authorFranck Cuny <franck@fcuny.net>2022-06-09 09:40:02 -0700
committerFranck Cuny <franck@fcuny.net>2022-06-09 10:59:05 -0700
commit6d25860b08178432a294197dd72eccaf733016d8 (patch)
tree47b04f7f14943df3260f788d2ffc6c21dd0914f9 /nix
parentref(profiles): get rid of all the profiles (diff)
ref(nix): rename lib/ to nix/
Change-Id: If1e608b89b39bd5a53a37b873833a7ea881cb418
Reviewed-on: https://cl.fcuny.net/c/world/+/298
Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to 'nix')
-rw-r--r--nix/default.nix39
-rw-r--r--nix/private-wireguard.nix41
2 files changed, 80 insertions, 0 deletions
diff --git a/nix/default.nix b/nix/default.nix
new file mode 100644
index 0000000..8b46c58
--- /dev/null
+++ b/nix/default.nix
@@ -0,0 +1,39 @@
+{ inputs }:
+
+{
+  mkSystem =
+    { hostname
+    , system
+    }:
+    inputs.nixpkgs.lib.nixosSystem {
+      inherit system;
+      specialArgs = {
+        inherit inputs system hostname;
+      };
+      modules = [
+        ../modules
+        ../hosts/${hostname}
+        ./private-wireguard.nix
+        {
+          networking.hostName = hostname;
+          nixpkgs = {
+            config.allowUnfree = true;
+            overlays = [
+              inputs.emacs-overlay.overlay
+              inputs.nur.overlay
+              (final: prev: {
+                tools = {
+                  gerrit-hook = import ../tools/gerrit-hook final;
+                };
+              })
+            ];
+          };
+          # Add each input as a registry
+          nix.registry = inputs.nixpkgs.lib.mapAttrs'
+            (n: v:
+              inputs.nixpkgs.lib.nameValuePair (n) ({ flake = v; }))
+            inputs;
+        }
+      ];
+    };
+}
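Review bot: mkSystem has no header comment, and the registry block uses `mapAttrs'` with `nameValuePair (n) ({ flake = v; })` even though the attribute names are not changed, so plain `mapAttrs` is the simpler form: `nix.registry = inputs.nixpkgs.lib.mapAttrs (_: flake: { inherit flake; }) inputs;`. A one-line comment above mkSystem such as `# Build a NixOS system for `hostname`: ../modules, ../hosts/<hostname>, the private-wireguard module, overlays and a flake registry pinned to this flake's inputs.` would let a reader skip the body. Note that this pins every entry of `inputs` into the registry (including `self` if flake.nix passes it) and sets `allowUnfree = true` for every host built through mkSystem; both are presumably intended but worth stating in that comment.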
diff --git a/nix/private-wireguard.nix b/nix/private-wireguard.nix
new file mode 100644
index 0000000..706dfd8
--- /dev/null
+++ b/nix/private-wireguard.nix
@@ -0,0 +1,41 @@
+{ lib, hostname, config, ... }:
+
+let
+  inherit (lib) mkEnableOption mkOption mkIf types;
+  inherit (builtins) readFile fromTOML fromJSON;
+  secrets = config.age.secrets;
+  cfg = config.networking.private-wireguard;
+  port = 51871;
+  wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
+  allPeers = wgcfg.peers;
+  thisPeer = allPeers."${hostname}" or null;
+  otherPeers = lib.filterAttrs (n: v: n != hostname) allPeers;
+in {
+  options.networking.private-wireguard = {
+    enable = mkEnableOption "Enable private wireguard vpn connection";
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking = {
+      wireguard.interfaces.wg0 = {
+        listenPort = port;
+        privateKeyFile = secrets."wireguard_privatekey".path;
+        ips = [
+          "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
+        ];
+
+        peers = lib.mapAttrsToList (name: peer:
+          {
+            allowedIPs = [
+              "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
+            ];
+            publicKey = peer.key;
+          } // lib.optionalAttrs (peer ? externalIp) {
+            endpoint = "${peer.externalIp}:${toString port}";
+          } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
+            persistentKeepalive = 10;
+          }) otherPeers;
+      };
+    };
+  };
+}
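Review bot: Each peer's `allowedIPs` is built with `wgcfg.mask4`, and if that value is the subnet prefix length (e.g. 24) rather than 32, WireGuard normalizes `a.b.c.d/24` to the whole network, so every peer claims the same allowed range and cryptokey routing leaves only the last configured peer reachable; a per-host route should be `allowedIPs = [ "${wgcfg.subnet4}.${toString peer.ipv4}/32" ];`, with the `/mask4` form kept only in `ips`. The value of mask4 is not visible here, so confirm it against configs/wireguard.toml before changing it. Separately, `thisPeer` falls back to `null` but `thisPeer.ipv4` and `thisPeer ? externalIp` are then evaluated without a guard, so a host missing from the TOML fails with an opaque "value is null" error rather than a message naming the host; an `assertions` entry checking `thisPeer != null` would make that failure explicit. The unused `mkOption`, `types`, `mkIf` and `fromJSON` bindings in the `let` can also be dropped.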