diff options
author | Franck Cuny <franck@fcuny.net> | 2022-06-09 09:40:02 -0700 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2022-06-09 10:59:05 -0700 |
commit | 6d25860b08178432a294197dd72eccaf733016d8 (patch) | |
tree | 47b04f7f14943df3260f788d2ffc6c21dd0914f9 /nix | |
parent | ref(profiles): get rid of all the profiles (diff) | |
download | world-6d25860b08178432a294197dd72eccaf733016d8.tar.gz |
ref(nix): rename lib/ to nix/
Change-Id: If1e608b89b39bd5a53a37b873833a7ea881cb418 Reviewed-on: https://cl.fcuny.net/c/world/+/298 Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to 'nix')
-rw-r--r-- | nix/default.nix | 39 | ||||
-rw-r--r-- | nix/private-wireguard.nix | 41 |
2 files changed, 80 insertions, 0 deletions
diff --git a/nix/default.nix b/nix/default.nix new file mode 100644 index 0000000..8b46c58 --- /dev/null +++ b/nix/default.nix @@ -0,0 +1,39 @@ +{ inputs }: + +{ + mkSystem = + { hostname + , system + }: + inputs.nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = { + inherit inputs system hostname; + }; + modules = [ + ../modules + ../hosts/${hostname} + ./private-wireguard.nix + { + networking.hostName = hostname; + nixpkgs = { + config.allowUnfree = true; + overlays = [ + inputs.emacs-overlay.overlay + inputs.nur.overlay + (final: prev: { + tools = { + gerrit-hook = import ../tools/gerrit-hook final; + }; + }) + ]; + }; + # Add each input as a registry + nix.registry = inputs.nixpkgs.lib.mapAttrs' + (n: v: + inputs.nixpkgs.lib.nameValuePair (n) ({ flake = v; })) + inputs; + } + ]; + }; +} diff --git a/nix/private-wireguard.nix b/nix/private-wireguard.nix new file mode 100644 index 0000000..706dfd8 --- /dev/null +++ b/nix/private-wireguard.nix @@ -0,0 +1,41 @@ +{ lib, hostname, config, ... }: + +let + inherit (lib) mkEnableOption mkOption mkIf types; + inherit (builtins) readFile fromTOML fromJSON; + secrets = config.age.secrets; + cfg = config.networking.private-wireguard; + port = 51871; + wgcfg = fromTOML (readFile ./../configs/wireguard.toml); + allPeers = wgcfg.peers; + thisPeer = allPeers."${hostname}" or null; + otherPeers = lib.filterAttrs (n: v: n != hostname) allPeers; +in { + options.networking.private-wireguard = { + enable = mkEnableOption "Enable private wireguard vpn connection"; + }; + + config = lib.mkIf cfg.enable { + networking = { + wireguard.interfaces.wg0 = { + listenPort = port; + privateKeyFile = secrets."wireguard_privatekey".path; + ips = [ + "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}" + ]; + + peers = lib.mapAttrsToList (name: peer: + { + allowedIPs = [ + "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}" + ]; + publicKey = peer.key; + } // lib.optionalAttrs (peer ? externalIp) { + endpoint = "${peer.externalIp}:${toString port}"; + } // lib.optionalAttrs (!(thisPeer ? externalIp)) { + persistentKeepalive = 10; + }) otherPeers; + }; + }; + }; +} |