authentik yay

This commit is contained in:
Lucy Hochkamp 2025-09-07 00:11:16 +02:00
parent d3a93fd115
commit f2fcbfb679
No known key found for this signature in database
34 changed files with 612 additions and 363 deletions


@ -30,10 +30,10 @@ let
(lib.optional (c?publicHostname) {
# if peer is publicly on the internet
AllowedIPs =
(lib.optionals (c.wg.server) [
(lib.optionals ( c?wg.server && c.wg.server) [
"${ulaPrefix}::/48" # all traffic in the ula shall be sent to the server
])
++ (lib.optionals (!c.wg.server) [
++ (lib.optionals (!c?wg.server || !c.wg.server) [
"${genUlaForHost ulaPrefix c.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip
]);
Endpoint = "${c.publicHostname}:51820";
@ -90,9 +90,15 @@ in
name = (genUlaForHost monitoringUlaPrefix v.hostName);
}
) instanceConfigs);
networking.firewall.allowedUDPPorts = lib.optional wgServer [ 51820 ];
networking.firewall.interfaces."wg0".allowedUDPPorts = lib.optional wgServer [ 53 ];
networking.firewall.allowedUDPPorts = lib.optional wgServer 51820;
networking.firewall.interfaces."wg0".allowedUDPPorts = lib.optional wgServer 53;
systemd.network.netdevs."wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
Description = "main wireguard tunnel";
};
wireguardConfig = {
ListenPort = lib.mkIf wgServer 51820;
PrivateKeyFile = config.sops.secrets."wg/privkey".path; # TODO