From 8fdab961a3f5e86e700a982b073e80583ec14f75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kjetil=20=C3=98rbekk?=
Date: Fri, 24 Nov 2017 13:24:53 -0500
Subject: punch some firewall holes

---
 config/vpn-server.nix | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

(limited to 'config/vpn-server.nix')

diff --git a/config/vpn-server.nix b/config/vpn-server.nix
index f2663d5..10b0c17 100644
--- a/config/vpn-server.nix
+++ b/config/vpn-server.nix
@@ -3,18 +3,24 @@ let
 port = (import ../data/aliases.nix).services.wireguard.port;
 in {
- networking.wireguard = {
- interfaces = {
- wg0 = {
- ips = [ "10.35.190.1/23" ];
- privateKeyFile = "/opt/secret/wireguard/wg0.key";
- listenPort = port;
- peers = [
- {
- publicKey = "ULWhaOsAaTu4cu84v3PM4DL7arxc/WNnzI/ic2k1KBU=";
- allowedIPs = ["0.0.0.0/0" "::/0"];
- }
- ];
+ networking = {
+ firewall.allowedTCPPorts = [ port ];
+ firewall.allowedUDPPorts = [ port ];
+
+ wireguard = {
+ interfaces = {
+ wg0 = {
+ ips = [ "10.35.190.1/23" ];
+ privateKeyFile = "/opt/secret/wireguard/wg0.key";
+ listenPort = port;
+ allowedIPsAsRoutes = false;
+ peers = [
+ {
+ publicKey = "ULWhaOsAaTu4cu84v3PM4DL7arxc/WNnzI/ic2k1KBU=";
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ }
+ ];
+ };
 };
 };
 };
--
cgit v1.2.3
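Review bot: The new `firewall.allowedTCPPorts = [ port ];` opens a TCP port that WireGuard never listens on — the protocol is UDP-only — so it widens the host's exposed surface for no benefit and should be dropped, keeping only `firewall.allowedUDPPorts = [ port ];`. The added `allowedIPsAsRoutes = false;` stops the host from installing default routes toward the peer, but it leaves the cryptokey-routing side of `allowedIPs = ["0.0.0.0/0" "::/0"]` untouched, so the server still accepts packets from this peer with any source address; if the host forwards or NATs tunnel traffic (not visible in this hunk) that lets the peer inject spoofed sources into the network. For a server-side peer entry, `allowedIPs` is normally restricted to that peer's own tunnel address (a single host inside the 10.35.190.0/23 range the interface already carries) rather than the default route, and with that in place the route workaround is no longer needed. The `let` binding that opens this expression sits just above the hunk, and the attribute set's final closing brace is not visible here.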