-rw-r--r--config/router.nix10
-rw-r--r--modules/mullvad.nix (renamed from modules/wireguard.nix)22
-rw-r--r--modules/nycmesh.nix39
3 files changed, 47 insertions, 24 deletions
diff --git a/config/router.nix b/config/router.nix
index db02093..df1f931 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -2,13 +2,13 @@
let
wan-dev = "bond0.10";
lan-dev = "bond0";
- wireguardPort = config.orbekk.wireguard.listenPort;
+ wireguardPorts =
+ [ config.orbekk.mullvad.listenPort config.orbekk.nycmesh.listenPort ];
mullvadMark = 30;
nycmeshMark = 32;
in {
- orbekk.wireguard.enable = true;
- orbekk.wireguard.enableMullvad = true;
- orbekk.wireguard.enableNycmesh = true;
+ orbekk.mullvad.enable = true;
+ orbekk.nycmesh.enable = true;
services.tftpd.enable = true;
services.openntpd.enable = true;
@@ -91,7 +91,7 @@ in {
proto tcp dport ssh ACCEPT;
proto (tcp udp) dport domain ACCEPT;
proto tcp dport (http https) ACCEPT;
- proto udp dport ${toString wireguardPort} ACCEPT;
+ proto udp dport (${lib.concatStringsSep " " (map toString wireguardPorts)}) ACCEPT;
}
interface ($DEV_LAN $DEV_ADMIN) @subchain "lan_services" {
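Review bot: The new dport list on the `+` line rebuilds `concatMapStringsSep` by hand; `proto udp dport (${lib.concatMapStringsSep " " toString wireguardPorts}) ACCEPT;` expresses the same thing in one call. This is also the first visible use of `lib` in config/router.nix, so it relies on `lib` being bound in the file's argument list, which lies outside both hunks and cannot be confirmed here. If the two module ports ever resolve to the same value the list carries a duplicate, which ferm tolerates, but two WireGuard interfaces cannot both bind that port, so an `assertions` entry checking `config.orbekk.mullvad.listenPort != config.orbekk.nycmesh.listenPort` would turn that into a build-time error.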
diff --git a/modules/wireguard.nix b/modules/mullvad.nix
index 0188d90..436a3b2 100644
--- a/modules/wireguard.nix
+++ b/modules/mullvad.nix
@@ -1,14 +1,12 @@
{ config, lib, pkgs, ... }:
let
- cfg = config.orbekk.wireguard;
+ cfg = config.orbekk.mullvad;
in
{
options = {
- orbekk.wireguard = {
+ orbekk.mullvad = {
enable = lib.mkEnableOption "Enable VPN";
- enableMullvad = lib.mkEnableOption "Enable Mullvad";
- enableNycmesh = lib.mkEnableOption "Enable NYC Mesh";
listenPort = lib.mkOption {
type = lib.types.port;
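Review bot: `lib.mkEnableOption "Enable VPN"` renders as "Whether to enable Enable VPN." in generated option docs, because mkEnableOption prepends "Whether to enable" to its argument; it should be a noun phrase, e.g. `enable = lib.mkEnableOption "the Mullvad WireGuard tunnel";`. The same wording is reused for `orbekk.nycmesh.enable` in the new modules/nycmesh.nix, and now that there are two VPN modules "Enable VPN" no longer tells the reader which tunnel the option controls. The `listenPort` option's `description` continues past this hunk.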
@@ -23,7 +21,7 @@ in
networking.wireguard = {
enable = true;
- interfaces.mullvad = lib.mkIf cfg.enableMullvad {
+ interfaces.mullvad = {
privateKeyFile = "/opt/secret/wireguard/mullvad.private";
ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
allowedIPsAsRoutes = false;
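Review bot: Dropping the `lib.mkIf cfg.enableMullvad` wrapper makes `interfaces.mullvad` unconditional within this attribute set, so whether the tunnel comes up now depends entirely on the enclosing `config` attribute being guarded by `lib.mkIf cfg.enable`, which starts outside this hunk and cannot be confirmed here. If that guard is absent, merely importing the module would activate the interface and reference `/opt/secret/wireguard/mullvad.private` on every host. Worth checking that the enclosing line still reads `config = lib.mkIf cfg.enable {`, as the new modules/nycmesh.nix does.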
@@ -36,20 +34,6 @@ in
}
];
};
-
- interfaces.nycmesh = lib.mkIf cfg.enableNycmesh {
- privateKeyFile = "/opt/secret/wireguard/nycmesh.private";
- ips = [ "10.70.73.50/32" ];
- allowedIPsAsRoutes = false;
- listenPort = cfg.listenPort;
- peers = [
- {
- endpoint = "wgvpn.sn1.mesh.nycmesh.net:51822";
- publicKey = "W5AQ3LmNVr2bW/IQrIY1GpyacplGc2lpavoeSzU/KhQ=";
- allowedIPs = [ "0.0.0.0/0" "::0/0" ];
- }
- ];
- };
};
};
}
diff --git a/modules/nycmesh.nix b/modules/nycmesh.nix
new file mode 100644
index 0000000..e3a3f26
--- /dev/null
+++ b/modules/nycmesh.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.nycmesh;
+in
+{
+ options = {
+ orbekk.nycmesh = {
+ enable = lib.mkEnableOption "Enable VPN";
+
+ listenPort = lib.mkOption {
+ type = lib.types.port;
+ default = 40423;
+ description = "wireguard local port";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.nycmesh = {
+ privateKeyFile = "/opt/secret/wireguard/nycmesh.private";
+ ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+ allowedIPsAsRoutes = false;
+ listenPort = cfg.listenPort;
+ peers = [
+ {
+ endpoint = "ca10-wireguard.nycmesh.net:51820";
+ publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
+ allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+ }
+ ];
+ };
+ };
+ };
+}
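Review bot: The `ips` of `interfaces.nycmesh` are `10.70.90.245/32` and `fc00:bbbb:bbbb:bb01::7:5af4/128`, byte-for-byte the addresses of the Mullvad interface in modules/mullvad.nix, while the nycmesh interface deleted from that file used `10.70.73.50/32`; this looks like a copy-paste leftover rather than an address issued for the new peer. Two WireGuard interfaces holding the same /32 and /128 make source-address selection and the mark-based routing in config/router.nix ambiguous, and the remote peer will typically only accept traffic from the address it assigned. Confirm the address for the `ca10-wireguard.nycmesh.net` peer and set `ips = [ "<nycmesh-assigned-address>/32" ];`. If the Mullvad module's `listenPort` default (not visible in this diff) is also 40423, the two interfaces would also contend for the same UDP port. Separately, `description = "wireguard local port"` could name the tunnel, e.g. `description = "UDP port the NYC Mesh WireGuard interface listens on";`.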