author | sefidel <contact@sefidel.net> | 2024-04-05 08:42:22 +0900 |
---|---|---|
committer | sefidel <contact@sefidel.net> | 2024-04-06 00:04:13 +0900 |
commit | 128b2f3703dce93d8241165e003f2bfc42cd2548 (patch) | |
tree | c457764bc5f51bdd9f1948c317de639e60150183 /nixos/kanata/configuration.nix | |
parent | df7d9f91d484f1388b8929cd033b06d961ee8c3c (diff) | |
feat(nixos/kanata): use wireguard for interlink
Diffstat (limited to 'nixos/kanata/configuration.nix')
-rw-r--r-- | nixos/kanata/configuration.nix | 66 |
1 files changed, 35 insertions, 31 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index 323f6ac..8a4d46c 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -96,9 +96,8 @@ in
 sops.secrets.grafana-admin-pass = { owner = "grafana"; };
 sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; };
 sops.secrets.nitter-account-jsonl = { };
- sops.secrets.interlink-password = { };
- sops.secrets.interlink-ovpn = { };
- sops.secrets.interlink-ovpn-creds = { };
+ # sops.secrets.interlink-private-key = { };
+ sops.secrets.interlink-wg-config = { };
 sops.secrets.proton-private-key = { };
 sops.secrets.attic-credentials = { }; # TODO: insecure?
@@ -294,9 +293,8 @@ in
 privateNetwork = true;
 hostAddress = "172.16.1.1";
 localAddress = "172.16.1.2";
- bindMounts."/run/secrets/interlink-password".hostPath = config.sops.secrets.interlink-password.path;
- # bindMounts."/run/secrets/interlink-ovpn".hostPath = config.sops.secrets.interlink-ovpn.path;
- # bindMounts."/run/secrets/interlink-ovpn-creds".hostPath = config.sops.secrets.interlink-ovpn-creds.path;
+ # bindMounts."/run/secrets/interlink-private-key".hostPath = config.sops.secrets.interlink-private-key.path;
+ bindMounts."/run/secrets/interlink-wg-config".hostPath = config.sops.secrets.interlink-wg-config.path;
 config = { config, pkgs, lib, ... }: {
 services.tailscale = {
 enable = true;
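Review bot: Dropping the `sops.secrets.interlink-password`, `interlink-ovpn` and `interlink-ovpn-creds` declarations in the first hunk does not remove the encrypted values from the sops secrets file, and the OpenVPN/openconnect account credentials they held (the username/password pair deleted in the third hunk) presumably remain valid on the provider side until revoked; if that has not already been done, prune the entries and rotate the account. The new `sops.secrets.interlink-wg-config = { };` is consumed as a complete wg-quick conf that embeds the tunnel private key, so the sops-nix default of a root-owned, mode 0400 file is the right setting here, and a one-line comment such as `# whole wg-quick conf incl. private key; keep root-only` would stop a later edit from relaxing it when another service needs the file. The commented-out `# sops.secrets.interlink-private-key = { };` here and the matching `# bindMounts."/run/secrets/interlink-private-key".hostPath = …` line in the second hunk are dead config for the split-options variant; either delete them or note why they are kept. Both hunks sit inside the module attrset and the container definition respectively, which start before and continue past these hunks.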
@@ -306,35 +304,41 @@ in
 ];
 };
- networking.openconnect.interfaces.openconnect0 = {
- autoStart = true;
+ networking.firewall.allowedUDPPorts = [ 51820 ];
- gateway = "133.242.23.15"; # JP#11
- # gateway = "133.242.17.239"; # JP#1
- protocol = "anyconnect";
- user = "sk146241";
- passwordFile = "/run/secrets/interlink-password";
+ networking.wg-quick.interfaces.wg0 = {
+ autostart = true;
- extraOptions = {
- servercert = "pin-sha256:42cxGem/A2lRRPLefN3tSlPHFD1mK0BLh7tbUJeXvhE="; # JP#11
- # servercert = "pin-sha256:OvJIFf7gPPbnR7tdG0Uj10GET5eynt+o5pfKBIEA+ws="; # JP#1
- };
- };
- systemd.services.openconnect-openconnect0 = {
- serviceConfig = {
- # XXX: On initial startup, the service would fail with
- # 'No route to host'.
- Restart = "on-failure";
- RestartSec = "5s";
- };
+ configFile = "/run/secrets/interlink-wg-config";
+
+ # address = [ "***.***.***.***/32" ];
+ # listenPort = 51820;
+ #
+ # mtu = 1350;
+ #
+ # privateKeyFile = "/run/secrets/interlink-private-key";
+ #
+ # peers = [{
+ # publicKey = "*******************************************";
+ # # Exclude 100.64.0.0/10
+ # allowedIPs = [
+ # "0.0.0.0/0"
+ # # "0.0.0.0/2"
+ # # "64.0.0.0/3"
+ # # "96.0.0.0/6"
+ # # "100.0.0.0/10"
+ # # "100.128.0.0/9"
+ # # "101.0.0.0/8"
+ # # "102.0.0.0/7"
+ # # "104.0.0.0/5"
+ # # "112.0.0.0/4"
+ # # "128.0.0.0/1"
+ # ];
+ # persistentKeepalive = 120;
+ # endpoint = "***.***.***.***:51840";
+ # }];
 };
- # services.openvpn.servers.interlink-sekai = {
- # autoStart = true;
- # config = "config /run/secrets/interlink-ovpn";
- # up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
- # down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
- # };
 system.stateVersion = "24.05";
 };
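Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ];` opens an inbound UDP port on the container for what looks like a client-side tunnel (the commented block shows a fixed remote `endpoint` and a `persistentKeepalive`), and a peer that initiates the handshake does not need inbound access to reach the remote side, since replies to its own traffic are already accepted as established; unless the remote peer must be able to initiate, I would drop the line, or otherwise add a comment saying why the port is exposed. The `Restart = "on-failure"` / `RestartSec = "5s"` workaround for the start-up 'No route to host' race on the old openconnect unit was not carried over; if the wg-quick unit (presumably `wg-quick-wg0.service`) hits the same race inside the container, the same `serviceConfig` override would be needed there. The ~30 commented-out lines under `configFile` reproduce a redacted copy of settings that now live in the sops-managed conf, so they will drift silently from what is actually applied; I would replace them with one comment such as `# address, peers and allowedIPs live in the sops-managed conf (interlink-wg-config)`. Note also that the `# Exclude 100.64.0.0/10` list is commented out while `"0.0.0.0/0"` is the active entry, so the intent to keep the Tailscale/CGNAT range out of the tunnel is documented but, as far as this hunk shows, not in effect. The enclosing container `config` attrset opens in the previous hunk and the container definition continues past this one.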