33 lines
1,020 B
Nix
33 lines
1,020 B
Nix
{config, ...}: let
|
|
secrets = config.services.secrets.secrets;
|
|
data = import ../../../data/chaos_wireguard_internal.nix {};
|
|
in {
|
|
networking.firewall.trustedInterfaces = ["wg0"];
|
|
networking.wg-quick.interfaces = {
|
|
wg0 = {
|
|
autostart = false;
|
|
address = ["${data.hosts.lappy-t495.ip}/32"];
|
|
privateKeyFile = "${secrets.wg_priv.path}";
|
|
|
|
peers = [
|
|
# hetzner-vm
|
|
{
|
|
publicKey = "${data.hosts.hetzner-vm.public}";
|
|
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
|
|
allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
|
|
endpoint = "${data.hosts.hetzner-vm.endpoint}";
|
|
persistentKeepalive = 25;
|
|
}
|
|
# vault
|
|
{
|
|
publicKey = "${data.hosts.vault.public}";
|
|
presharedKeyFile = "${secrets.wg_preshared_vault.path}";
|
|
allowedIPs = ["${data.hosts.vault.ip}/32"];
|
|
endpoint = "${data.hosts.vault.endpoint}";
|
|
persistentKeepalive = 25;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
}
|