diff --git a/machines/aresix/configuration.nix b/machines/aresix/configuration.nix
index 84c3b58..43e3d3e 100644
--- a/machines/aresix/configuration.nix
+++ b/machines/aresix/configuration.nix
@@ -4,6 +4,7 @@
     ./modules/home-assistant
     ./modules/dyndns.nix
     ./modules/network.nix
+    ./modules/wireguard.nix
   ];
 
   services.logind.lidSwitch = "ignore";
diff --git a/machines/aresix/modules/reverse-proxy.nix b/machines/aresix/modules/reverse-proxy.nix
index dec4250..05458a6 100644
--- a/machines/aresix/modules/reverse-proxy.nix
+++ b/machines/aresix/modules/reverse-proxy.nix
@@ -27,6 +27,17 @@
         proxyWebsockets = true;
       };
     };
+    "wg.campares.duckdns.org" = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        proxy_buffering off;
+      '';
+      locations."/" = {
+        proxyPass = "http://[::1]:8000";
+        proxyWebsockets = true;
+      };
+    };
   };
 };
}
diff --git a/machines/aresix/modules/wireguard.nix b/machines/aresix/modules/wireguard.nix
new file mode 100644
index 0000000..1c5b5ef
--- /dev/null
+++ b/machines/aresix/modules/wireguard.nix
@@ -0,0 +1,33 @@
+{config, ...}: {
+  clan.core.vars.generators.wg-access-server = {
+    prompts.admin-password = {
+      description = "Password for the wg-access-server admin user";
+      type = "hidden";
+    };
+
+    prompts.wireguard-private-key = {
+      description = "Wireguard private key wg-access-server will use";
+      type = "hidden";
+    };
+
+    files.secrets-file.secret = true;
+    script = ''
+      cat < $out/secrets-file
+      adminPassword: $(<$prompts/admin-password)
+      wireguard:
+        privateKey: $(<$prompts/wireguard-private-key)
+      EOL
+    '';
+  };
+
+  services.wg-access-server = {
+    enable = true;
+
+    settings = {
+      httpHost = "::1";
+    };
+
+    secretsFile = config.clan.core.vars.generators.wg-access-server.files.secrets-file.path;
+  };
+  networking.firewall.allowedUDPPorts = [51820 53];
+}
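Review bot: `proxyPass = "http://[::1]:8000"` in the new `wg.campares.duckdns.org` vhost hard-codes the backend port, while the new wireguard.nix module only sets `httpHost = "::1"` and leaves the listen port at whatever wg-access-server defaults to, so the two files agree only by coincidence. Setting the port explicitly in `services.wg-access-server.settings` next to `httpHost` (or deriving `proxyPass` from that value) keeps the proxy target and the service in step if the default ever changes. The enclosing `virtualHosts` attribute set begins before this hunk.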
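Review bot: The generator script's first line reads `cat < $out/secrets-file`, which is an input redirection rather than a heredoc, so the `EOL` terminator four lines later closes nothing and the intervening YAML lines would be run as shell commands instead of written to the file; if the source actually reads `cat <<EOL > $out/secrets-file` and the `<<EOL >` was lost in rendering, disregard this. The prompt values are interpolated unquoted into YAML, so an admin password containing `:`, `#` or a leading quote would corrupt the secrets file; writing `adminPassword: "$(<$prompts/admin-password)"` is safer, although it still does not escape embedded double quotes or backslashes. `networking.firewall.allowedUDPPorts = [51820 53]` opens UDP 53 on every interface, not only the tunnel; if 53 is there for wg-access-server's DNS forwarder serving VPN clients, scoping it with `networking.firewall.interfaces.<WG_INTERFACE>.allowedUDPPorts = [53]` (placeholder for the tunnel interface name) avoids publishing a resolver on the public side.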