115 lines
3.4 KiB
Nix
115 lines
3.4 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.profile.services.wireguard;
|
|
externalInterface = config.profile.networking.externalInterface;
|
|
devices = [
|
|
{
|
|
name = "phone";
|
|
ip = "10.100.0.2";
|
|
secret = "wireguard/private_keys/phone";
|
|
publicKey = "27GSz9iWqtg23sWcwIQI3VglNtE/RWykv+nZUrmHHxA=";
|
|
}
|
|
{
|
|
name = "laptop";
|
|
ip = "10.100.0.3";
|
|
secret = "wireguard/private_keys/laptop";
|
|
publicKey = "5nporvzbJtTQC9Hek8JBJNIF+wGlWUj4En2w9DrvaV0=";
|
|
}
|
|
];
|
|
serverPublicKey = "GDRUvnKUPNzwAloQ5fxvdHoVw4D1YbdCR0GyiOyyB38=";
|
|
sopsFile = ../../secrets/wireguard.yaml;
|
|
inherit (lib) mkIf mergeAttrsList generators;
|
|
in
|
|
{
|
|
config = mkIf cfg.enable {
|
|
sops.secrets = mergeAttrsList ([
|
|
{
|
|
"wireguard/private_keys/server" = { inherit sopsFile; };
|
|
}
|
|
] ++
|
|
(map (device: { ${device.secret} = { inherit sopsFile; }; }) devices)
|
|
);
|
|
|
|
sops.templates =
|
|
let
|
|
template = { privateKey, ip }:
|
|
# ''
|
|
# [Interface]
|
|
# Address = ${ip}/32
|
|
# PrivateKey = ${privateKey}
|
|
# DNS = 192.168.100.3
|
|
#
|
|
# [Peer]
|
|
# PublicKey = ${serverPublicKey}
|
|
# Endpoint = vpn.tigor.web.id:51820
|
|
# AllowedIPs = 0.0.0.0/0, ::/0
|
|
# '';
|
|
generators.toINI ({ }) {
|
|
Interface = {
|
|
Address = "${ip}/32";
|
|
PrivateKey = privateKey;
|
|
DNS = "192.168.100.3";
|
|
};
|
|
|
|
Peer = {
|
|
PublicKey = serverPublicKey;
|
|
Endpoint = "vpn.tigor.web.id:51820";
|
|
AllowedIPs = "0.0.0.0/0, ::/0";
|
|
};
|
|
};
|
|
in
|
|
mergeAttrsList (map
|
|
(device: {
|
|
"wireguard/clients/${device.name}" = {
|
|
content = template {
|
|
privateKey = config.sops.placeholder.${device.secret};
|
|
ip = device.ip;
|
|
};
|
|
path = "/nas/Syncthing/Sync/WireGuard/${device.name}.conf";
|
|
owner = config.profile.user.name;
|
|
};
|
|
})
|
|
devices
|
|
);
|
|
|
|
networking = {
|
|
nat = {
|
|
enable = true;
|
|
inherit externalInterface;
|
|
internalInterfaces = [ "wg0" ];
|
|
};
|
|
firewall.allowedUDPPorts = [ 51820 ];
|
|
|
|
wireguard.interfaces = {
|
|
wg0 = {
|
|
# Determines the IP address and subnet of the server's end of the tunnel interface.
|
|
ips = [ "10.100.0.1/16" ];
|
|
|
|
# The port that WireGuard listens to. Must be accessible by the client.
|
|
listenPort = 51820;
|
|
|
|
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
|
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
|
|
postSetup = ''
|
|
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
|
|
'';
|
|
|
|
# This undoes the above command
|
|
postShutdown = ''
|
|
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE
|
|
'';
|
|
|
|
privateKeyFile = config.sops.secrets."wireguard/private_keys/server".path;
|
|
|
|
peers = map
|
|
(device: {
|
|
publicKey = device.publicKey;
|
|
allowedIPs = [ device.ip ];
|
|
})
|
|
devices;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|