NixOS/system/services/wireguard.nix

114 lines
3.1 KiB
Nix
Raw Normal View History

{
config,
lib,
pkgs,
...
}:
2024-06-23 20:01:24 +07:00
let
cfg = config.profile.services.wireguard;
externalInterface = config.profile.networking.externalInterface;
devices = [
{
name = "phone";
ip = "10.100.0.2";
secret = "wireguard/private_keys/phone";
publicKey = "27GSz9iWqtg23sWcwIQI3VglNtE/RWykv+nZUrmHHxA=";
}
{
name = "laptop";
ip = "10.100.0.3";
secret = "wireguard/private_keys/laptop";
publicKey = "5nporvzbJtTQC9Hek8JBJNIF+wGlWUj4En2w9DrvaV0=";
}
];
serverPublicKey = "GDRUvnKUPNzwAloQ5fxvdHoVw4D1YbdCR0GyiOyyB38=";
sopsFile = ../../secrets/wireguard.yaml;
inherit (lib) mkIf mergeAttrsList generators;
in
{
config = mkIf cfg.enable {
sops.secrets = mergeAttrsList (
[
{
"wireguard/private_keys/server" = {
inherit sopsFile;
};
}
]
++ (map (device: {
${device.secret} = {
inherit sopsFile;
};
}) devices)
2024-06-23 20:01:24 +07:00
);
sops.templates =
let
template =
{ privateKey, ip }:
2024-06-23 20:01:24 +07:00
generators.toINI ({ }) {
Interface = {
Address = "${ip}/32";
PrivateKey = privateKey;
DNS = "192.168.100.3";
};
Peer = {
PublicKey = serverPublicKey;
Endpoint = "vpn.tigor.web.id:51820";
AllowedIPs = "0.0.0.0/0, ::/0";
};
};
in
mergeAttrsList (
map (device: {
2024-06-23 20:01:24 +07:00
"wireguard/clients/${device.name}" = {
content = template {
privateKey = config.sops.placeholder.${device.secret};
ip = device.ip;
};
path = "/nas/Syncthing/Sync/WireGuard/${device.name}.conf";
owner = config.profile.user.name;
};
}) devices
2024-06-23 20:01:24 +07:00
);
networking = {
nat = {
enable = true;
inherit externalInterface;
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ 51820 ];
wireguard.interfaces = {
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/16" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
'';
privateKeyFile = config.sops.secrets."wireguard/private_keys/server".path;
peers = map (device: {
publicKey = device.publicKey;
allowedIPs = [ device.ip ];
}) devices;
2024-06-23 20:01:24 +07:00
};
};
};
};
}