9hwMa/EhDeOCeZw1jEnroolTkeEeAxpSEDko6tHSDHwHbhfjr01ZzHKE=,iv:q2qCi99XgZJvRuF1dm16sK6BFIoa9QUN8p4LSiZq28o=,tag:ApOKdA91LBiWHv6TuXMkpA==,type:str]
|
||||
wireguard:
|
||||
privateKey: ENC[AES256_GCM,data:oIpiXJvEoyryS4eEutoe85Af0L5a5iNuOsCWCat9KEhr2ecY/vRimk/1fbA=,iv:dm2hTSNX7Q38yASon5o1jxEJZbWPXUWYydXYMBHF/sE=,tag:yrANhwIF/wHQGHGA1bfPgw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -42,8 +44,8 @@ sops:
|
||||
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
|
||||
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-11-11T11:10:21Z"
|
||||
mac: ENC[AES256_GCM,data:ro3ROIx/9+pnS2Cdz44NKYZ0kDDdLPZJyXkBpYSuCrkotLzyDrx9Kjx1FR4CrQQeA4hOPQ9Z5qJVC1shef+UgwDwemiUhR3zq9BQv0PmsRYilT19o2W9tmgfbM0NiXISeN9w0MttlBUASq7mBUDbTFRViL9fAppRixkANLxVxmw=,iv:YR6QQNYQoK3v6RHUUWerM2cXU5oYQkSRfr58QDnw5H4=,tag:6Ig+RlVySAYEEiZTo8bs3A==,type:str]
|
||||
lastmodified: "2023-12-07T08:55:33Z"
|
||||
mac: ENC[AES256_GCM,data:3WDgwrlyzb0QfhCpGEKSguLZpRE68APpUclQaP4/2O5pX8E/HZ9tXVQNNVeOqozHWIe8sM5/kvY4vXEiXc1t2qrJk4JdPNI7fMIWf7QAYQWcFDNbSquUNp1VSmNp3Aka3xSS1wyVWnQOs6JY9rdbmeOcLQq0jE2sNDvivtBeJJQ=,iv:xt94toLZ91J9Twigu4FiyeYIg27u9oPkzduCUaLIgts=,tag:chf+LnNJMrnMf191BorOvg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
version: 3.8.1
|
||||
|
@ -74,6 +74,8 @@ coturn:
|
||||
auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
|
||||
nebula:
|
||||
key: ENC[AES256_GCM,data:1zvyGKsyJESAbf6tUCy6hX93rDXEYNA5QBsqV4Ag4+cksToQ5IubchciQt4=,iv:ZG+pCofTTGx6LcJ05qohotRcX6MK4JsUzL2DfmKE4eI=,tag:o/Vm72d4QbfLXoSVwXZYhw==,type:str]
|
||||
wireguard:
|
||||
privateKey: ENC[AES256_GCM,data:4DKPPqQkjb33rQzFIz863A2arDRQA9AivWFBaWTf0xXDX4hWvJFiIlJQfvE=,iv:0R2TH3CMxHgwVjojzjE2Gnp8SXonmBDLWF7hB33NiX0=,tag:vgtV8JkuCdspleN/SvgIqQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -98,8 +100,8 @@ sops:
|
||||
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
|
||||
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-11-27T10:46:22Z"
|
||||
mac: ENC[AES256_GCM,data:renVu1WSVq06Yt5XAfTHhk4wZDxzwzROlstyc3HNiK3pUbXlJVIEXRBkSVa9i2YUWNAxRikjRVhpSOM9X1a5Yd9PLhOQx/jL3Ld2EwOScwI3Z1CGZ3JE1mtfBYA4O+idAywiu/Wy5T7VoeGWAfCP5/aByudlIiyK6JUCnkVNU18=,iv:EwpazsOCsv/5w2FcWZgiY/2Fin8TkmdYrfVjSx7ubFU=,tag:7xRyw4+HvfLQouV//dJhNA==,type:str]
|
||||
lastmodified: "2023-12-07T08:48:29Z"
|
||||
mac: ENC[AES256_GCM,data:0NVIoehQiamRpbmlU/D7Ixu472/z+m0pmRgJFN9meVPuX+Xb8lSuBjzH2cDwlAIi5wRsOUpDZebpnqAoxk0tU6Dysgsm74hZnpADq7xbumFwxK4xL6mXcOxxC01YE5MOpjjPlpEdFJ973PwPhgYhpu3ek+Yip97PIkMo4JAc/Nc=,iv:8aIaCTeisuafn+JT2HGk/E0lSAGE23HvCbdpk30yiXM=,tag:tOR2D+LK/c0GRXvepsgtKw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
version: 3.8.1
|
||||
|
@ -90,6 +90,8 @@ gitlab:
|
||||
grafana:
|
||||
secret: ENC[AES256_GCM,data:QYhopqGcHGr+24qYlfaTdMtnyzmIZYG4PcvS9KYqC24W3M+HmloCkPHh7Y3ZTVg8MnrDGOcbA9YPLdY7eh/u4g==,iv:dh7egVIem2bgDbmWJ1sqH9fLdIYbAIQjnjNvyuEjVq0=,tag:DbIRVHbCcpKGcNc6sDTasA==,type:str]
|
||||
chn: ENC[AES256_GCM,data:0bbjggWS1MdcUIQiQyPlBTULm+faKDpJbmZmV6vSw8k=,iv:am65WQzUE+AvQrQV+NSF5u6RCWn7EetyPsdy4Cuvyyw=,tag:lxNUM1cIYVSXVgwEnS1Hdw==,type:str]
|
||||
wireguard:
|
||||
privateKey: ENC[AES256_GCM,data:uMJ6TQOZrWEkeSWLF1KnN5/x2eQFIiaCDrr6Xt1bNfRAzY4l/ljYXBwzkann,iv:IY6lPxT4359QGeTDBENIOWaRZx1bMHh6xSu8/GvVsUY=,tag:3W+vU8jpQHle8/3eyAsfUQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -114,8 +116,8 @@ sops:
|
||||
SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
|
||||
HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-11-20T15:47:13Z"
|
||||
mac: ENC[AES256_GCM,data:n8vx3iRkmku3bOkkglONc8VHQTXSbO0jVrjrKEXwjvNnfk7mwBXK2YNu622V2Ap2BhmHvQjxD9Du/r2UE2+d5saCjtkhlt/HLQZlbjtiguL9xQj1qSG2MiU4kIC6rsKpNc9Ae93fOQ/LGjdIhZT6V5LNERyX84nbeXzCTBwRNbU=,iv:TAiBT2JKtFVwl8XrQ7Bl2Go9T6JC/tCQP747lAPtq+M=,tag:eIueYKVPBsX6iiT2pxv2+g==,type:str]
|
||||
lastmodified: "2023-12-07T08:53:58Z"
|
||||
mac: ENC[AES256_GCM,data:aon0ssJEEFBN7XEdvtFgVFVv5mPSeGxJdBCTIxj3eAUbFIuUKvjAz8jbIiMEZNHw7SQxNRbWO57zQmxwnHswWYtMYEgQO4nvZl7gOMvKqErh4rtltUHxmmG0Uv/ORZjqbebkiUN/UdiPPubICqrSAmdL1V/Irj1m7wD4KGcjF64=,iv:FV2YYKchx3qudpARV74P255i3L/sI/TnLqN6mlEC2ts=,tag:mqRLRvJyoRDcS5Heogx85A==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
version: 3.8.1
|
||||
|