78 lines
2.1 KiB
Nix
78 lines
2.1 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
...
|
|
}: let
|
|
inherit (config.sops) secrets;
|
|
|
|
wgPort = 51820;
|
|
clientIP = "10.2.0.2";
|
|
serverIP = "146.70.198.2";
|
|
in {
|
|
networking.wireguard = {
|
|
enable = true;
|
|
|
|
interfaces = {
|
|
wg0 = {
|
|
interfaceNamespace = "wg";
|
|
ips = ["${clientIP}/32"];
|
|
|
|
listenPort = wgPort;
|
|
|
|
generatePrivateKeyFile = false;
|
|
privateKeyFile = secrets.vpn.path;
|
|
|
|
peers = [
|
|
{
|
|
publicKey = "aQ2NoOYEObG9tDMwdc4VxK6hjW+eA0PLfgbH7ffmagU=";
|
|
allowedIPs = ["0.0.0.0/0"];
|
|
endpoint = "${serverIP}:${toString wgPort}";
|
|
}
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.services = let
|
|
joinWgNamespace = {
|
|
bindsTo = ["netns@wg.service"];
|
|
requires = ["network-online.target"];
|
|
after = ["wireguard-wg0.service"];
|
|
unitConfig.JoinsNamespaceOf = "netns@wg.service";
|
|
serviceConfig.NetworkNamespacePath = "/var/run/netns/wg";
|
|
};
|
|
|
|
mkPortRoute = service: port: {
|
|
description = "Forward to ${service} in wireguard namespace";
|
|
requires = ["${service}.service"];
|
|
after = ["${service}.service"];
|
|
partOf = ["${service}.service"];
|
|
serviceConfig = {
|
|
Restart = "on-failure";
|
|
TimeoutStopSec = 300;
|
|
};
|
|
wantedBy = ["multi-user.target"];
|
|
script = ''
|
|
${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.iproute2}/bin/ip link set dev lo up
|
|
${pkgs.socat}/bin/socat tcp-listen:${port},fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.socat}/bin/socat STDIO "tcp-connect:${clientIP}:${port}"',nofork
|
|
'';
|
|
};
|
|
in {
|
|
# Create namespace for Wireguard
|
|
# This allows us to isolate specific programs to Wireguard
|
|
"netns@" = {
|
|
description = "%I network namespace";
|
|
before = ["network.target"];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
|
|
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
|
|
};
|
|
};
|
|
"wireguard-wg0".wants = ["netns@wg.service"];
|
|
|
|
"qbittorrent" = joinWgNamespace;
|
|
"qbittorrent-port-route" = mkPortRoute "qbittorrent" "8080";
|
|
};
|
|
}
|