3 files changed,
17 insertions(+),
32 deletions(-)
Author:
Oleksandr Smirnov
olexsmir@gmail.com
Committed at:
2026-02-12 21:39:07 +0200
Parent:
7c73152
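--- a/nix/hosts/thought/configuration.nix
+++ b/nix/hosts/thought/configuration.nix
@@ -5,7 +5,7 @@
 ./hardware-configuration.nix
 ];
 
-system.stateVersion = "24.05";
+system.stateVersion = "25.11";
 
 swapDevices = [
 {
@@ -24,14 +24,10 @@
 
 networking = {
 hostName = "vps";
-useDHCP = true;
-# Interface names will be auto-detected in hardware-configuration.nix
-# Using generic DHCP setting
 interfaces = { };
 firewall = {
 enable = true;
 allowedTCPPorts = [
-22
 80
 443
 2222
@@ -39,14 +35,7 @@
 };
 };
 
-environment.systemPackages = with pkgs; [
-neovim
-git
-htop
-tmux
-];
-
-age.identityPaths = [ "/keys.txt" ]; # TODO: i dont like that i overwrites literally everything
+age.identityPaths = [ "/keys.txt" ];
 
 services = {
 caddy = {
@@ -80,4 +69,10 @@
 ];
 };
 };
+
+environment.systemPackages = with pkgs; [
+neovim
+git
+htop
+];
 }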
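Review bot: Removing 22 from networking.firewall.allowedTCPPorts while leaving 2222 only preserves remote access if sshd is really bound to 2222, and the services.openssh block is not in this hunk, so confirm `services.openssh.ports = [ 2222 ];` is set on this host before the change is deployed; with `services.openssh.openFirewall` left at its default the configured SSH port is opened by the module itself, which would make the explicit 2222 entry redundant. The stateVersion change from "24.05" to "25.11" is a separate concern: NixOS treats system.stateVersion as the value recorded at install time that stays fixed on an existing machine, because raising it can switch stateful defaults (service data layouts, database versions) under an already-populated system, so if this host was installed at 24.05 the bump looks unintended. The TODO on age.identityPaths is deleted without the concern it recorded being addressed; either keep it or replace it with a short comment such as `# single identity for all agenix secrets; revisit if per-secret keys are ever needed`.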
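--- a/nix/modules/wireguard.nix
+++ b/nix/modules/wireguard.nix
@@ -1,43 +1,32 @@
 { config, pkgs, ... }:
 {
-boot.kernel.sysctl = {
-"net.ipv4.ip_forward" = 1;
-};
 
-networking.firewall.allowedUDPPorts = [ 51820 ];
+boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
 networking.nat = {
 enable = true;
 externalInterface = "ens3";
 internalInterfaces = [ "wg0" ];
 };
 
-age.secrets.wg-private-key = {
-file = ../secrets/wg-private-key.age;
-};
+age.secrets.wg-private-key.file = ../secrets/wg-private-key.age;
 
+networking.firewall.allowedUDPPorts = [ 51820 ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.100.0.1/24" ];
 listenPort = 51820;
 privateKeyFile = config.age.secrets.wg-private-key.path;
 
-# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
-# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
-postSetup = ''
-${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
-'';
-postShutdown = ''
-${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
-'';
+postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE'';
+postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE'';
 
 peers = [
 {
-# laptop
-publicKey = "cF0abpqZiMrofQUgFHS4D+FuXq3ZoCPBQUlr6WuvBwM=";
+publicKey = "cF0abpqZiMrofQUgFHS4D+FuXq3ZoCPBQUlr6WuvBwM="; # laptop
 allowedIPs = [ "10.100.0.2/32" ];
 }
 {
-# phone
-publicKey = "GodHMXUBh/0aEyz+XBJID7pm/Hi8xnZv6YzkQbl/Uwc=";
+publicKey = "GodHMXUBh/0aEyz+XBJID7pm/Hi8xnZv6YzkQbl/Uwc="; # phone
 allowedIPs = [ "10.100.0.3/32" ];
 }
 ];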
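Review bot: The rewritten postSetup/postShutdown lines still add and delete a MASQUERADE rule for 10.100.0.0/24 on ens3 by hand, even though networking.nat in the same file (enable = true, externalInterface = "ens3", internalInterfaces = [ "wg0" ]) already asks NixOS to manage masquerading for wg0 traffic leaving ens3, so the two mechanisms overlap and the uplink name is now hard-coded in three places. If the manual rules are kept, take the interface from the option instead of repeating the literal, `-o ${config.networking.nat.externalInterface}`, so a later edit to networking.nat cannot leave the hand-written rule pointing at a different NIC; if they are not needed, dropping them also removes a direct iptables invocation that would sit badly alongside an nftables-based firewall. The comment that explained why postSetup exists was deleted in the reformat; a one-line replacement such as `# Masquerade peer traffic out of the uplink so wg0 works as a full-tunnel VPN` keeps that intent visible. As far as I recall the nat module also turns on IPv4 forwarding itself, so the explicit `net.ipv4.ip_forward` sysctl may be redundant too — worth confirming. The wg0 attribute set closes outside this hunk.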