wireguard

2023-02-08 14:59:00 +01:00 · 2023-02-08 14:59:00 +01:00 · 46db7bd979
parent 84f7df9860
commit 46db7bd979
6 changed files with 33 additions and 0 deletions
--- a/hosts/lkk-nix-1/default.nix
+++ b/hosts/lkk-nix-1/default.nix
@ -20,6 +20,7 @@
      to = 3100;
    }];
    firewall.allowedTCPPorts = [ 80 443 5432 3306 3478 ];
+    firewall.allowedUDPPorts = [ 51820 ];
    firewall.allowedUDPPortRanges = [{
      from = 3478;
      to = 3481;
@ -52,6 +53,10 @@
        mode = "770";
        owner = "searx";
      };
+      wg-easy-environmentFile = {
+        file = ../../secrets/wg-easy-environmentFile.age;
+        mode = "770";
+      };
    };
    identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
  };
--- a/hosts/lkk-nix-1/services/containers/default.nix
+++ b/hosts/lkk-nix-1/services/containers/default.nix
@ -3,5 +3,6 @@
    ./baserow.nix
    ./matomo.nix
    ./wordpress.nix
+    ./wireguard.nix
  ];
 }
--- a/hosts/lkk-nix-1/services/containers/wireguard.nix
+++ b/hosts/lkk-nix-1/services/containers/wireguard.nix
@ -0,0 +1,14 @@
+{ config, outputs, ... }: {
+  virtualisation.oci-containers.containers."wireguard" = {
+    image = "weejewel/wg-easy";
+    environment = { WG_HOST = "wg.lanakk.com"; };
+    ports = [ "3007:51821/tcp" "51820:51820/udp" ];
+    volumes = [ "wireguard_data:/etc/wireguard" ];
+    extraOptions = [
+      "--cap-add=NET_ADMIN"
+      "--cap-add=SYS_MODULE"
+      "--sysctl=net.ipv4.conf.all.src_valid_mark=1"
+      "--sysctl=net.ipv4.ip_forward=1"
+    ];
+  };
+}
--- a/hosts/lkk-nix-1/services/traefik.nix
+++ b/hosts/lkk-nix-1/services/traefik.nix
@ -42,6 +42,7 @@
          searx.loadBalancer.servers = [{ url = "http://localhost:3004/"; }];
          nextcloud.loadBalancer.servers = [{ url = "http://localhost:3005/"; }];
          invidious.loadBalancer.servers = [{ url = "http://localhost:3006/"; }];
+          wireguard.loadBalancer.servers = [{ url = "http://localhost:3007/"; }];
        };
        routers = {
          api = {
@ -111,6 +112,16 @@
            service = "invidious";
            entrypoints = "websecure";
          };
+          wireguard = {
+            rule = "Host(`wg.lanakk.com`)";
+            tls = {
+              certResolver = "godaddy";
+              domains = "wg.lanakk.com";
+            };
+            service = "wireguard";
+            middlewares = "auth";
+            entrypoints = "websecure";
+          };
        };
      };
    };
--- a/secrets.nix
+++ b/secrets.nix
@ -10,4 +10,6 @@ in {
  "godaddy-api-secret.age".publicKeys = [ root ];

  "searx-environmentFile.age".publicKeys = [ root ];
+
+  "wg-easy-environmentFile.age".publicKeys = [ root ];
 }
--- a/secrets/wg-easy-environmentFile.age
+++ b/secrets/wg-easy-environmentFile.age