Allow all IPs for wireguard interface without routing them

2024-02-04 20:12:00 +01:00 · 2024-02-04 20:12:00 +01:00 · 855d3ada0a
parent cb2ac4c8da
commit 855d3ada0a
2 changed files with 40 additions and 19 deletions
--- a/hosts/phoenix.lewd.wtf/networking.nix
+++ b/hosts/phoenix.lewd.wtf/networking.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, pkgs, lib, ... }:
 {
  networking.useDHCP = false;
  networking.bridges = {
@ -27,20 +27,41 @@
    enableIPv6 = true;
  };

-  networking.wireguard.interfaces = {
-    wg0 = {
-      ips = [ "10.175.197.82/32" "fd7d:76ee:e68f:a993:f6b2:9dab:ddd3:a02/128" ];
-      privateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
-      
-      peers = [
-        {
-          publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
-          presharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
-          allowedIPs = [ "10.128.0.1" ];
-          endpoint = "134.19.179.213:1637";
-          persistentKeepalive = 25;
-        }
-      ];
+  boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
+  systemd.network = {
+    enable = true;
+    netdevs = {
+      "10-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+          MTUBytes = "1300";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
+          ListenPort = 9918;
+        };
+        wireguardPeers = [
+          {
+            wireguardPeerConfig = {
+              PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+              PresharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
+              AllowedIPs = ["10.128.0.1/32"];
+              Endpoint = "134.19.179.213:1637";
+            };
+          }
+        ];
+      };
+    };
+    networks.wg0 = {
+      matchConfig.Name = "wg0";
+      address = [ "10.175.197.82/32" ];
+      DHCP = "no";
+      dns = [ "10.128.0.1" ];
+      gateway = [ "10.128.0.1" ];
+      networkConfig = {
+        IPv6AcceptRA = false;
+      };
    };
  };
 }
--- a/hosts/phoenix.lewd.wtf/secrets.nix
+++ b/hosts/phoenix.lewd.wtf/secrets.nix
@ -11,14 +11,14 @@
  # Wireguard
  sops.secrets."services/wireguard/airvpn.private" = {
    mode = "0400";
-    owner = config.users.users.root.name;
-    group = config.users.users.root.group;
+    owner = config.users.users.systemd-network.name;
+    group = config.users.users.systemd-network.group;
    sopsFile = ./secrets/wireguard.yaml;
  };
  sops.secrets."services/wireguard/airvpn.psk" = {
    mode = "0400";
-    owner = config.users.users.root.name;
-    group = config.users.users.root.group;
+    owner = config.users.users.systemd-network.name;
+    group = config.users.users.systemd-network.group;
    sopsFile = ./secrets/wireguard.yaml;
  };
 }