System/Thinknix: Configure wireguard using NixOS instead of docker container

2025-07-10 23:42:01 +02:00
parent 8a19d8ac31
commit 6e92e853ad
2 changed files with 42 additions and 3 deletions
--- a/system/thinknix/default.nix
+++ b/system/thinknix/default.nix
@ -21,7 +21,7 @@
    ../services/nginx-proxy-manager.nix
    ../services/portainer.nix
    ../services/whats-up-docker.nix
-    ../services/wireguard.nix
+    # ../services/wireguard.nix
  ];

  modules = {
@ -55,6 +55,43 @@
        67 # DHCP
      ];
    };
+
+    sops-nix.secrets.${username} = [
+      "wireguard-vps-private-key"
+    ];
+  };
+
+  networking.wireguard.interfaces."vps-wg-client" = {
+    ips = ["10.10.10.2/32"];
+    privateKeyFile = "${config.sops.secrets.wireguard-vps-private-key.path}";
+
+    # Create the depending network namespace
+    # preSetup = ''
+    #   ${pkgs.iproute2}/bin/ip netns add ${name}
+    # '';
+
+    # postSetup = ''
+    #   ${pkgs.iptables} -A FORWARD -i wg0-client -j ACCEPT
+    #   ${pkgs.iptables} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+    # '';
+    # postShutdown = ''
+    #   ${pkgs.iptables} -D FORWARD -i wg0-client -j ACCEPT
+    #   ${pkgs.iptables} -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+    # '';
+
+    peers = [
+      {
+        name = "chriphost-vps";
+        publicKey = "w/U8p9fizw0jk8PFaMZXV1N49Ws+q6mUHzNFYtoDTS8=";
+        endpoint = "vps.chriphost.de:51820";
+        allowedIPs = [
+          "10.10.10.0/24"
+        ];
+
+        # Keep this connection alive so the server can always reach us
+        persistentKeepalive = 25;
+      }
+    ];
  };

  services = {