rix101/hosts/nixos/x86_64-linux/jeeves/wireguard.nix
reo101 2941536b80
refactor(flake)!: export packages using a flake module
Also stop passing `outputs` around, prefer `inputs.self`
Also put all `auto_` in `readOnly` `internal` options
- `autoModules`, `autoConfigurations` and `autoPackages`
Do not export packages as overlay (causes an infinite recursion)
- this is documented on the two places it has effect on
-- in `./overlays/default.nix` and `./modules/flake/configurations.nix`
-- in `autoConfigurations` we manually extend `pkgs` with the flake packages
Allow packages to say what `systems` they are compatible with
- See `./pkgs/swww/systems.nix` - disabled for all systems
- See `./pkgs/pngpaste/systems.nix` - enabled only for `darwin` targets
2024-07-29 01:54:22 +03:00

111 lines
2.9 KiB
Nix

{ inputs, lib, pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
# NOTE: key generation
# umask 077
# wg genkey > key
# wg pubkey < key > key.pub
# Server
age.secrets."wireguard.privateKey" = {
mode = "077";
rekeyFile = "${inputs.self}/secrets/home/jeeves/wireguard/key.age";
generator = {
script = { lib, pkgs, file, ... }: /* bash */ ''
priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
echo "$priv"
'';
};
};
# Enable NAT
networking.nat = {
enable = true;
enableIPv6 = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
};
# Open ports in the firewall
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 51820 ];
};
systemd.network = {
netdevs = {
"50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."wireguard.privateKey".path;
ListenPort = 51820;
};
wireguardPeers =
lib.mapAttrsToList
(host: peerConfig: peerConfig)
{
cheetah = {
PublicKey = "CFTGvBcly791ClwyS6PzTjmqztvYJW2eklR7it/QhxI=";
AllowedIPs = [
"10.100.0.2/32"
"0.0.0.0/0"
# "::/0"
];
};
limonka = {
PublicKey = "+x4cKc16KxhW/M3wv64FU1J0AkiLyXT5Oar6I1n1xk4=";
AllowedIPs = [
"10.100.0.3/32"
"0.0.0.0/0"
];
};
peshoDjam = {
PublicKey = "37QEe3Lsq5BTIzxqAh9z7clHYeaOaMH31oqi5YvAPBY=";
AllowedIPs = [
"10.100.0.4/32"
"192.168.1.134/32"
];
};
s42 = {
PublicKey = "pZF6M8TZ1FSBtTwFz4xzlMqwqRScEqgBfqHBk7ddixc=";
AllowedIPs = [
"10.100.0.5/32"
"0.0.0.0/0"
];
};
a41 = {
PublicKey = "/YEBfjDO+CfmYOKg9pO//ZAZQNutAS5z/Ggt2pX2gn0=";
AllowedIPs = [
"10.100.0.6/32"
"0.0.0.0/0"
];
};
t410 = {
PublicKey = "YSTgtHXcvbCwYrnBCNujsTkLy+umVZWLGECtV88NIW0=";
AllowedIPs = [
"10.100.0.7/32"
"0.0.0.0/0"
];
};
};
};
};
networks.wg0 = {
matchConfig.Name = "wg0";
address = [ "10.100.0.1/24" ];
networkConfig = {
IPMasquerade = "ipv4";
IPForward = true;
};
};
};
}