CaZzzer/nix-conf
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WIP: router: wireguard: change wg0 subnets to not conflict with opnsense

Browse Source
This commit is contained in:
Yuri Tatishchev 2025-05-29 22:01:38 -07:00
parent 378d3a53b3
commit fd1e7b4724
Signed by: CaZzzer
SSH Key Fingerprint: SHA256:sqXB3fe0LMpfH+IeM/vlmxKdso52kssrIJBlwKXVe1U
3 changed files with 25 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@ -0,0 +1,5 @@
### Nix template
# Ignore build outputs from performing a nix-build or `nix build` command
result
result-*

12
hosts/router/vars.nix
View File

@ -99,6 +99,18 @@ rec {
}; };
}; };
wg = {
wg0 = rec {
name = "wg0";
p4 = "10.18.16"; # .0/24
addr4 = "${p4}.1";
addr4Sized = "${addr4}/24";
p6 = "${pdFromWan}f::6"; # :0:0/96
addr6 = "${p6}:0:1";
addr6Sized = "${addr6}/96";
};
};
extra = { extra = {
opnsense = rec { opnsense = rec {
addr4 = "${ifs.lan.p4}.250"; addr4 = "${ifs.lan.p4}.250";

20
hosts/router/wireguard.nix
View File

@ -1,25 +1,27 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
vars = import ./vars.nix; vars = import ./vars.nix;
wg0 = vars.wg.wg0;
wg0Peers = { wg0Peers = {
"Yura-TPX13" = { "Yura-TPX13" = {
allowedIPs = [ "10.6.0.3/32" "${vars.extra.opnsense.p6}::6:3:0/112" ]; allowedIPs = [ "${wg0.p4}.3/32" "${wg0.p6}:3:0/112" ];
publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08="; publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
pskEnabled = true; pskEnabled = true;
}; };
"Yura-Pixel7Pro" = { "Yura-Pixel7Pro" = {
allowedIPs = [ "10.6.0.4/32" "${vars.extra.opnsense.p6}::6:4:0/112" ]; allowedIPs = [ "${wg0.p4}.4/32" "${wg0.p6}:4:0/112" ];
publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4="; publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
pskEnabled = true; pskEnabled = true;
}; };
"AsusS513" = { "AsusS513" = {
allowedIPs = [ "10.6.0.100/32" ]; allowedIPs = [ "${wg0.p4}.100/32" ];
publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38="; publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
pskEnabled = false; pskEnabled = false;
}; };
}; };
peerSecretName = name: "wg0-peer-${name}-psk"; peerSecretName = name: "wg0-peer-${name}-psk";
secrets = config.secrix.services.systemd-networkd.secrets;
in in
{ {
secrix.services.systemd-networkd.secrets = let secrix.services.systemd-networkd.secrets = let
@ -34,10 +36,7 @@ in
wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age; wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
} // peerSecrets; } // peerSecrets;
systemd.network.netdevs = let systemd.network.netdevs = {
secrets = config.secrix.services.systemd-networkd.secrets;
in
{
"10-wg0" = { "10-wg0" = {
netdevConfig = { netdevConfig = {
Kind = "wireguard"; Kind = "wireguard";
@ -47,10 +46,7 @@ in
PrivateKeyFile = secrets.wg0-private-key.decrypted.path; PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
ListenPort = 18596; ListenPort = 18596;
}; };
wireguardPeers = let wireguardPeers = map (peer: {
secrets = config.secrix.services.systemd-networkd.secrets;
in
map (peer: {
AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs; AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs;
PublicKey = peer.value.publicKey; PublicKey = peer.value.publicKey;
PresharedKeyFile = if peer.value.pskEnabled then secrets."${peerSecretName peer.name}".decrypted.path else null; PresharedKeyFile = if peer.value.pskEnabled then secrets."${peerSecretName peer.name}".decrypted.path else null;
@ -64,7 +60,7 @@ in
networkConfig = { networkConfig = {
IPv4Forwarding = true; IPv4Forwarding = true;
IPv6SendRA = false; IPv6SendRA = false;
Address = [ "10.6.0.1/24" "${vars.extra.opnsense.p6}::6:0:1/96" ]; Address = [ wg0.addr4Sized wg0.addr6Sized ];
}; };
}; };
}; };