author | Franck Cuny <franck@fcuny.net> | 2023-05-08 19:33:35 -0700 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2023-05-08 19:33:35 -0700 |
commit | 4ec55bc970a48ef49763b6b4768da3ed95c71e0d (patch) | |
tree | ec7d019b2378d1127e41b76e2e3061e3f88b0d3d /modules | |
parent | profile/acme: default DNS provider is gandi (diff) | |
download | world-4ec55bc970a48ef49763b6b4768da3ed95c71e0d.tar.gz |
modules/wireguard: move the module to the right location
Diffstat (limited to 'modules')
-rw-r--r-- | modules/private-wireguard.nix | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/modules/private-wireguard.nix b/modules/private-wireguard.nix
new file mode 100644
index 0000000..d4ad676
--- /dev/null
+++ b/modules/private-wireguard.nix
@@ -0,0 +1,44 @@
+{ lib, hostname, config, self, ... }:
+
+let
+ inherit (lib) mkEnableOption mkOption mkIf types;
+ inherit (builtins) readFile fromTOML;
+ secrets = config.age.secrets;
+ cfg = config.networking.private-wireguard;
+ port = 51871;
+ wgcfg = fromTOML (readFile "${self}/configs/wireguard.toml");
+ allPeers = wgcfg.peers;
+ thisPeer = allPeers."${hostname}" or null;
+ otherPeers = lib.filterAttrs (n: v: n != hostname) allPeers;
+in
+{
+ options.networking.private-wireguard = {
+ enable = mkEnableOption "Enable private wireguard vpn connection";
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking = {
+ wireguard.interfaces.wg0 = {
+ listenPort = port;
+ privateKeyFile = secrets."wireguard_privatekey".path;
+ ips = [
+ "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
+ ];
+
+ peers = lib.mapAttrsToList
+ (name: peer:
+ {
+ allowedIPs = [
+ "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
+ ];
+ publicKey = peer.key;
+ } // lib.optionalAttrs (peer ? externalIp) {
+ endpoint = "${peer.externalIp}:${toString port}";
+ } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
+ persistentKeepalive = 10;
+ })
+ otherPeers;
+ };
+ };
+ };
+} |
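Review bot: Each peer's `allowedIPs` is built with `wgcfg.mask4`, the same prefix length that `ips` uses for the interface address; if `mask4` is the subnet prefix rather than 32, every peer claims the whole subnet and WireGuard's cryptokey routing will send all subnet traffic to whichever peer was added last, so the peer entry should be a host route: `"${wgcfg.subnet4}.${toString peer.ipv4}/32"`. `thisPeer` falls back to `null` when the host is missing from `configs/wireguard.toml`, but `thisPeer.ipv4` in `ips` is then evaluated anyway and fails with an opaque "value is null" error; an `assertions` entry under `config` checking `thisPeer != null` with a message naming the hostname and the TOML file would make the misconfiguration obvious. The inherited `mkOption`, `mkIf` and `types` are unused (the code calls `lib.mkIf` directly), so the inherit line can be trimmed to `inherit (lib) mkEnableOption;` or `mkIf` used consistently. Presumably the firewall is handled elsewhere, but nothing here opens UDP `port` for peers that publish an `externalIp`; if `networking.firewall` is on for those hosts, `networking.firewall.allowedUDPPorts = [ port ];` belongs in this module.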