wireguard network

connection proxy->v6proxy works connection mail->v6proxy blocked
2026-03-21 21:27:14 +01:00 · 2026-03-21 21:27:14 +01:00 · 9c10e99502
commit 9c10e99502
parent 26d56a1dfe
7 changed files with 158 additions and 2 deletions
--- a/hosts/v6proxy/default.nix
+++ b/hosts/v6proxy/default.nix
@ -6,6 +6,12 @@
  ...
 }:
 {
+  sops = {
+    defaultSopsFile = ./secrets.sops.yml;
+    secrets = {
+      "wireguard-key".owner = "systemd-network";
+    };
+  };
  imports = [
    ./hardware-configuration.nix
    ./hetzner-disk.nix
@ -48,6 +54,37 @@
    nftables = {
      enable = true;
    };
+    wireguard = {
+      enable = true;
+      interfaces = {
+        sturauplink = {
+          listenPort = 51820;
+          privateKeyFile = config.sops.secrets."wireguard-key".path;
+          ips = [
+            "10.100.0.1/24"
+            "fd28:6691:1921:6299::1/64"
+          ];
+          peers = [
+            # mail.test.htw.stura-dresden.de
+            {
+              allowedIPs = [
+                "10.100.0.20/32"
+              ];
+              publicKey = "9Ep/YZLbnGEVWHgVmmwq2Sv/8awwGaHdwiSuIUkWtnk=";
+            }
+            # proxy.htw.stura-dresden.de
+            {
+              allowedIPs = [
+                "10.100.0.2/32"
+                "fd28:6691:1921:6299::2/64"
+              ];
+              endpoint = "141.56.51.1:51820";
+              publicKey = "pUHtAHCDHVQBnqtlIgTkEMHbxXpQmVA0HhxiFUrUb0U=";
+            }
+          ];
+        };
+      };
+    };
  };

  # wenn instanzen in die flake migriert sind könnte man das autogenerierien
@ -102,6 +139,7 @@
    };

  environment.systemPackages = with pkgs; [
+    wireguard-tools
  ];

  system.stateVersion = "25.11";