60 lines
1.7 KiB
Nix
60 lines
1.7 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
pkgs,
|
|
...
|
|
}:
|
|
with lib;
|
|
with lib.custom; let
|
|
cfg = config.services.wg;
|
|
in {
|
|
options.services.wg = with types; {
|
|
enable = mkBoolOpt false "Enable wg service(s)";
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
networking.nat.enable = false;
|
|
networking.nat.externalInterface = "enp5s0";
|
|
networking.nat.internalInterfaces = ["wg0"];
|
|
networking.firewall = {
|
|
allowedUDPPorts = [51820];
|
|
|
|
extraCommands = ''
|
|
# Allow WireGuard peer to access only Jellyfin
|
|
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -s 10.100.0.2 -d 192.168.1.83 -j ACCEPT
|
|
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -s 10.100.0.3 -d 192.168.1.83 -j ACCEPT
|
|
'';
|
|
|
|
extraStopCommands = ''
|
|
# Clean up rules when stopping
|
|
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -s 10.100.0.2 -d 192.168.1.83 -j ACCEPT
|
|
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -s 10.100.0.3 -d 192.168.1.83 -j ACCEPT
|
|
'';
|
|
};
|
|
|
|
networking.wireguard.interfaces = {
|
|
wg0 = {
|
|
ips = ["10.100.0.1/24"];
|
|
|
|
listenPort = 51820;
|
|
|
|
privateKeyFile = "/home/zoey/wg-keys/private";
|
|
|
|
peers = [
|
|
# List of allowed peers.
|
|
{
|
|
# Feel free to give a meaning full name
|
|
# Public key of the peer (not a file path).
|
|
publicKey = "oxcliwRzjiYda7x90lv71R/PnnPxIWSVIjSjiv2DyBQ=";
|
|
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
|
|
allowedIPs = ["10.100.0.2/32" "192.168.1.83/32"];
|
|
}
|
|
{
|
|
publicKey = "+lWaMyRJOmijb3pSe8iufFO3lw2VW62uCn/ckJyAUxk=";
|
|
allowedIPs = ["10.100.0.3/32" "192.168.1.83/32"];
|
|
}
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|