authorFranck Cuny <franck@fcuny.net>2023-05-08 19:33:35 -0700
committerFranck Cuny <franck@fcuny.net>2023-05-08 19:33:35 -0700
commit4ec55bc970a48ef49763b6b4768da3ed95c71e0d (patch)
treeec7d019b2378d1127e41b76e2e3061e3f88b0d3d /modules/private-wireguard.nix
parentprofile/acme: default DNS provider is gandi (diff)
downloadworld-4ec55bc970a48ef49763b6b4768da3ed95c71e0d.tar.gz
modules/wireguard: move the module to the right location
Diffstat (limited to 'modules/private-wireguard.nix')
-rw-r--r--modules/private-wireguard.nix44
1 files changed, 44 insertions, 0 deletions
diff --git a/modules/private-wireguard.nix b/modules/private-wireguard.nix
new file mode 100644
index 0000000..d4ad676
--- /dev/null
+++ b/modules/private-wireguard.nix
@@ -0,0 +1,44 @@
+{ lib, hostname, config, self, ... }:
+
+let
+  inherit (lib) mkEnableOption mkOption mkIf types;
+  inherit (builtins) readFile fromTOML;
+  secrets = config.age.secrets;
+  cfg = config.networking.private-wireguard;
+  port = 51871;
+  wgcfg = fromTOML (readFile "${self}/configs/wireguard.toml");
+  allPeers = wgcfg.peers;
+  thisPeer = allPeers."${hostname}" or null;
+  otherPeers = lib.filterAttrs (n: v: n != hostname) allPeers;
+in
+{
+  options.networking.private-wireguard = {
+    enable = mkEnableOption "Enable private wireguard vpn connection";
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking = {
+      wireguard.interfaces.wg0 = {
+        listenPort = port;
+        privateKeyFile = secrets."wireguard_privatekey".path;
+        ips = [
+          "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
+        ];
+
+        peers = lib.mapAttrsToList
+          (name: peer:
+            {
+              allowedIPs = [
+                "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
+              ];
+              publicKey = peer.key;
+            } // lib.optionalAttrs (peer ? externalIp) {
+              endpoint = "${peer.externalIp}:${toString port}";
+            } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
+              persistentKeepalive = 10;
+            })
+          otherPeers;
+      };
+    };
+  };
+}
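Review bot: Each peer's allowedIPs on line 54 carries the interface mask (`wgcfg.mask4`); unless that mask is 32, every peer entry normalizes to the same network prefix and WireGuard's cryptokey routing keeps only the last peer configured for that prefix, so traffic for the other peers is sent to one endpoint. A per-peer host route is what the mapping intends: `"${wgcfg.subnet4}.${toString peer.ipv4}/32"`, keeping the full mask only on the interface's own `ips` on line 47. Separately, `thisPeer` falls back to `null` on line 33 but is dereferenced on line 47, so a host absent from the TOML fails with an attribute-on-null evaluation error rather than a clear message; an entry such as `assertions = [ { assertion = thisPeer != null; message = "private-wireguard: ${hostname} is not listed in configs/wireguard.toml"; } ];` inside the `config` block would make that explicit. The string on line 38 is prefixed with "Whether to enable" by mkEnableOption, so the rendered description reads "Whether to enable Enable …"; `mkEnableOption "private wireguard vpn connection"` reads correctly.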