authorRory& <root@rory.gay>2025-04-04 10:32:41 +0200
committerRory& <root@rory.gay>2025-04-04 10:32:41 +0200
commitb63bfc40ab096f2b43a6e594b77ae6dcc75d9a9b (patch)
tree9e654097e2dc31bccdd6b94220e1e59450741e32
parentWireguard on server (diff)
downloadRory-Open-Architecture-b63bfc40ab096f2b43a6e594b77ae6dcc75d9a9b.tar.xz
Wireguard, but networkd
-rw-r--r--host/Rory-ovh/services/wireguard/wireguard.nix51
1 files changed, 29 insertions, 22 deletions
diff --git a/host/Rory-ovh/services/wireguard/wireguard.nix b/host/Rory-ovh/services/wireguard/wireguard.nix

index a770603..db73f3f 100644
--- a/host/Rory-ovh/services/wireguard/wireguard.nix
+++ b/host/Rory-ovh/services/wireguard/wireguard.nix
@@ -5,28 +5,35 @@
 allowedUDPPorts = [ 51820 ];
 };
- networking.wireguard.enable = true;
- networking.wireguard.interfaces = {
- wg0 = {
- ips = [ "10.100.0.1/24" ];
- listenPort = 51820;
-
- postSetup = ''
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp98s0f0 -j MASQUERADE
- '';
-
- postShutdown = ''
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp98s0f0 -j MASQUERADE
- '';
-
- privateKeyFile = "/data/secrets/wireguard-keys/private";
-
- peers = [
- {
- publicKey = "WLHEyWxEXRn/T0b9xk/8XJnuoCX0fXxWKHUjZ+AORGQ=";
- allowedIPs = [ "10.100.0.2/32" ];
- }
- ];
+ systemd.network = {
+ enable = true;
+ netdevs = {
+ "50-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/data/secrets/wireguard-keys/private";
+ ListenPort = 51820;
+ RouteTable = "main"; # wg-quick creates routing entries automatically but we must use use this option in systemd.
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "WLHEyWxEXRn/T0b9xk/8XJnuoCX0fXxWKHUjZ+AORGQ=";
+ AllowedIPs = [ "10.100.0.2" ];
+ }
+ ];
+ };
+ };
+ networks.wg0 = {
+ matchConfig.Name = "wg0";
+ address = [ "10.100.0.1/24" ];
+ networkConfig = {
+ IPMasquerade = "ipv4";
+ IPForward = true;
+ };
 };
 };
 }
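Review bot: `IPForward = true;` under `networks.wg0.networkConfig` enables forwarding for IPv6 as well as IPv4, although the tunnel only carries `10.100.0.0/24`; `IPForward = "ipv4";` (or `IPv4Forwarding = true;` on systemd releases that have superseded `IPForward`) keeps it to what the removed iptables rule needed, and `IPMasquerade = "ipv4"` may already imply it. The removed rule also limited NAT to `-s 10.100.0.0/24 -o enp98s0f0`, while the networkd setting masquerades whatever is forwarded from wg0 out of any interface, so it is worth confirming that a forward-chain policy restricts where the peer can route; the firewall block begins outside this hunk, so that is not visible here. Separately, networkd reads `PrivateKeyFile` as the `systemd-network` user rather than as root, so I would add a comment beside it such as `# must be readable by systemd-network only: root:systemd-network, mode 0640`.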