-rw-r--r-- | hosts/muhammed/configuration.nix | 1 | ||||
-rw-r--r-- | hosts/muhammed/wireguard/ahmed.nix | 24 | ||||
-rw-r--r-- | hosts/muhammed/wireguard/default.nix | 5 |
3 files changed, 30 insertions, 0 deletions
diff --git a/hosts/muhammed/configuration.nix b/hosts/muhammed/configuration.nix
index be8c71d..12dbef8 100644
--- a/hosts/muhammed/configuration.nix
+++ b/hosts/muhammed/configuration.nix
@@ -11,6 +11,7 @@
     ./remote-builders
     ./update-git-repos
+    ./wireguard
   ];
 
   # Avoid downloading the nixpkgs tarball every hour.
diff --git a/hosts/muhammed/wireguard/ahmed.nix b/hosts/muhammed/wireguard/ahmed.nix
new file mode 100644
index 0000000..406ff7d
--- /dev/null
+++ b/hosts/muhammed/wireguard/ahmed.nix
@@ -0,0 +1,24 @@
+{metadata, config, ...}: {
+  networking.wg-quick.interfaces.wg0 = {
+    # Use the address assigned for us in `hosts/ahmed/wireguard-vpn/default.nix`.
+    address = ["10.100.0.2"];
+
+    # Use DNS server set up in `hosts/ahmed/local-dns/default.nix`.
+    dns = ["10.100.0.1" "1.1.1.1"];
+
+    privateKeyFile = config.age.secrets.wireguard-key.path;
+
+    peers = [(let
+      peerInfo = metadata.hosts.ahmed.wireguard;
+    in {
+      publicKey = peerInfo.pubkey;
+      allowedIPs = ["0.0.0.0/0" "::/0"];
+      endpoint = "${peerInfo.ipv4Address}:${toString peerInfo.port}";
+      persistentKeepalive = 5; # We are a roaming client, they are static.
+    })];
+
+    # table = "off";
+  };
+
+  age.secrets.wireguard-key.file = ../../../secrets/wireguard-keys/muhammed.age;
+}
diff --git a/hosts/muhammed/wireguard/default.nix b/hosts/muhammed/wireguard/default.nix
new file mode 100644
index 0000000..0defd83
--- /dev/null
+++ b/hosts/muhammed/wireguard/default.nix
@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./ahmed.nix
+  ];
+}
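Review bot: The commented-out `# table = "off";` near the end of the new ahmed.nix is dead configuration that a later reader may uncomment without realising it disables wg-quick's automatic route setup, which is exactly what turns `allowedIPs = ["0.0.0.0/0" "::/0"]` into a full tunnel. Either delete the line or replace it with a comment that records the decision, e.g. `# Keep wg-quick's default route handling; setting table = "off" would stop the 0.0.0.0/0 allowedIPs from routing traffic through wg0.` The `1.1.1.1` entry in `dns` is not covered by the comment above it, which names only the resolver from `hosts/ahmed/local-dns/default.nix`; a one-line note on why a public fallback resolver is kept would avoid someone removing it as a leftover. `persistentKeepalive = 5` is well below the 25 seconds usually recommended for NAT traversal and will wake a roaming client's radio more often; if 5 was chosen deliberately, extending the existing trailing comment to say so would help.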