46 lines
1 KiB
Nix
46 lines
1 KiB
Nix
args@{ config, lib, pkgs, custom-utils, ... }:
|
|
|
|
let
|
|
ports = import ../ports.nix args;
|
|
listenPort = ports.wireguard-public-ip-tunnel.udp;
|
|
publicKey = "GCmQs7upvDYFueEfqD2yJkkOZg3K7YaGluWWzdjsyTo=";
|
|
in
|
|
{
|
|
sops.secrets = lib.listToAttrs (map
|
|
(name: lib.nameValuePair "wireguard_key_${name}" {
|
|
sopsFile = ../secrets.yaml;
|
|
})
|
|
[
|
|
"hetzner-ha"
|
|
]
|
|
);
|
|
|
|
#boot.kernel.sysctl = {
|
|
# "net.ipv4.conf.all.forwarding" = 1;
|
|
# "net.ipv4.conf.hetzner-ha.proxy_arp" = 1;
|
|
# "net.ipv4.conf.enp1s0.proxy_arp" = 1;
|
|
#};
|
|
|
|
networking = {
|
|
interfaces = {
|
|
hetzner-ha.proxyARP = true;
|
|
enp1s0.proxyARP = true;
|
|
};
|
|
firewall.allowedUDPPorts = [ listenPort ];
|
|
wireguard.interfaces = {
|
|
hetzner-ha = {
|
|
ips = [ ];
|
|
privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
|
|
inherit listenPort;
|
|
|
|
peers = [{
|
|
inherit publicKey;
|
|
persistentKeepalive = 25;
|
|
allowedIPs = [
|
|
"159.69.103.126/32"
|
|
];
|
|
}];
|
|
};
|
|
};
|
|
};
|
|
}
|