From c60b82b3fc737833302684e4879a52d5dfcd1211 Mon Sep 17 00:00:00 2001
From: Hendrik Sokolowski
Date: Thu, 14 Apr 2022 13:48:26 +0200
Subject: [PATCH] Add wireguard tunnel, fix screens

---
 .../norman/.config/sway/config.d/screens.conf | 20 ++++
 hosts/norman/configuration.nix | 7 ++
 hosts/norman/wireguard.nix | 91 +++++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100644 hosts/norman/.config/sway/config.d/screens.conf
 create mode 100644 hosts/norman/wireguard.nix

diff --git a/hosts/norman/.config/sway/config.d/screens.conf b/hosts/norman/.config/sway/config.d/screens.conf
new file mode 100644
index 00000000..03592514
--- /dev/null
+++ b/hosts/norman/.config/sway/config.d/screens.conf
@@ -0,0 +1,20 @@
+set $left 'Eizo Nanao Corporation EV2316W 87029015'
+set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
+set $right 'Eizo Nanao Corporation EV2316W 39117013'
+
+output $left {
+ scale 1
+ pos 0 0
+ transform 270
+}
+
+output $middle {
+ scale 1
+ pos 1080 600
+}
+
+output $right {
+ scale 1
+ pos 3000 0
+ transform 90
+}
diff --git a/hosts/norman/configuration.nix b/hosts/norman/configuration.nix
index e1ab70c7..b4b6f413 100644
--- a/hosts/norman/configuration.nix
+++ b/hosts/norman/configuration.nix
@@ -9,6 +9,7 @@
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ./wireguard.nix
 ];
 # Set your time zone.
@@ -19,6 +20,12 @@
 # replicates the default behaviour.
 networking.useDHCP = false;
 networking.interfaces.wlp5s0.useDHCP = true;
+ networking.firewall = {
+ allowedUDPPorts = [
+ 51820
+ 51821
+ ]; # Clients and peers can use the same port, see listenport
+ };
 services.tlp = {
 enable = true;
diff --git a/hosts/norman/wireguard.nix b/hosts/norman/wireguard.nix
new file mode 100644
index 00000000..d90ee5e3
--- /dev/null
+++ b/hosts/norman/wireguard.nix
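Review bot: The new `allowedUDPPorts` entry in the `@@ -19,6 +20,12 @@` hunk opens 51820 and 51821 on every interface, including the wlp5s0 uplink configured just above it, while the comment `# Clients and peers can use the same port, see listenport` does not say why inbound traffic is needed for tunnels this host initiates. Both peers in wireguard.nix (same commit) are reached outbound with `persistentKeepalive = 25`, so the inbound allow is presumably only required if the remote side must be able to initiate handshakes; if it is not, leaving the block out keeps the host's inbound surface unchanged. If it stays, a comment such as `# Inbound UDP for wg0/wg1; must match listenPort in wireguard.nix` records the coupling more clearly than the current one.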
@@ -0,0 +1,91 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+ systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+ systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
+ systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
+
+ # Enable WireGuard
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [
+ "10.0.0.13/32"
+ "fc00:200::13/128"
+ ];
+ listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # Public key of the server (not a file path).
+ publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [
+ "10.0.0.0/24"
+ "192.168.50.0/24"
+ "192.168.200.0/24"
+ "10.20.30.0/24"
+ "fc00:200::/120"
+ "95.129.51.5"
+ "95.129.54.43"
+ "134.0.28.89"
+ ];
+
+ # Set this to the server IP and port.
+ endpoint = "vpn.aac1.dc.zone:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ wg1 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [
+ "10.7.0.21"
+ ];
+ listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # Public key of the server (not a file path).
+ publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [
+ "10.7.0.0/24"
+ ];
+
+ # Set this to the server IP and port.
+ endpoint = "vpn.gssws.de:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+
+ };
+ };
+}
+
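Review bot: Both `privateKeyFile` values, for wg0 and for wg1 in this hunk, point into an unprivileged user's home directory (`/home/hensoko/.config/wireguard/...`), although the wireguard-wg0/wg1 units are system services started at boot; that leaves the tunnel keys replaceable by that user account (or anything running as it) and unavailable if the home directory is not mounted when the unit starts. A root-owned file with mode 0600 outside any home, for example `privateKeyFile = "/etc/wireguard/<tunnel-name>.private";` (placeholder path), or a secrets mechanism that installs the key before the unit starts, keeps the key under root's control only. Separately, the comment `# Forward all the traffic via VPN.` above each `allowedIPs` list contradicts the code, which routes only the listed networks and hosts through the tunnel; `# Route only the listed networks and hosts through the tunnel.` describes it accurately for both peers.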