Add wg-access-server

2025-08-29 16:43:36 +02:00 · 2025-08-29 16:43:36 +02:00 · b614dcf1ec
commit b614dcf1ec
parent 0ebf24af44
3 changed files with 45 additions and 0 deletions
--- a/machines/aresix/configuration.nix
+++ b/machines/aresix/configuration.nix
@ -4,6 +4,7 @@
    ./modules/home-assistant
    ./modules/dyndns.nix
    ./modules/network.nix
+    ./modules/wireguard.nix
  ];

  services.logind.lidSwitch = "ignore";
--- a/machines/aresix/modules/reverse-proxy.nix
+++ b/machines/aresix/modules/reverse-proxy.nix
@ -27,6 +27,17 @@
          proxyWebsockets = true;
        };
      };
+      "wg.campares.duckdns.org" = {
+        forceSSL = true;
+        enableACME = true;
+        extraConfig = ''
+          proxy_buffering off;
+        '';
+        locations."/" = {
+          proxyPass = "http://[::1]:8000";
+          proxyWebsockets = true;
+        };
+      };
    };
  };
 }
--- a/machines/aresix/modules/wireguard.nix
+++ b/machines/aresix/modules/wireguard.nix
@ -0,0 +1,33 @@
+{config, ...}: {
+  clan.core.vars.generators.wg-access-server = {
+    prompts.admin-password = {
+      description = "Password for the wg-access-server admin user";
+      type = "hidden";
+    };
+
+    prompts.wireguard-private-key = {
+      description = "Wireguard private key wg-access-server will use";
+      type = "hidden";
+    };
+
+    files.secrets-file.secret = true;
+    script = ''
+      cat <<EOL > $out/secrets-file
+      adminPassword: $(<$prompts/admin-password)
+      wireguard:
+        privateKey: $(<$prompts/wireguard-private-key)
+      EOL
+    '';
+  };
+
+  services.wg-access-server = {
+    enable = true;
+
+    settings = {
+      httpHost = "::1";
+    };
+
+    secretsFile = config.clan.core.vars.generators.wg-access-server.files.secrets-file.path;
+  };
+  networking.firewall.allowedUDPPorts = [51820 53];
+}