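{ inputs, outputs, lib, pkgs, config, ... }:

# WireGuard "server" side of the wg0 tunnel: the private key comes from an
# age secret (agenix-rekey generator below), the interface is managed by
# systemd-networkd, and peer traffic is masqueraded to IPv4 (IPForward).
{
  environment.systemPackages = with pkgs; [
    wireguard-tools
  ];

  # NOTE: key generation
  # umask 077
  # wg genkey > key
  # wg pubkey < key > key.pub

  # Server
  age.secrets."wireguard.privateKey" = {
    # The decrypted key is read by systemd-networkd, which runs as the
    # `systemd-network` user, so it must be readable by that group and by
    # nobody else (see PrivateKeyFile= in systemd.netdev(5)).  The previous
    # value "077" granted read/write/execute to group and others and nothing
    # to the owner -- the inverse of the `umask 077` used for manual key
    # generation above -- which left the private key readable by every
    # local user.
    owner = "root";
    group = "systemd-network";
    mode = "0640";
    rekeyFile = "${inputs.self}/secrets/home/jeeves/wireguard/key.age";
    generator = {
      # Generates a fresh private key, writes the matching public key next to
      # the .age file (same name, ".pub" suffix) and prints the private key on
      # stdout for agenix-rekey to encrypt.
      script = { lib, pkgs, file, ... }: ''
        priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
        ${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
        echo "$priv"
      '';
    };
  };

  networking.firewall.allowedUDPPorts = [ 51820 ];

  systemd.network = {
    netdevs = {
      "50-wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
          MTUBytes = "1300";
        };
        wireguardConfig = {
          PrivateKeyFile = config.age.secrets."wireguard.privateKey".path;
          ListenPort = 51820;
        };
        # On this side AllowedIPs is the cryptokey-routing table: the source
        # addresses a peer may send from, and the destinations routed to it.
        # Prefixes must be disjoint across peers.  "0.0.0.0/0" was previously
        # listed for several peers; WireGuard resolves such overlaps by
        # handing the prefix to whichever peer was configured last, and a
        # peer holding it may inject packets with any source address into the
        # IPForward/IPMasquerade path.  Each peer is therefore limited to its
        # tunnel address plus the LAN addresses it is known to route from.
        # "0.0.0.0/0" belongs in the peers' own (client-side) configs.
        wireguardPeers =
          lib.mapAttrsToList
            (host: peerConfig: {
              wireguardPeerConfig = peerConfig;
            })
            {
              cheetah = {
                PublicKey = "CFTGvBcly791ClwyS6PzTjmqztvYJW2eklR7it/QhxI=";
                AllowedIPs = [
                  "10.100.0.2/32"
                  # "::/0"
                ];
              };
              limonka = {
                PublicKey = "+x4cKc16KxhW/M3wv64FU1J0AkiLyXT5Oar6I1n1xk4=";
                AllowedIPs = [
                  "10.100.0.3/32"
                  "192.168.1.123/32"
                ];
              };
              peshoDjam = {
                PublicKey = "37QEe3Lsq5BTIzxqAh9z7clHYeaOaMH31oqi5YvAPBY=";
                AllowedIPs = [
                  "10.100.0.4/32"
                  "192.168.1.134/32"
                ];
              };
              s42 = {
                PublicKey = "pZF6M8TZ1FSBtTwFz4xzlMqwqRScEqgBfqHBk7ddixc=";
                AllowedIPs = [
                  "10.100.0.5/32"
                ];
              };
            };
      };
    };

    networks.wg0 = {
      matchConfig.Name = "wg0";
      # Server holds .1 of the tunnel subnet; peers use .2-.5 above.
      address = [ "10.100.0.1/24" ];
      networkConfig = {
        # Peers reach the outside world via this host's IPv4 address.
        IPMasquerade = "ipv4";
        IPForward = true;
      };
    };
  };
}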