Add wireguard tunnel for hetzner ha ip

2023-06-23 18:02:06 +00:00 · 2023-06-23 18:02:06 +00:00 · 9966530d35
commit 9966530d35
parent 905c043b17
8 changed files with 150 additions and 2 deletions
--- a/hosts/magnesium/services/public-ip-tunnel.nix
+++ b/hosts/magnesium/services/public-ip-tunnel.nix
@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+let
+  listenPort = 51000;
+  publicKey = "GCmQs7upvDYFueEfqD2yJkkOZg3K7YaGluWWzdjsyTo=";
+in
+{
+  sops.secrets = (
+    lib.listToAttrs (map
+      (name: lib.nameValuePair "wireguard_key_${name}" {
+        sopsFile = ../secrets.yaml;
+      })
+      [
+        "hetzner-ha"
+      ]
+    )
+  );
+
+  #boot.kernel.sysctl = {
+  #  "net.ipv4.conf.all.forwarding" = 1;
+  #  "net.ipv4.conf.hetzner-ha.proxy_arp" = 1;
+  #  "net.ipv4.conf.enp1s0.proxy_arp" = 1;
+  #};
+  networking.interfaces.hetzner-ha.proxyARP = true;
+  networking.interfaces.enp1s0.proxyARP = true;
+
+  networking.wireguard.interfaces = {
+    hetzner-ha = {
+      ips = [ ];
+      privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
+      listenPort = listenPort;
+
+      peers = [{
+        publicKey = publicKey;
+        persistentKeepalive = 25;
+        allowedIPs = [
+          "159.69.103.126/32"
+        ];
+      }];
+    };
+  };
+
+  networking.firewall.allowedUDPPorts = [ listenPort ];
+}