NixOS/system/services/wireguard.nix

{ config, lib, pkgs, ... }:
let
  cfg = config.profile.services.wireguard;
  externalInterface = config.profile.networking.externalInterface;
  devices = [
    {
      name = "phone";
      ip = "10.100.0.2";
      secret = "wireguard/private_keys/phone";
      publicKey = "27GSz9iWqtg23sWcwIQI3VglNtE/RWykv+nZUrmHHxA=";
    }
    {
      name = "laptop";
      ip = "10.100.0.3";
      secret = "wireguard/private_keys/laptop";
      publicKey = "5nporvzbJtTQC9Hek8JBJNIF+wGlWUj4En2w9DrvaV0=";
    }
  ];
  serverPublicKey = "GDRUvnKUPNzwAloQ5fxvdHoVw4D1YbdCR0GyiOyyB38=";
  sopsFile = ../../secrets/wireguard.yaml;
  inherit (lib) mkIf mergeAttrsList generators;
in
{
  config = mkIf cfg.enable {
    sops.secrets = mergeAttrsList ([
      {
        "wireguard/private_keys/server" = { inherit sopsFile; };
      }
    ] ++
    (map (device: { ${device.secret} = { inherit sopsFile; }; }) devices)
    );

    sops.templates =
      let
        template = { privateKey, ip }:
          # ''
          #   [Interface]
          #   Address = ${ip}/32
          #   PrivateKey = ${privateKey}
          #   DNS = 192.168.100.3
          #
          #   [Peer]
          #   PublicKey = ${serverPublicKey}
          #   Endpoint = vpn.tigor.web.id:51820
          #   AllowedIPs = 0.0.0.0/0, ::/0
          # '';
          generators.toINI ({ }) {
            Interface = {
              Address = "${ip}/32";
              PrivateKey = privateKey;
              DNS = "192.168.100.3";
            };

            Peer = {
              PublicKey = serverPublicKey;
              Endpoint = "vpn.tigor.web.id:51820";
              AllowedIPs = "0.0.0.0/0, ::/0";
            };
          };
      in
      mergeAttrsList (map
        (device: {
          "wireguard/clients/${device.name}" = {
            content = template {
              privateKey = config.sops.placeholder.${device.secret};
              ip = device.ip;
            };
            path = "/nas/Syncthing/Sync/WireGuard/${device.name}.conf";
            owner = config.profile.user.name;
          };
        })
        devices
      );

    networking = {
      nat = {
        enable = true;
        inherit externalInterface;
        internalInterfaces = [ "wg0" ];
      };
      firewall.allowedUDPPorts = [ 51820 ];

      wireguard.interfaces = {
        wg0 = {
          # Determines the IP address and subnet of the server's end of the tunnel interface.
          ips = [ "10.100.0.1/16" ];

          # The port that WireGuard listens to. Must be accessible by the client.
          listenPort = 51820;

          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
          postSetup = ''
            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
          '';

          # This undoes the above command
          postShutdown = ''
            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
          '';

          privateKeyFile = config.sops.secrets."wireguard/private_keys/server".path;

          peers = map
            (device: {
              publicKey = device.publicKey;
              allowedIPs = [ device.ip ];
            })
            devices;
        };
      };
    };
  };
}