-rw-r--r--configs/wireguard.toml15
-rw-r--r--docs/wireguard.org21
-rw-r--r--hosts/aptos/default.nix1
-rw-r--r--lib/default.nix1
-rw-r--r--lib/private-wireguard.nix44
5 files changed, 82 insertions, 0 deletions
diff --git a/configs/wireguard.toml b/configs/wireguard.toml
new file mode 100644
index 0000000..0012ba9
--- /dev/null
+++ b/configs/wireguard.toml
@@ -0,0 +1,15 @@
+mask4 = 32
+subnet4 = "192.168.6"
+
+[peers.aptos]
+ipv4 = 110
+key = "DP3caAlh07OOU61u2L2QfEhakt/mVEGrMBVONNvpNhU="
+
+[peers.nas]
+ipv4 = 10
+key = "SFlgoY+fQDUnI2D6Xp3JhqFKWsZABqahCv8IgKPWizA="
+
+[peers.rtr]
+ipv4= 1
+key = "P4gxkIoQ9Ep6QqfTquJYbBkMPDJQkVE9v1eYh/uJwG8="
+
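Review bot: `ipv4= 1` under `[peers.rtr]` drops the space before `=` that the `aptos` and `nas` tables use; `ipv4 = 1` keeps the three peer tables formatted alike. The file otherwise carries only public keys and host-local addresses, so nothing here needs to move into secrets.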
diff --git a/docs/wireguard.org b/docs/wireguard.org
new file mode 100644
index 0000000..154c159
--- /dev/null
+++ b/docs/wireguard.org
@@ -0,0 +1,21 @@
+#+TITLE: Configuration for wireguard
+
+* Creating the keys
+We need a key for the host:
+#+begin_src sh
+(umask 0077; wg genkey > peer_A.key)
+#+end_src
+
+Next we create the public key:
+#+begin_src sh
+wg pubkey < peer_A.key > peer_A.pub
+#+end_src
+
+Now we need to add the private key to the list of secrets:
+#+begin_src sh
+nix run github:ryantm/agenix -- -e secrets/network/<host name>/wireguard_privatekey.age
+#+end_src
+
+Once this is done, update [[file:~/workspace/world/configs/wireguard.toml][wireguard.toml]] to add the new peer with the public key.
+
+Once this is completed, we can delete the files =peer_A.key= and =peer_A.pub=.
diff --git a/hosts/aptos/default.nix b/hosts/aptos/default.nix
index 64da2a5..1e79543 100644
--- a/hosts/aptos/default.nix
+++ b/hosts/aptos/default.nix
@@ -32,6 +32,7 @@
   };
 
   networking.wireless.iwd.enable = true;
+  networking.private-wireguard.enable = true;
 
   services.thermald.enable = true;
 
diff --git a/lib/default.nix b/lib/default.nix
index c2866c9..fe43eb1 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -14,6 +14,7 @@
         inputs.agenix.nixosModules.age
         ../hosts/common
         ../hosts/${hostname}
+        ./private-wireguard.nix
         {
           networking.hostName = hostname;
           nixpkgs = {
diff --git a/lib/private-wireguard.nix b/lib/private-wireguard.nix
new file mode 100644
index 0000000..e063f39
--- /dev/null
+++ b/lib/private-wireguard.nix
@@ -0,0 +1,44 @@
+{ lib, hostname, config, ... }:
+
+let
+  inherit (lib) mkEnableOption mkOption mkIf types;
+  inherit (builtins) readFile fromTOML fromJSON;
+
+  cfg = config.networking.private-wireguard;
+  port = 51871;
+  wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
+  allPeers = wgcfg.peers;
+  thisPeer = allPeers."${hostname}" or null;
+  otherPeers = lib.filterAttrs (n: v: n != hostname) allPeers;
+in {
+  options.networking.private-wireguard = {
+    enable = mkEnableOption "Enable private wireguard vpn connection";
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking = let
+      age.secrets.wg-net.file = ../secrets/network/hostname/wireguard_privatekey.age;
+    in {
+      wireguard.interfaces.wg0 = {
+        listenPort = port;
+        privateKeyFile = "/run/agenix/wireguard_privatekey";
+        ips = [
+          "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
+        ];
+
+        peers = lib.mapAttrsToList
+          (name: peer: {
+            allowedIPs = [
+              "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
+            ];
+            publicKey = peer.key;
+          } // lib.optionalAttrs (peer ? externalIp) {
+            endpoint = "${peer.externalIp}:${toString port}";
+          } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
+            persistentKeepalive = 10;
+          })
+          otherPeers;
+      };
+    };
+  };
+}
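Review bot: The agenix secret on the line `age.secrets.wg-net.file = ../secrets/network/hostname/wireguard_privatekey.age;` is a `let` binding that nothing in the following attrset references, so the secret is never declared to agenix and `/run/agenix/wireguard_privatekey` will not exist at boot; the binding also names the secret `wg-net` while `privateKeyFile` expects `wireguard_privatekey`, and `hostname` in that path is a literal directory component rather than the module argument. I would drop the `let … in` around `networking` and declare the secret beside it in `config`: `age.secrets.wireguard_privatekey.file = ../secrets/network/${hostname}/wireguard_privatekey.age;`, which also matches the `secrets/network/<host name>/wireguard_privatekey.age` path the new docs describe. Separately, the TOML added in this commit defines no `externalIp` for any peer, so every generated peer entry has `persistentKeepalive` but no `endpoint`, leaving no host with an address to initiate the handshake to — presumably at least one peer needs an `externalIp` in `configs/wireguard.toml`. `thisPeer` falls back to `null` for a host absent from the TOML, and `thisPeer.ipv4` then fails with an opaque attribute error; an `assert thisPeer != null;` with a message naming `hostname` would make that failure clear. The unused `fromJSON`, `mkOption` and `mkIf` bindings in the `let` can be dropped, since `lib.mkIf` is used fully qualified.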