Get wireguard working on fortress

2025-08-03 16:15:04 -05:00 · 2025-08-03 16:15:04 -05:00 · b5c9b4b971
commit b5c9b4b971
parent e8201b278a
2 changed files with 73 additions and 10 deletions
--- a/systems/fortress/configuration.nix
+++ b/systems/fortress/configuration.nix
@ -72,13 +72,27 @@
      group = "haproxy";
    };

-    "dotspace/fortress/keys/wireguard.priv" = {
+    "dotspace/fortress/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
+    "dotspace/fortress/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
+
+    "dotspace/fortress/keys/wireguard/private.key" = {
+      mode = "0640";
+      group = "systemd-network";
      sopsFile = ./secrets.yaml;
    };
-    "dotspace/fortress/keys/tinc/rsa_key.priv" = {
+    "dotspace/fortress/keys/wireguard/lauren-phone.psk" = {
+      mode = "0640";
+      group = "systemd-network";
      sopsFile = ./secrets.yaml;
    };
-    "dotspace/fortress/keys/tinc/ed25519_key.priv" = {
+    "dotspace/fortress/keys/wireguard/ashley-phone.psk" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+    "dotspace/fortress/keys/wireguard/lauren-laptop.psk" = {
+      mode = "0640";
+      group = "systemd-network";
      sopsFile = ./secrets.yaml;
    };
  };
@ -179,14 +193,59 @@
      matchConfig.PermanentMACAddress = "5a:b1:f4:39:a2:87";
      address = [ "10.132.86.139/16" ];
    };
+  };

-    networks."90-tinc" = {
-      matchConfig.Name = "tinc.dotspace";
-      address = [ "10.86.84.1/32" ];
-      routes = [ { Destination = "10.86.84.0/24"; } ];
+  ##############################################################################
+  # Wireguard
+
+  systemd.network.networks."90-wg.fortress" = {
+    matchConfig.Name = "wg.fortress";
+    address = [ "10.13.13.1/24" ];
+    networkConfig = {
+      IPMasquerade = "ipv4";
+      IPv4Forwarding = true;
    };
  };

+  systemd.network.netdevs."50-wg.fortress" = {
+    netdevConfig = {
+      Kind = "wireguard";
+      Name = "wg.fortress";
+      MTUBytes = "1300";
+    };
+    wireguardConfig = {
+      PrivateKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/private.key";
+      ListenPort = 51820; # TODO: This should've been 51280
+      RouteTable = "main";
+    };
+    wireguardPeers = [
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/lauren-phone.psk";
+        PublicKey = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
+        AllowedIPs = [ "10.13.13.3/32" ];
+      }
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/ashley-phone.psk";
+        PublicKey = "AtmZMqvQgsRVq44kYdjOkC8ACmrw8MbDhyPSvtEbmlc=";
+        AllowedIPs = [ "10.13.13.4/32" ];
+      }
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/lauren-laptop.psk";
+        PublicKey = "prhDYwUWhEc5X+zWHrqw79MFFvEN/qAAAZPq7vndhRE=";
+        AllowedIPs = [ "10.13.13.5/32" ];
+      }
+    ];
+  };
+
+  ##############################################################################
+  # Tinc
+
+  systemd.network.networks."90-tinc" = {
+    matchConfig.Name = "tinc.dotspace";
+    address = [ "10.86.84.1/32" ];
+    routes = [ { Destination = "10.86.84.0/24"; } ];
+  };
+
  services.tinc.networks.dotspace = {
    name = "fortress";
    ed25519PrivateKeyFile = "/run/secrets/dotspace/fortress/keys/tinc/ed25519_key.priv";