2024-10-21 12:31:30 +07:00
|
|
|
{
|
|
|
|
config,
|
|
|
|
lib,
|
|
|
|
pkgs,
|
|
|
|
...
|
|
|
|
}:
|
2024-06-23 20:01:24 +07:00
|
|
|
let
|
|
|
|
cfg = config.profile.services.wireguard;
|
|
|
|
externalInterface = config.profile.networking.externalInterface;
|
|
|
|
devices = [
|
|
|
|
{
|
|
|
|
name = "phone";
|
|
|
|
ip = "10.100.0.2";
|
|
|
|
secret = "wireguard/private_keys/phone";
|
|
|
|
publicKey = "27GSz9iWqtg23sWcwIQI3VglNtE/RWykv+nZUrmHHxA=";
|
|
|
|
}
|
|
|
|
{
|
|
|
|
name = "laptop";
|
|
|
|
ip = "10.100.0.3";
|
|
|
|
secret = "wireguard/private_keys/laptop";
|
|
|
|
publicKey = "5nporvzbJtTQC9Hek8JBJNIF+wGlWUj4En2w9DrvaV0=";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
serverPublicKey = "GDRUvnKUPNzwAloQ5fxvdHoVw4D1YbdCR0GyiOyyB38=";
|
|
|
|
sopsFile = ../../secrets/wireguard.yaml;
|
|
|
|
inherit (lib) mkIf mergeAttrsList generators;
|
|
|
|
in
|
|
|
|
{
|
|
|
|
config = mkIf cfg.enable {
|
2024-10-21 12:31:30 +07:00
|
|
|
sops.secrets = mergeAttrsList (
|
|
|
|
[
|
|
|
|
{
|
|
|
|
"wireguard/private_keys/server" = {
|
|
|
|
inherit sopsFile;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
]
|
|
|
|
++ (map (device: {
|
|
|
|
${device.secret} = {
|
|
|
|
inherit sopsFile;
|
|
|
|
};
|
|
|
|
}) devices)
|
2024-06-23 20:01:24 +07:00
|
|
|
);
|
|
|
|
|
|
|
|
sops.templates =
|
|
|
|
let
|
2024-10-21 12:31:30 +07:00
|
|
|
template =
|
|
|
|
{ privateKey, ip }:
|
2024-06-23 20:01:24 +07:00
|
|
|
generators.toINI ({ }) {
|
|
|
|
Interface = {
|
|
|
|
Address = "${ip}/32";
|
|
|
|
PrivateKey = privateKey;
|
|
|
|
DNS = "192.168.100.3";
|
|
|
|
};
|
|
|
|
|
|
|
|
Peer = {
|
|
|
|
PublicKey = serverPublicKey;
|
|
|
|
Endpoint = "vpn.tigor.web.id:51820";
|
|
|
|
AllowedIPs = "0.0.0.0/0, ::/0";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
in
|
2024-10-21 12:31:30 +07:00
|
|
|
mergeAttrsList (
|
|
|
|
map (device: {
|
2024-06-23 20:01:24 +07:00
|
|
|
"wireguard/clients/${device.name}" = {
|
|
|
|
content = template {
|
|
|
|
privateKey = config.sops.placeholder.${device.secret};
|
|
|
|
ip = device.ip;
|
|
|
|
};
|
|
|
|
path = "/nas/Syncthing/Sync/WireGuard/${device.name}.conf";
|
|
|
|
owner = config.profile.user.name;
|
|
|
|
};
|
2024-10-21 12:31:30 +07:00
|
|
|
}) devices
|
2024-06-23 20:01:24 +07:00
|
|
|
);
|
|
|
|
|
|
|
|
networking = {
|
|
|
|
nat = {
|
|
|
|
enable = true;
|
|
|
|
inherit externalInterface;
|
|
|
|
internalInterfaces = [ "wg0" ];
|
|
|
|
};
|
|
|
|
firewall.allowedUDPPorts = [ 51820 ];
|
|
|
|
|
|
|
|
wireguard.interfaces = {
|
|
|
|
wg0 = {
|
|
|
|
# Determines the IP address and subnet of the server's end of the tunnel interface.
|
|
|
|
ips = [ "10.100.0.1/16" ];
|
|
|
|
|
|
|
|
# The port that WireGuard listens to. Must be accessible by the client.
|
|
|
|
listenPort = 51820;
|
|
|
|
|
|
|
|
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
|
|
|
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
|
|
|
|
postSetup = ''
|
|
|
|
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
|
|
|
|
'';
|
|
|
|
|
|
|
|
# This undoes the above command
|
|
|
|
postShutdown = ''
|
|
|
|
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
|
|
|
|
'';
|
|
|
|
|
|
|
|
privateKeyFile = config.sops.secrets."wireguard/private_keys/server".path;
|
|
|
|
|
2024-10-21 12:31:30 +07:00
|
|
|
peers = map (device: {
|
|
|
|
publicKey = device.publicKey;
|
|
|
|
allowedIPs = [ device.ip ];
|
|
|
|
}) devices;
|
2024-06-23 20:01:24 +07:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|