

{ config, pkgs, hostsPath, ... }:
tatosData = import (hostsPath + "/tatos/data.secret.nix");
istalData = import (hostsPath + "/istal/data.secret.nix");
inherit (istalData.wireguard) port;
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;
# enable NAT
networking.nat = {
enable = true;
externalInterface = "enp0s5";
internalInterfaces = [ "wg0" ];
networking.wg-quick.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
address = [ "" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = port;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postUp = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s5 -j MASQUERADE
# This undoes the above command
preDown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s5 -j MASQUERADE
# Path to the private key file.
privateKeyFile = config.age.secrets.wireguard-istal-private.path;
peers = [
publicKey = tatosData.wireguard.publicKey;
allowedIPs = [ "" ];
endpoint = "${tatosData.addr}:${toString tatosData.wireguard.port}";
persistentKeepalive = 25;
age.secrets.wireguard-istal-private = {
file = ./wireguard-istal-private.age;
mode = "0400";