commit 6cc1c448b22533356ab75b3c66bf25a44f7409bb
parent 159db097be3a1375b72c2d23247251e3d22fab77
Author: Katja (zaphyra) <git@ctu.cx>
Date: Thu, 29 May 2025 18:20:31 +0200
parent 159db097be3a1375b72c2d23247251e3d22fab77
Author: Katja (zaphyra) <git@ctu.cx>
Date: Thu, 29 May 2025 18:20:31 +0200
hosts/novus: add wireguard-tunnel for home-network
1 file changed, 56 insertions(+), 0 deletions(-)
diff --git a/hosts/novus/default.nix b/hosts/novus/default.nix
@@ -28,6 +28,7 @@
  {
  inputs,
  config,
+ lib,
  pkgs,
  ...
  }:
@@ -35,14 +36,20 @@
  boot.initrd.systemd.emergencyAccess = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.kernel.sysctl."net.ipv6.conf.all.proxy_ndp" = true;
  sops.secrets = {
+ wireguardPrivKey = {
+ owner = "systemd-network";
+ group = "systemd-network";
+ };
  "resticEnv/novus" = {
  sopsFile = inputs.self.sopsSecrets.common;
  };
  };
  modules = {
+ security.kernel = false;
  filesystem.rootDisk = {
  enable = true;
  encrypt = true;
@@ -86,6 +93,55 @@
  users.katja.enable = true;
  };
+ networking.firewall = {
+ allowedUDPPorts = [
+ config.systemd.network.netdevs."20-wg0".wireguardConfig.ListenPort
+ ];
+ trustedInterfaces = [
+ "wg0"
+ ];
+ };
+
+ systemd.network = {
+ config.networkConfig = {
+ IPv6Forwarding = true;
+ };
+
+ netdevs."20-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ };
+
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.wireguardPrivKey.path;
+ ListenPort = 51820;
+ FirewallMark = 51820;
+ };
+
+ wireguardPeers = [
+ {
+ PublicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY=";
+ AllowedIPs = [ "::/0" ];
+ PersistentKeepalive = 10;
+ }
+ ];
+ };
+
+ networks."20-wg0" = {
+ name = "wg0";
+ routes = [{
+ Destination = "2a03:4000:4d:5e:acab::/112";
+ }];
+ linkConfig.RequiredForOnline = false;
+ };
+ };
+
+ services.ndppd = {
+ enable = true;
+ proxies.ens3.rules."2a03:4000:4d:5e:acab::/112".method = "static";
+ };
+
  system.stateVersion = "24.11";
  home-manager.users.katja.home.stateVersion = "24.11";
  };
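Review bot: `lib` is added to the module's argument set in the first hunk, but none of the lines added by this commit reference `lib`; unless a part of the file outside these hunks uses it, the binding is unused and the line can be dropped. The enclosing attribute set continues past the hunk, so this is inferred from the visible diff only.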
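Review bot: `security.kernel = false;` in the `modules` block switches off a project module whose purpose is not stated anywhere in the commit, and the message ("add wireguard-tunnel") does not explain why the tunnel requires it; a one-line comment naming the reason would keep the next reader from re-enabling it blindly, e.g. `security.kernel = false; # <reason it conflicts with the wg0/ndp setup>`. Separately, `boot.kernel.sysctl."net.ipv6.conf.all.proxy_ndp" = true;` enables proxy NDP on every interface although only `ens3` is proxied by ndppd below; if the `all` scope is not deliberate, `boot.kernel.sysctl."net.ipv6.conf.ens3.proxy_ndp" = true;` bounds it to the interface that needs it. The `sops.secrets` and `modules` sets both continue outside this hunk.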
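Review bot: The peer's `AllowedIPs = [ "::/0" ];` makes the kernel accept packets with any IPv6 source address from that peer, while the only route installed for `wg0` is `2a03:4000:4d:5e:acab::/112` and `IPv6Forwarding = true` is set host-wide, so traffic from the home peer with arbitrary sources could be forwarded out `ens3`; unless the peer is meant to act as a default-route endpoint, `AllowedIPs = [ "2a03:4000:4d:5e:acab::/112" ];` matches the route and bounds what cryptokey routing admits. `trustedInterfaces = [ "wg0" ];` also exempts every local service from the input firewall for tunnel traffic, which is presumably intended for a home network but deserves a comment saying so. `FirewallMark = 51820;` is set but nothing in the hunk consumes the mark (no routing policy rule or table is visible); if it is not used elsewhere in the configuration it is dead settings and can be removed. The enclosing attribute set ends outside the visible diff.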