Add Public IP address through WireGuard

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
This commit is contained in:
Denis 'GNUtoo' Carikli 2023-09-12 21:27:01 +02:00
parent 31da868705
commit 495c347e77
Signed by: GNUtoo
GPG Key ID: 5F5DFCC14177E263
4 changed files with 68 additions and 4 deletions

.gitignore vendored

@ -9,6 +9,7 @@ first-boot.sh
guix-commit.txt
id_ed25519
id_ed25519.pub
id_wireguard
index.html
install-sh
Makefile
@ -17,3 +18,4 @@ missing
mumble-vm-machine.scm
mumble-vm-system.scm
signing-key.pub
wireguard-post-up.sh


@ -16,7 +16,8 @@ CLEANFILES = \
index.html \
mumble-vm.img \
mumble-vm-machine.scm \
mumble-vm-system.scm
mumble-vm-system.scm \
wireguard-post-up.sh
# We want to only update the image when guix commit changes. The trick
# to make that work is to only create or update a file when the revision
@ -53,7 +54,8 @@ IMAGE_SOURCE = \
mumble-vm-system.scm \
id_ed25519.pub \
Makefile \
signing-key.pub
signing-key.pub \
wireguard-post-up.sh
mumble-vm.img: $(IMAGE_SOURCE)
sudo install \
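Review bot: id_wireguard is not added to IMAGE_SOURCE in the second hunk, although the system definition in this same commit reads it via `(local-file "id_wireguard")`, so rotating the WireGuard key will not trigger a rebuild of mumble-vm.img, since the `mumble-vm.img: $(IMAGE_SOURCE)` rule depends only on that list. If it is not already listed above the visible part of the list, add `id_wireguard \` next to `signing-key.pub \`. The new wireguard-post-up.sh entry in CLEANFILES implies it is generated from wireguard-post-up.sh.tmpl, but no rule producing it appears in these hunks; if that rule does not live elsewhere in the Makefile, the IMAGE_SOURCE dependency will not resolve. Both variable definitions start outside the hunks.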


@ -19,6 +19,7 @@
#:use-module (gnu services certbot)
#:use-module (gnu services ssh)
#:use-module (gnu services telephony)
#:use-module (gnu services vpn)
#:use-module (gnu services web)
#:use-module (guix build-system copy)
#:use-module (guix build-system gnu)
@ -70,6 +71,32 @@ the services after that.")
(home-page #f)
(license license:gpl3+)))
(define wireguard-post-up-fixups
(package
(name "wireguard-post-up-fixups")
(version "0.1")
(source (local-file "wireguard-post-up.sh" ))
(build-system gnu-build-system)
(arguments
(list #:tests? #f ;no tests
#:phases
#~(modify-phases
%standard-phases
(delete 'build)
(delete 'configure)
(replace 'install
(lambda _
(chmod "wireguard-post-up.sh" #o755)
(install-file
"wireguard-post-up.sh"
(string-append (string-append #$output "/bin"))))))))
(synopsis "Script to fixup the Wireguard interface(s).")
(description
"Currently, the wireguard-post-up.sh script sets up the interface
MTU.")
(home-page #f)
(license license:gpl3+)))
(define-public %nginx-deploy-hook
(program-file
"nginx-deploy-hook"
@ -82,6 +109,9 @@ the services after that.")
(kill nginx-pid SIGHUP)
(kill mumble-server-pid SIGUSR1))))))
(define-public %wireguard-post-up
(list "/run/current-system/profile/bin/wireguard-post-up.sh"))
(define mumble-vm-operating-system
(operating-system
(bootloader (bootloader-configuration
@ -107,7 +137,8 @@ the services after that.")
net-tools
nmon
openssh-sans-x
website)
website
wireguard-post-up-fixups)
%base-packages))
(services
(append
@ -195,7 +226,22 @@ https://DOMAIN/
`(("root" , (local-file "id_ed25519.pub"))
("gnutoo" ,(local-file "id_ed25519.pub"))))))
;; Unattended Upgrades
(service unattended-upgrade-service-type))
(service unattended-upgrade-service-type)
(service wireguard-service-type
(wireguard-configuration
(addresses '("79.143.250.36/32" "2001:678:938:3ff::36/128"))
(dns '("79.143.250.1" "79.143.250.2"
"2001:678:938::53:1" "2001:678:938::53:2"))
(port 0)
(post-up %wireguard-post-up)
(private-key (local-file "id_wireguard"))
(peers
(list
(wireguard-peer
(name "stephanie.franciliens.net")
(endpoint "stephanie.franciliens.net:51820")
(public-key "Ybfh3twyBpj7wx/lo9AVBsBKNAUMSQqAWWV0LfywSDI=")
(allowed-ips '("0.0.0.0/0" "::/0"))))))))
(modify-services
%base-services
(guix-service-type config => (guix-configuration
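Review bot: `(private-key (local-file "id_wireguard"))` in the wireguard-configuration copies the WireGuard private key into /gnu/store, which is world-readable on the build host and on the deployed VM; the .gitignore entry for id_wireguard in the same commit shows the key is meant to stay secret, whereas the id_ed25519.pub entries in this hunk are public keys and are fine in the store. Keep the private-key field a path string pointing at a file provisioned outside the store with owner-only permissions (the Guix default is, if I recall correctly, /etc/wireguard/private.key), e.g. `(private-key "/etc/wireguard/private.key")`, and install the key there out of band. Minor: in wireguard-post-up-fixups the nested `(string-append (string-append #$output "/bin"))` can be a single `(string-append #$output "/bin")`. The mumble-vm-operating-system definition that contains the service hunk starts and ends outside the hunk.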

wireguard-post-up.sh.tmpl Normal file

@ -0,0 +1,14 @@
#!/bin/sh
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
set -e
ip link set dev wg0 mtu 1380
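Review bot: The only command hardcodes the interface name wg0, while the post-up hook that runs it is configured per interface and wg-quick substitutes %i with the interface name in PostUp commands, so passing it through avoids silently touching the wrong interface if the name changes: `ip link set dev "${1:-wg0}" mtu 1380`, with the hook entry becoming `wireguard-post-up.sh %i`. The value 1380 also deserves a why-comment, since the header only carries the license, e.g. `# 1380 leaves room for WireGuard encapsulation on this link — TODO record the measured path MTU`. The file is named .tmpl, but nothing in the visible lines is a template placeholder; the hunk header counts 14 lines and 13 are shown, so one line may have been dropped in rendering.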