chvp/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Set up local VPN on wireguard network

Browse source
This commit is contained in:
Charlotte Van Petegem 2022-11-19 00:56:37 +01:00
parent d6619a35fa
commit 6ea7bced38
No known key found for this signature in database
GPG key ID: 019E764B7184435A
2 changed files with 29 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

28
modules/base/network/wireguard.nix
View file

@ -41,6 +41,32 @@ in
networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820; networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
networking.firewall.trustedInterfaces = [ "wg0" ]; networking.firewall.trustedInterfaces = [ "wg0" ];
boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; }; boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; };
services.unbound = lib.mkIf config.chvp.base.network.wireguard.server {
enable = true;
resolveLocalQueries = true;
settings = {
server = {
interface = [ "wg0" "127.0.0.1" "::1" ];
access-control = [
"127.0.0.0/8 allow"
"10.240.0.0/24 allow"
];
private-domain = "vpn";
local-zone = builtins.map (name: ''"${name}.vpn" redirect'') (builtins.attrNames data);
local-data = builtins.map (name: ''"${name}.vpn IN A ${data.${name}.ip}"'') (builtins.attrNames data);
};
forward-zone = {
name = ''"."'';
forward-addr = [
"1.1.1.1@853"
"1.0.0.1@853"
"2606:4700:4700::1111@853"
"2606:4700:4700::1001@853"
];
forward-tls-upstream = "yes";
};
};
};
systemd.network = { systemd.network = {
netdevs.wg0 = { netdevs.wg0 = {
enable = true; enable = true;
@ -81,6 +107,8 @@ in
enable = true; enable = true;
name = "wg0"; name = "wg0";
address = [ "${data.${config.networking.hostName}.ip}/32" ]; address = [ "${data.${config.networking.hostName}.ip}/32" ];
domains = [ "vpn" ];
dns = [ data.lasting-integrity.ip ];
routes = [{ routes = [{
routeConfig = routeConfig =
if config.chvp.base.network.wireguard.server then { if config.chvp.base.network.wireguard.server then {

2
modules/services/mail/default.nix
View file

@ -11,7 +11,6 @@ in
chvp.base.zfs.systemLinks = [ chvp.base.zfs.systemLinks = [
{ path = "/var/lib/dhparams"; type = "cache"; } { path = "/var/lib/dhparams"; type = "cache"; }
{ path = "/var/lib/dovecot"; type = "cache"; } { path = "/var/lib/dovecot"; type = "cache"; }
{ path = "/var/lib/knot-resolver"; type = "cache"; }
{ path = "/var/lib/opendkim"; type = "cache"; } { path = "/var/lib/opendkim"; type = "cache"; }
{ path = "/var/lib/postfix"; type = "cache"; } { path = "/var/lib/postfix"; type = "cache"; }
{ path = "/var/lib/redis-rspamd"; type = "cache"; } { path = "/var/lib/redis-rspamd"; type = "cache"; }
@ -21,6 +20,7 @@ in
enable = true; enable = true;
fqdn = "mail.vanpetegem.me"; fqdn = "mail.vanpetegem.me";
domains = [ "vanpetegem.me" "cvpetegem.be" "chvp.be" "accentor.tech" "toekomstlabo.be" ]; domains = [ "vanpetegem.me" "cvpetegem.be" "chvp.be" "accentor.tech" "toekomstlabo.be" ];
localDnsResolver = false;
loginAccounts = { loginAccounts = {
"charlotte@vanpetegem.me" = { "charlotte@vanpetegem.me" = {
hashedPasswordFile = config.age.secrets."passwords/services/mail/charlotte@vanpetegem.me".path; hashedPasswordFile = config.age.secrets."passwords/services/mail/charlotte@vanpetegem.me".path;