Migrate to systemd-networkd
parent
5da50e5290
commit
39ff4ee9e8
|
@ -105,7 +105,11 @@ with pkgs;
|
|||
|
||||
# Specify secrets
|
||||
age = {
|
||||
secrets.wireguard.file = secrets/wireguard.age;
|
||||
secrets.wireguard = {
|
||||
file = secrets/wireguard.age;
|
||||
owner = "systemd-network";
|
||||
group = "systemd-network";
|
||||
};
|
||||
secrets.syncthing.file = secrets/syncthing.age;
|
||||
secrets.msmtp.file = secrets/msmtp.age;
|
||||
secrets.gitea = {
|
||||
|
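Review bot: Giving the wireguard key file `owner = "systemd-network"` as well as `group = "systemd-network"` hands ownership of the private key to the service account that only needs to read it; as owner it can chmod the file and rewrite or exfiltrate the key, which a compromised networkd should not be able to do. The least-privilege shape for a networkd `PrivateKeyFile=` is root ownership with group read, and since no `mode` is set here the agenix default applies silently, so I would state it explicitly: `owner = "root"; group = "systemd-network"; mode = "0440";`. A one-line comment such as `# read-only for systemd-networkd (PrivateKeyFile= in the wg0 netdev)` would also record why this secret differs from the others in the block. The enclosing `age = { ... }` attribute set closes outside the hunk.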
|
|
@ -3,23 +3,24 @@
|
|||
let wireguard_port = 1194;
|
||||
|
||||
in {
|
||||
# Assign a static IP
|
||||
# Enable systemd-networkd
|
||||
networking = {
|
||||
hostName = "zion";
|
||||
hostId = "4e74ea68";
|
||||
interfaces.eth0 = {
|
||||
useDHCP = false;
|
||||
ipv4.addresses = [{
|
||||
address = "192.168.13.2";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
};
|
||||
defaultGateway = {
|
||||
address = "192.168.13.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
nameservers = [ "51.158.108.203" "137.220.55.93" ];
|
||||
enableIPv6 = false;
|
||||
useDHCP = false;
|
||||
useNetworkd = true;
|
||||
dhcpcd.enable = false;
|
||||
};
|
||||
systemd.services."systemd-networkd-wait-online".enable = false;
|
||||
|
||||
# Assign a static IP
|
||||
systemd.network.networks."24-home" = {
|
||||
name = "eth0";
|
||||
matchConfig.Name = "eth0";
|
||||
address = [ "192.168.13.2/24" ];
|
||||
gateway = [ "192.168.13.1" ];
|
||||
dns = [ "51.158.108.203" "137.220.55.93" ];
|
||||
networkConfig.DNSSEC = "no";
|
||||
};
|
||||
|
||||
# Enable zeroconf
|
||||
|
@ -61,38 +62,47 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
# Enable NAT for wireguard
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
externalInterface = "eth0";
|
||||
internalInterfaces = [ "wg0" ];
|
||||
# Wireguard setup
|
||||
systemd.network.netdevs."wg0" = {
|
||||
netdevConfig = {
|
||||
Kind = "wireguard";
|
||||
Name = "wg0";
|
||||
};
|
||||
wireguardConfig = {
|
||||
ListenPort = wireguard_port;
|
||||
PrivateKeyFile = config.age.secrets.wireguard.path;
|
||||
};
|
||||
wireguardPeers = [
|
||||
# panacea
|
||||
{
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
|
||||
AllowedIPs = [ "10.8.0.2/32" ];
|
||||
};
|
||||
}
|
||||
# caravanserai
|
||||
{
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
|
||||
AllowedIPs = [ "10.8.0.3/32" ];
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
# Wireguard setup
|
||||
networking.wireguard.interfaces = {
|
||||
wg0 = {
|
||||
ips = [ "10.8.0.1/24" ];
|
||||
listenPort = wireguard_port;
|
||||
privateKeyFile = config.age.secrets.wireguard.path;
|
||||
peers = [
|
||||
# panacea
|
||||
{
|
||||
publicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
|
||||
allowedIPs = [ "10.8.0.2/32" ];
|
||||
}
|
||||
# caravanserai
|
||||
{
|
||||
publicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
|
||||
allowedIPs = [ "10.8.0.3/32" ];
|
||||
}
|
||||
];
|
||||
systemd.network.networks."wg0" = {
|
||||
matchConfig.Name = "wg0";
|
||||
networkConfig = {
|
||||
Address = "10.8.0.1/24";
|
||||
IPForward = true;
|
||||
IPMasquerade = "ipv4";
|
||||
};
|
||||
};
|
||||
|
||||
# DNS server with ad-block
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
servers = config.networking.nameservers;
|
||||
servers = config.systemd.network.networks."24-home".dns;
|
||||
extraConfig = ''
|
||||
domain-needed
|
||||
bogus-priv
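Review bot: The new `wg0` network enables `IPForward = true` and `IPMasquerade = "ipv4"` without any replacement for the scoping the removed `networking.nat` block gave (external interface pinned to `eth0`, NATed sources limited to `wg0`); in networkd `IPForward=` is documented as a global kernel setting rather than a per-interface one, and `IPMasquerade=` masquerades everything forwarded from wg0 whichever interface it leaves by, so the host now forwards and NATs between interfaces with nothing visible in this hunk filtering the forward path. Unless the firewall elsewhere in the config restricts FORWARD, I would either keep eth0-scoped NAT rules or at least document the assumption next to these two lines, e.g. `# Forwarding is system-wide once enabled here; wg0 peers are NATed out of eth0 and FORWARD is not filtered`. Depending on the systemd version shipped by the targeted NixOS release, `IPForward=` may also be deprecated in favour of `IPv4Forwarding=`, which is worth checking before this lands. The `services.dnsmasq` block, including its `extraConfig`, continues outside the hunk.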
|
||||
|
|