NixOS/system/services/wireguard.nix

{ config, lib, pkgs, ... }:
let
  cfg = config.profile.services.wireguard;
  externalInterface = config.profile.networking.externalInterface;
  devices = [
    {
      name = "phone";
      ip = "10.100.0.2";
      secret = "wireguard/private_keys/phone";
      publicKey = "27GSz9iWqtg23sWcwIQI3VglNtE/RWykv+nZUrmHHxA=";
    }
    {
      name = "laptop";
      ip = "10.100.0.3";
      secret = "wireguard/private_keys/laptop";
      publicKey = "5nporvzbJtTQC9Hek8JBJNIF+wGlWUj4En2w9DrvaV0=";
    }
  ];
  serverPublicKey = "GDRUvnKUPNzwAloQ5fxvdHoVw4D1YbdCR0GyiOyyB38=";
  sopsFile = ../../secrets/wireguard.yaml;
  inherit (lib) mkIf mergeAttrsList generators;
in
{
  config = mkIf cfg.enable {
    sops.secrets = mergeAttrsList ([
      {
        "wireguard/private_keys/server" = { inherit sopsFile; };
      }
    ] ++
    (map (device: { ${device.secret} = { inherit sopsFile; }; }) devices)
    );

    sops.templates =
      let
        template = { privateKey, ip }:
          generators.toINI ({ }) {
            Interface = {
              Address = "${ip}/32";
              PrivateKey = privateKey;
              DNS = "192.168.100.3";
            };

            Peer = {
              PublicKey = serverPublicKey;
              Endpoint = "vpn.tigor.web.id:51820";
              AllowedIPs = "0.0.0.0/0, ::/0";
            };
          };
      in
      mergeAttrsList (map
        (device: {
          "wireguard/clients/${device.name}" = {
            content = template {
              privateKey = config.sops.placeholder.${device.secret};
              ip = device.ip;
            };
            path = "/nas/Syncthing/Sync/WireGuard/${device.name}.conf";
            owner = config.profile.user.name;
          };
        })
        devices
      );

    networking = {
      nat = {
        enable = true;
        inherit externalInterface;
        internalInterfaces = [ "wg0" ];
      };
      firewall.allowedUDPPorts = [ 51820 ];

      wireguard.interfaces = {
        wg0 = {
          # Determines the IP address and subnet of the server's end of the tunnel interface.
          ips = [ "10.100.0.1/16" ];

          # The port that WireGuard listens to. Must be accessible by the client.
          listenPort = 51820;

          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
          postSetup = ''
            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
          '';

          # This undoes the above command
          postShutdown = ''
            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
          '';

          privateKeyFile = config.sops.secrets."wireguard/private_keys/server".path;

          peers = map
            (device: {
              publicKey = device.publicKey;
              allowedIPs = [ device.ip ];
            })
            devices;
        };
      };
    };
  };
}
wireguard: added configuration 2024-06-23 20:01:24 +07:00			`{ config, lib, pkgs, ... }:`
			`let`
			`cfg = config.profile.services.wireguard;`
			`externalInterface = config.profile.networking.externalInterface;`
			`devices = [`
			`{`
			`name = "phone";`
			`ip = "10.100.0.2";`
			`secret = "wireguard/private_keys/phone";`
			`publicKey = "27GSz9iWqtg23sWcwIQI3VglNtE/RWykv+nZUrmHHxA=";`
			`}`
			`{`
			`name = "laptop";`
			`ip = "10.100.0.3";`
			`secret = "wireguard/private_keys/laptop";`
			`publicKey = "5nporvzbJtTQC9Hek8JBJNIF+wGlWUj4En2w9DrvaV0=";`
			`}`
			`];`
			`serverPublicKey = "GDRUvnKUPNzwAloQ5fxvdHoVw4D1YbdCR0GyiOyyB38=";`
			`sopsFile = ../../secrets/wireguard.yaml;`
			`inherit (lib) mkIf mergeAttrsList generators;`
			`in`
			`{`
			`config = mkIf cfg.enable {`
			`sops.secrets = mergeAttrsList ([`
			`{`
			`"wireguard/private_keys/server" = { inherit sopsFile; };`
			`}`
			`] ++`
			`(map (device: { ${device.secret} = { inherit sopsFile; }; }) devices)`
			`);`

			`sops.templates =`
			`let`
			`template = { privateKey, ip }:`
			`generators.toINI ({ }) {`
			`Interface = {`
			`Address = "${ip}/32";`
			`PrivateKey = privateKey;`
			`DNS = "192.168.100.3";`
			`};`

			`Peer = {`
			`PublicKey = serverPublicKey;`
			`Endpoint = "vpn.tigor.web.id:51820";`
			`AllowedIPs = "0.0.0.0/0, ::/0";`
			`};`
			`};`
			`in`
			`mergeAttrsList (map`
			`(device: {`
			`"wireguard/clients/${device.name}" = {`
			`content = template {`
			`privateKey = config.sops.placeholder.${device.secret};`
			`ip = device.ip;`
			`};`
			`path = "/nas/Syncthing/Sync/WireGuard/${device.name}.conf";`
			`owner = config.profile.user.name;`
			`};`
			`})`
			`devices`
			`);`

			`networking = {`
			`nat = {`
			`enable = true;`
			`inherit externalInterface;`
			`internalInterfaces = [ "wg0" ];`
			`};`
			`firewall.allowedUDPPorts = [ 51820 ];`

			`wireguard.interfaces = {`
			`wg0 = {`
			`# Determines the IP address and subnet of the server's end of the tunnel interface.`
			`ips = [ "10.100.0.1/16" ];`

			`# The port that WireGuard listens to. Must be accessible by the client.`
			`listenPort = 51820;`

			`# This allows the wireguard server to route your traffic to the internet and hence be like a VPN`
			`# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients`
			`postSetup = ''`
			`${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE`
			`'';`

			`# This undoes the above command`
			`postShutdown = ''`
			`${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE`
			`'';`

			`privateKeyFile = config.sops.secrets."wireguard/private_keys/server".path;`

			`peers = map`
			`(device: {`
			`publicKey = device.publicKey;`
			`allowedIPs = [ device.ip ];`
			`})`
			`devices;`
			`};`
			`};`
			`};`
			`};`
			`}`