MaloVPN
Running in the cloud. To let a host access the VPN you need to do the following:
- generate a wireguard keypair
- add the host to ./machines/modules/malobeo/peers.nix
- enable the malovpn module on the host
Generate Wireguard keys
Enter a nix shell that provides the wg commands:
nix-shell -p wireguard-tools
umask 077                          # key files are created readable by you only
wg genkey > wg.private             # private key: stays on the host
wg pubkey < wg.private > wg.pub    # public key: goes into peers.nix
Now you have a private/public keypair. Add the private key to the host's sops secrets if you like; the module example below reads it from there.
Add host to peers.nix
peers.nix is a central 'registry' of all the hosts in the VPN. Any host added here is added to the VPN server's peer list, which lets it access the VPN. This allows us to control who gets access through this repository.
- Add your host to /machines/modules/malobeo/peers.nix
- Set the role to "client"
- Choose an IP address for 'address' that is not taken already
- Set allowedIPs like the other entries, unless this host should only reach certain peers, in which case list just those (WireGuard uses allowedIPs both to decide which destinations are routed to a peer and which source addresses it accepts from that peer)
- Add your public key here as a string
After that, commit your changes and either open a PR or push directly to master.
Example:
"celine" = {
  role = "client";
  address = [ "10.100.0.2/24" ];
  allowedIPs = [ "10.100.0.0/24" ];
  publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
};
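As an added example (not code from the repository), a small Python check for a peers.nix in the shape shown above: it flags an address that is already taken, an allowedIPs range that reaches beyond the VPN subnet, and a publicKey that is not a 32-byte base64 key. The sample registry, the server entry name and the VPN range 10.100.0.0/24 are constructed assumptions.

```python
import base64, ipaddress, re
# Constructed sample in the shape of the peers.nix entries shown above; hosts
# and keys are placeholders, not the repository's real registry.
SAMPLE_PEERS_NIX = """
  "malovpn-server" = {
    role = "server";
    address = [ "10.100.0.1/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    publicKey = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=";
  };
  "celine" = {
    role = "client";
    address = [ "10.100.0.2/24" ];
    allowedIPs = [ "10.100.0.0/24" ];
    publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
  };
"""
ENTRY_RE = re.compile(r'"(?P<name>[^"]+)"\s*=\s*\{(?P<body>.*?)\};', re.S)
FIELD_RE = re.compile(r'(\w+)\s*=\s*(.*?);', re.S)

def parse_peers(text):
    # peer name -> {field: [string values]}; enough for the flat attribute sets in peers.nix
    return {m.group("name"): {f.group(1): re.findall(r'"([^"]*)"', f.group(2))
                              for f in FIELD_RE.finditer(m.group("body"))}
            for m in ENTRY_RE.finditer(text)}

def is_wg_key(key):
    # a WireGuard key is 32 raw bytes, which is exactly 44 base64 characters
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def check_peers(text, vpn_net="10.100.0.0/24"):
    # returns a list of problems; an empty list means the registry is consistent
    net, problems, seen_addr = ipaddress.ip_network(vpn_net), [], {}
    for name, f in parse_peers(text).items():
        for a in f.get("address", []):
            ip = ipaddress.ip_interface(a).ip
            if ip not in net:
                problems.append(f"{name}: address {a} is outside {vpn_net}")
            elif ip in seen_addr:
                problems.append(f"{name}: address {a} is already taken by {seen_addr[ip]}")
            seen_addr.setdefault(ip, name)
        for r in f.get("allowedIPs", []):
            if not ipaddress.ip_network(r).subnet_of(net):
                problems.append(f"{name}: allowedIPs {r} reaches beyond {vpn_net}")
        if not is_wg_key((f.get("publicKey") or [""])[0]):
            problems.append(f"{name}: publicKey is not a base64-encoded 32-byte key")
    return problems
```

Run check_peers over the real file before committing; a range wider than the VPN subnet in allowedIPs would pull non-VPN traffic into the tunnel, which is why it is flagged.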
Enable MaloVPN on Host
Either configure WireGuard manually or use the malobeo VPN module.
The 'name' must match your host's name in peers.nix:
{ config, malobeo, ... }:   # malobeo is assumed to be the flake input passed in as a module argument
{
  imports = [
    malobeo.nixosModules.malobeo.vpn
  ];

  # the private key generated above, stored in this host's sops secrets
  sops.secrets.private_key = {};

  services.malobeo.vpn = {
    enable = true;
    name = "celine";                                        # must match the entry in peers.nix
    privateKeyFile = config.sops.secrets.private_key.path;  # path to the key, never the key itself
  };
}
After a rebuild-switch you should be able to ping the VPN server at 10.100.0.1. If peers.nix was committed only shortly before, it may take a while until the VPN server has updated its peer list.