about summary refs log tree commit diff
path: root/modules
diff options
context:
space:
mode:
authorFranck Cuny <franck@fcuny.net>2023-05-08 19:33:35 -0700
committerFranck Cuny <franck@fcuny.net>2023-05-08 19:33:35 -0700
commit4ec55bc970a48ef49763b6b4768da3ed95c71e0d (patch)
treeec7d019b2378d1127e41b76e2e3061e3f88b0d3d /modules
parentprofile/acme: default DNS provider is gandi (diff)
downloadworld-4ec55bc970a48ef49763b6b4768da3ed95c71e0d.tar.gz
modules/wireguard: move the module to the right location
Diffstat (limited to 'modules')
-rw-r--r--modules/private-wireguard.nix44
1 files changed, 44 insertions, 0 deletions
diff --git a/modules/private-wireguard.nix b/modules/private-wireguard.nix
new file mode 100644
index 0000000..d4ad676
--- /dev/null
+++ b/modules/private-wireguard.nix
@@ -0,0 +1,44 @@
+{ lib, hostname, config, self, ... }:
+
+let
+  inherit (lib) mkEnableOption mkOption mkIf types;
+  inherit (builtins) readFile fromTOML;
+  secrets = config.age.secrets;
+  cfg = config.networking.private-wireguard;
+  port = 51871;
+  wgcfg = fromTOML (readFile "${self}/configs/wireguard.toml");
+  allPeers = wgcfg.peers;
+  thisPeer = allPeers."${hostname}" or null;
+  otherPeers = lib.filterAttrs (n: v: n != hostname) allPeers;
+in
+{
+  options.networking.private-wireguard = {
+    enable = mkEnableOption "Enable private wireguard vpn connection";
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking = {
+      wireguard.interfaces.wg0 = {
+        listenPort = port;
+        privateKeyFile = secrets."wireguard_privatekey".path;
+        ips = [
+          "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
+        ];
+
+        peers = lib.mapAttrsToList
+          (name: peer:
+            {
+              allowedIPs = [
+                "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
+              ];
+              publicKey = peer.key;
+            } // lib.optionalAttrs (peer ? externalIp) {
+              endpoint = "${peer.externalIp}:${toString port}";
+            } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
+              persistentKeepalive = 10;
+            })
+          otherPeers;
+      };
+    };
+  };
+}