tunnel munin node traffic on lan through wireguard

2024-03-23 18:37:56 +01:00 · 2024-03-23 18:37:56 +01:00 · 7d1047e5fe
commit 7d1047e5fe
parent 017725d2cf
7 changed files with 87 additions and 26 deletions
--- a/nixos/agares/network.nix
+++ b/nixos/agares/network.nix
@ -63,6 +63,26 @@ in
            };
        }];
      };
+      "20-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.age.secrets."wg-privkey-wg0".path;
+          ListenPort = 51235;
+        };
+        wireguardPeers = lib.singleton {
+          wireguardPeerConfig = {
+            PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
+            AllowedIPs = [
+              "10.3.3.3/32"
+              "fd42:9c3b:f96d:121::3/128"
+              "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
+            ];
+          };
+        };
+      };
    };
    networks =
      let
@ -126,6 +146,17 @@ in
            }
          ];
        };
+        "30-wg0" = {
+          matchConfig.Name = "wg0";
+          address = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ];
+          DHCP = "no";
+          networkConfig.IPv6AcceptRA = false;
+          linkConfig.RequiredForOnline = false;
+          routes = [
+            { routeConfig = { Destination = "10.3.3.1/24"; }; }
+            { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
+          ];
+        };
        "30-lan" = subnet "lan.10" "101" // {
          dhcpServerStaticLeases = [
            {
@ -237,6 +268,11 @@ in
    owner = "systemd-network";
  };

+  age.secrets."wg-privkey-wg0" = {
+    file = "${config.dadada.secrets.path}/agares-wg0-key.age";
+    owner = "systemd-network";
+  };
+
  boot.kernel.sysctl = {
    # Enable forwarding for interface
    "net.ipv4.conf.all.forwarding" = "1";