First wireguard config + wgautomesh

2025-11-06 19:44:32 +01:00 · 2025-11-06 19:44:32 +01:00 · b183796cac
commit b183796cac
parent bfd7541286
3 changed files with 147 additions and 8 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -12,6 +12,7 @@
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./node.nix
+    ./wgautomesh.nix
  ];

  programs.nix-ld.enable = true; # for vscode server
@ -114,12 +115,6 @@
  services.openssh.enable = true;
  services.openssh.settings.PasswordAuthentication = false;

-  # Open ports in the firewall.
-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [
-    22 # SSH
-  ];
-  # networking.firewall.allowedUDPPorts = [ ... ];

  services.unbound = {
    enable = true;
@ -140,7 +135,56 @@
    resolveLocalQueries = true;
  };
  services.resolved.enable = false;
+  
+  networking.wireguard.interfaces.wg0 = {
+    ips = [ "10.0.0.0/16" ];
+    listenPort = 19720;
+    privateKeyFile = "/var/lib/filouterie/wireguard-keys/private";
+    mtu = 1420;
+  };

+  filouterie.services.wgautomesh = {
+    enable = true;
+    interface = "wg0";
+    gossipPort = 1600;
+    peers = [
+      {
+        # Fifi
+        address = "10.0.1.1";
+	endpoint = "92.179.73.254:19720";
+	pubkey = "/TJVF6aLEvqngjd8Gq3QkH5esEQSIL+ryz/uKdJaZEQ=";
+      }
+    ];
+  };
+
+  system.activationScripts.generate_filouterie_wg_key = ''
+    if [ ! -f /var/lib/filouterie/wireguard-keys/private ]; then
+      mkdir -p /var/lib/filouterie/wireguard-keys
+      (umask 077; ${pkgs.wireguard-tools}/bin/wg genkey > /var/lib/filouterie/wireguard-keys/private)
+      echo "New Wireguard key was generated."
+      echo "This node's Wireguard public key is: $(${pkgs.wireguard-tools}/bin/wg pubkey < /var/lib/filouterie/wireguard-keys/private)"
+    fi
+  '';
+
+  # Open ports in the firewall.
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      22 # SSH
+    ];
+    allowedUDPPorts = [
+      19720 #Wireguard
+    ];
+
+    extraCommands = ''
+      # Allow other nodes on VPN to access all ports
+      iptables -A INPUT -s 19720 -j ACCEPT
+    '';
+
+    extraStopCommands = ''
+      iptables -D INPUT -s 19720 -j ACCEPT
+    '';
+  };
  # Garbage collection to remove old NixOs iterations
  nix.gc = {
    automatic = true;