add sane

2023-09-20 10:07:34 +02:00
parent 1a32dd6b4c
commit 05d9aa0be2
2 changed files with 22 additions and 23 deletions
--- a/hosts/nb-01.cloonar.com/configuration.nix
+++ b/hosts/nb-01.cloonar.com/configuration.nix
@@ -165,29 +165,27 @@
       ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
     '';
  };
-  # networking.wireguard.interfaces = {
-  #   wg0 = {
-  #     # Determines the IP address and subnet of the client's end of the tunnel interface.
-  #     ips = [ "10.42.98.201/32" ];
-  #     listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-  #
-  #     # Path to the private key file.
-  #     #
-  #     # Note: The private key can also be included inline via the privateKey option,
-  #     # but this makes the private key world-readable; thus, using privateKeyFile is
-  #     # recommended.
-  #     privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
-  #
-  #     peers = [
-  #       {
-  #         publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
-  #         allowedIPs = [ "0.0.0.0/0" ];
-  #         endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
-  #         persistentKeepalive = 25;
-  #       }
-  #     ];
-  #   };
-  # };
+  networking.wireguard.interfaces = {
+    wg0 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [ "10.42.98.201/32" ];
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
+
+      peers = [
+        {
+          publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
+          allowedIPs = [ "10.42.97.0/20" "10.14.0.0/16" "10.25.0.0/16" ];
+          endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };

  # Facial recognition "Windows hello"
  # services.ir-toggle.enable = true;