set up birbs website

2025-11-24 18:27:08 +01:00 · 2025-11-24 18:27:08 +01:00 · 56c3c4c479
commit 56c3c4c479
parent 75212dff9c
8 changed files with 194 additions and 72 deletions
--- a/configs/services/wireguard_cube.nix
+++ b/configs/services/wireguard_cube.nix
@ -22,18 +22,50 @@ in {
      externalInterface = "eth0";
      internalInterfaces = [ "wg0" ];
    };
+
    # Open ports in the firewall
    firewall = {
      rejectPackets = true;
-      trustedInterfaces = [ "wg0" ];
+      trustedInterfaces = [ "wgbr" "wg0" ];
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 wg_port ];
    };

+    interfaces.wgbr.ipv4 = {
+      routes = [ ];
+      addresses = [
+        {
+          address = "10.8.2.1";
+          prefixLength = 24;
+        }
+      ];
+    };
+
+    defaultGateway = {
+      address = "10.10.0.254";
+      interface = "eth0";
+    };
+
+    interfaces.eth0.ipv4 = {
+      routes = [
+        {
+          address = "10.10.0.0";
+          prefixLength = 16;
+          via = "10.10.0.254";
+        }
+      ];
+      addresses = [
+        {
+          address = "10.10.0.4";
+          prefixLength = 24;
+        }
+      ];
+    };
+
    wg-quick.interfaces = {
      wg0 = {
        # Determines the IP address and subnet of the client's end of the tunnel interface.
-        address = [ "10.8.0.1/16" ];
+        address = [ "10.8.0.1/24" ];
        listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)

        # Path to the private key file (see sops).
@ -43,13 +75,13 @@ in {
        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
        postUp = ''
          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.1.1/24 -o eth0 -j MASQUERADE
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.1.1/24 -o wgbr -j MASQUERADE
        '';

        # Undo the above
        preDown = ''
          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.1.1/24 -o eth0 -j MASQUERADE
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.1.1/24 -o wgbr -j MASQUERADE
        '';

        peers = [