wireguard progress

sys/machines/rackserv/wireguard-server.nix

@@ -0,0 +1,120 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  networking.firewall = let
+    forwardPorts = {
+      "10.0.0.3" =
+        lib.range 23000 23010
+        |> map (n: {
+          protocols = ["tcp" "udp"];
+          port = n;
+        });
+      "10.0.0.2" =
+        [24001 24002 24003]
+        |> map (n: {
+          protocols = ["tcp"];
+          port = n;
+        });
+    };
+
+    b = builtins;
+    portsList = b.attrValues forwardPorts |> b.concatLists;
+    portsAndIpsList = lib.mapAttrsToList (n: v: map (x: x // {destinationIp = n;}) v) forwardPorts |> b.concatLists;
+  in {
+    allowedTCPPorts = b.filter (x: b.elem "tcp" x.protocols) portsList |> map (x: x.port);
+    allowedUDPPorts = [51820] ++ (b.filter (x: b.elem "udp" x.protocols) portsList |> map (x: x.port));
+    extraCommands =
+      portsAndIpsList
+      |> map (x: ''
+        ${x.protocols |> map (protocol: "iptables -t nat -A PREROUTING  -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}") |> b.concatStringsSep "\n"}
+        ${x.protocols |> map (protocol: "iptables -t nat -A POSTROUTING -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19") |> b.concatStringsSep "\n"}
+      '')
+      |> b.concatStringsSep "\n";
+
+    extraStopCommands =
+      portsAndIpsList
+      |> map (x: ''
+        ${x.protocols |> map (protocol: "iptables -t nat -D PREROUTING  -t nat -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}") |> b.concatStringsSep "\n"}
+        ${x.protocols |> map (protocol: "iptables -t nat -D POSTROUTING -t nat -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19") |> b.concatStringsSep "\n"}
+      '')
+      |> b.concatStringsSep "\n";
+
+    interfaces.wg0 = {
+      allowedUDPPorts = [53];
+      allowedTCPPorts = [53];
+    };
+  };
+
+  systemd.network.netdevs = {
+    "50-wg0" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg0";
+        MTUBytes = "1300";
+      };
+      wireguardConfig = {
+        ListenPort = 51820;
+        PrivateKeyFile = config.sops.secrets.wireguard-privatekey.path;
+        RouteTable = "main";
+      };
+      wireguardPeers = [
+        {
+          # hopper
+          PublicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug=";
+          AllowedIPs = ["10.0.0.2" "fd12:1e51:ca23::2"];
+        }
+        {
+          # nixdesk
+          PublicKey = "DMauL/fv08yXvVtyStsUfg/OM+ZJwMNvguQ59X/KU2Q=";
+          AllowedIPs = ["10.0.0.3" "fd12:1e51:ca23::3"];
+        }
+      ];
+    };
+  };
+
+  systemd.network.networks.wg0 = {
+    matchConfig.Name = "wg0";
+    address = ["10.0.0.1/10" "fd12:1e51:ca23::1/64"];
+    networkConfig = {
+      IPMasquerade = "ipv4";
+      IPv4Forwarding = true;
+    };
+  };
+
+  services.dnsmasq = {
+    enable = true;
+    resolveLocalQueries = false;
+    settings = {
+      server = ["1.1.1.1" "8.8.8.8"];
+      interface = ["wg0"];
+      bind-interfaces = true;
+    };
+  };
+
+  # networking.wireguard = {
+  #   enable = true;
+  #   interfaces.wg0 = {
+  #     ips = ["10.0.0.0/10"];
+  #     listenPort = 51820;
+  #     postSetup = ''
+  #       ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+  #     '';
+  #     postShutdown = ''
+  #       ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+  #     '';
+  #
+  #     privateKeyFile = config.sops.secrets.wireguard-privatekey.path;
+  #
+  #     peers = [
+  #       {
+  #         # hopper
+  #         publicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug=";
+  #         allowedIPs = ["10.0.0.1/32"];
+  #       }
+  #     ];
+  #   };
+  # };
+}