feat: move wireguard module to nixos-extra-modules

2024-03-14 20:55:08 +01:00 · 2024-03-14 20:55:08 +01:00 · a4844807e6
commit a4844807e6
parent 621d725af3
27 changed files with 73 additions and 783 deletions
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -15,6 +15,7 @@
  boot.mode = "bios";

  users.groups.acme.members = ["nginx"];
+  wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
  services.nginx.enable = true;
  services.nginx.recommendedSetup = true;

@ -24,7 +25,7 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${config.meta.wireguard.proxy-sentinel.ipv4} = [config.networking.providedDomains.influxdb];
+  networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [config.networking.providedDomains.influxdb];
  meta.telegraf = {
    enable = true;
    scrapeSensors = false;
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -34,23 +34,12 @@
    };
  };

-  networking.nftables.firewall = {
-    zones = {
-      untrusted.interfaces = ["wan"];
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-    };
-    # Allow accessing nginx through the proxy
-    rules.proxy-sentinel-to-local = {
-      from = ["proxy-sentinel"];
-      to = ["local"];
-      allowedTCPPorts = [80 443];
-    };
-  };
+  networking.nftables.firewall.zones.untrusted.interfaces = ["wan"];

-  meta.wireguard.proxy-sentinel.server = {
+  wireguard.proxy-sentinel.server = {
    host = config.networking.fqdn;
    port = 51443;
    reservedAddresses = ["10.43.0.0/24" "fd00:43::/120"];
-    openFirewallRules = ["untrusted-to-local"];
+    openFirewall = true;
  };
 }