foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-01-31 16:57:55 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
f07aa33220
nixos-config/hosts/plover/modules/services/wireguard.nix

89 lines
2.5 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
# Take note this service is heavily based on the hardware networking setup of
# this host so better stay focused on the hardware configuration on this host.
let
acmeName = "wireguard.${config.networking.domain}";
inherit (builtins) toString;
inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
wireguardIFName = "wireguard0";
desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/24" "${IPv6}/96" ];
phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/24" "${IPv6}/96" ];
internalDomains = [
"~${config.networking.fqdn}"
];
in
{
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.firewall.allowedUDPPorts = [ wireguardPort ];
systemd.network = {
netdevs."99-${wireguardIFName}" = {
netdevConfig = {
Name = wireguardIFName;
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."plover/wireguard/private-key".path;
ListenPort = wireguardPort;
};
wireguardPeers = [
# Desktop workstation.
{
wireguardPeerConfig = {
PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/ni".path;
AllowedIPs = lib.concatStringsSep "," desktopPeerAddresses;
};
}
# Phone.
{
wireguardPeerConfig = {
PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," phonePeerAddresses;
};
}
];
};
networks."99-${wireguardIFName}" = {
matchConfig.Name = wireguardIFName;
networkConfig = {
DNS = with interfaces.internal; [
"127.0.0.1"
"::1"
];
Domains = lib.concatStringsSep " " internalDomains;
DNSDefaultRoute = false;
};
address = with interfaces.wireguard0; [
"${IPv4.address}/32"
"${IPv6.address}/128"
];
routes = [
{
routeConfig = {
Gateway = wireguardPeers.server.IPv4;
Destination = let
ip = lib.strings.splitString "." wireguardPeers.server.IPv4;
properRange = lib.lists.take 3 ip ++ [ "0" ];
ip' = lib.concatStringsSep "." properRange;
in "${ip'}/16";
};
}
];
};
};
}
Reference in New Issue View Git Blame Copy Permalink