
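{ inputs, outputs, lib, pkgs, config, ... }:
# WireGuard hub ("server") for jeeves: listens on UDP 51820, owns 10.100.0.1/24
# on wg0 and masquerades the peers' IPv4 traffic out through this host.
{
  environment.systemPackages = with pkgs; [
    wireguard-tools
  ];

  # NOTE: manual key generation (the agenix generator below does the same):
  #   umask 077
  #   wg genkey > private
  #   wg pubkey < private > public

  # Hub private key, managed by agenix (rekeyed from the .age file below).
  age.secrets."wireguard.private" = {
    # The key is consumed by systemd-networkd via PrivateKeyFile (see the
    # netdev below), which on NixOS runs as the `systemd-network` user, so the
    # file must be readable by that group and by nobody else.
    #
    # Fix: the previous value "077" is passed to chmod and means octal 0077 --
    # no bits for the owner, rwx for group AND others -- i.e. the private key
    # was readable by every local user (it only "worked" because networkd could
    # read it as "other"). 0440 root:systemd-network is the least privilege that
    # still lets networkd load it. Confirm the service user on this host if a
    # non-default networkd setup is in use.
    mode = "0440";
    owner = "root";
    group = "systemd-network";
    rekeyFile = "${inputs.self}/secrets/home/jeeves/wireguard/private.age";
    generator = {
      # Prints the fresh private key on stdout (agenix stores it) and writes the
      # matching public key next to the .age file as <name>.pub.
      script = { lib, pkgs, file, ... }: ''
        priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
        ${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
        echo "$priv"
      '';
    };
  };

  # Only the WireGuard listen port is opened; nothing else on this host is
  # exposed by this module.
  networking.firewall.allowedUDPPorts = [ 51820 ];

  systemd.network = {
    netdevs = {
      "50-wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
          # Conservative MTU leaving headroom for WireGuard's encapsulation.
          MTUBytes = "1300";
        };
        wireguardConfig = {
          PrivateKeyFile = config.age.secrets."wireguard.private".path;
          ListenPort = 51820;
        };

        # Cryptokey routing table.
        #
        # NOTE(review): every peer below is given AllowedIPs = 0.0.0.0/0. On the
        # hub side this is wrong in two ways:
        #   - it disables source filtering: any peer may send packets with any
        #     source address, and IPMasquerade below NATs them out as jeeves;
        #   - WireGuard keeps a single cryptokey routing table, and an
        #     AllowedIPs entry that overlaps an earlier peer's is MOVED to the
        #     later peer. With three 0.0.0.0/0 entries only the last peer (s42)
        #     is routable from the hub; replies meant for cheetah or limonka
        #     are sent to s42.
        # Each peer's AllowedIPs should be its own /32 inside 10.100.0.0/24
        # (plus any LAN it routes for, e.g. the commented 192.168.1.0/24 on
        # limonka). 0.0.0.0/0 belongs only in the *client* configs that point
        # at this hub. The per-peer addresses are not recorded in this file, so
        # the values are left unchanged here rather than guessed.
        wireguardPeers = [
          {
            # cheetah
            wireguardPeerConfig = {
              PublicKey = "CFTGvBcly791ClwyS6PzTjmqztvYJW2eklR7it/QhxI=";
              AllowedIPs = [
                "0.0.0.0/0"
                # "::/0"
              ];
            };
          }
          {
            # limonka
            wireguardPeerConfig = {
              PublicKey = "+x4cKc16KxhW/M3wv64FU1J0AkiLyXT5Oar6I1n1xk4=";
              AllowedIPs = [
                "0.0.0.0/0"
                # "192.168.1.0/24"
              ];
            };
          }
          {
            # s42
            wireguardPeerConfig = {
              PublicKey = "pZF6M8TZ1FSBtTwFz4xzlMqwqRScEqgBfqHBk7ddixc=";
              AllowedIPs = [
                "0.0.0.0/0"
              ];
            };
          }
        ];
      };
    };

    networks.wg0 = {
      matchConfig.Name = "wg0";
      address = [ "10.100.0.1/24" ];
      networkConfig = {
        # Masquerade the peers' IPv4 traffic leaving via this host's uplink;
        # this requires forwarding to be enabled.
        # NOTE(review): systemd >= 256 deprecates IPForward= in favour of
        # IPv4Forwarding=; switch if networkd starts warning on this host.
        IPMasquerade = "ipv4";
        IPForward = true;
      };
    };
  };
}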