rix101/machines/nixos/x86_64-linux/jeeves/wireguard.nix

112 lines
2.9 KiB
Nix
Raw Normal View History

{ inputs, outputs, lib, pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
# NOTE: key generation
# umask 077
# wg genkey > key
# wg pubkey < key > key.pub
# Server
age.secrets."wireguard.privateKey" = {
mode = "077";
rekeyFile = "${inputs.self}/secrets/home/jeeves/wireguard/key.age";
generator = {
script = { lib, pkgs, file, ... }: /* bash */ ''
priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
echo "$priv"
'';
};
};
# Enable NAT
networking.nat = {
enable = true;
enableIPv6 = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
};
# Open ports in the firewall
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 51820 ];
};
systemd.network = {
netdevs = {
"50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."wireguard.privateKey".path;
ListenPort = 51820;
};
wireguardPeers =
lib.mapAttrsToList
(host: peerConfig: peerConfig)
{
cheetah = {
PublicKey = "CFTGvBcly791ClwyS6PzTjmqztvYJW2eklR7it/QhxI=";
AllowedIPs = [
"10.100.0.2/32"
"0.0.0.0/0"
# "::/0"
];
};
limonka = {
PublicKey = "+x4cKc16KxhW/M3wv64FU1J0AkiLyXT5Oar6I1n1xk4=";
AllowedIPs = [
"10.100.0.3/32"
"0.0.0.0/0"
];
};
peshoDjam = {
PublicKey = "37QEe3Lsq5BTIzxqAh9z7clHYeaOaMH31oqi5YvAPBY=";
AllowedIPs = [
"10.100.0.4/32"
"192.168.1.134/32"
];
};
s42 = {
PublicKey = "pZF6M8TZ1FSBtTwFz4xzlMqwqRScEqgBfqHBk7ddixc=";
AllowedIPs = [
"10.100.0.5/32"
"0.0.0.0/0"
];
};
a41 = {
PublicKey = "/YEBfjDO+CfmYOKg9pO//ZAZQNutAS5z/Ggt2pX2gn0=";
AllowedIPs = [
"10.100.0.6/32"
"0.0.0.0/0"
];
};
t410 = {
PublicKey = "YSTgtHXcvbCwYrnBCNujsTkLy+umVZWLGECtV88NIW0=";
AllowedIPs = [
"10.100.0.7/32"
"0.0.0.0/0"
];
};
};
};
};
networks.wg0 = {
matchConfig.Name = "wg0";
address = [ "10.100.0.1/24" ];
networkConfig = {
IPMasquerade = "ipv4";
IPForward = true;
};
};
};
}