wireguard network

connection proxy->v6proxy works connection mail->v6proxy blocked
2026-03-21 21:27:14 +01:00 · 2026-03-21 21:27:14 +01:00 · 9c10e99502
commit 9c10e99502
parent 26d56a1dfe
7 changed files with 158 additions and 2 deletions
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@ -6,6 +6,12 @@
  ...
 }:
 {
+  sops = {
+    defaultSopsFile = ./secrets.sops.yml;
+    secrets = {
+      "wireguard-key".owner = "systemd-network";
+    };
+  };
  imports = [
    ./hardware-configuration.nix
    ./hetzner-disk.nix
@ -13,6 +19,7 @@

  networking = {
    hostName = "proxy";
+    nameservers = [ "141.56.51.1" ];
    interfaces.ens18.ipv4.addresses = [
      {
        address = "141.56.51.1";
@ -37,6 +44,30 @@
    nftables = {
      enable = true;
    };
+    wireguard = {
+      enable = true;
+      interfaces = {
+        sturauplink = {
+          privateKeyFile = config.sops.secrets."wireguard-key".path;
+          ips = [
+            "10.100.0.2/24"
+            "fd28:6691:1921:6299::2/64"
+          ];
+          listenPort = 51820;
+          peers = [
+            # mail.test.htw.stura-dresden.de
+            {
+              endpoint = "hetzner.test.htw.stura-dresden.de:51820";
+              allowedIPs = [
+                "10.100.0.0/24"
+              ];
+              persistentKeepalive = 30;
+              publicKey = "Tg/SNniezzF4DUnvUl1/JxQwS18POrUR20UmkQDt+X0=";
+            }
+          ];
+        };
+      };
+    };
  };

  # wenn instanzen in die flake migriert sind könnte man das autogenerierien
@ -255,6 +286,7 @@
              proxy   IN      AAAA    2a01:4f8:1c19:96f8::1

              ; Auto-generated CNAME records for all subdomains pointing to proxy
+              hetzner.test IN A 178.104.18.93
              ${lib.foldlAttrs (
                prev: name: value:
                let