1 files changed, 89 insertions, 7 deletions

diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index 67bd8d5..d96fc9e 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
@@ -1,18 +1,100 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }: let
-  inherit (lib) mkEnableOption mkIf;
-  cnf = config.cynerd.wireguard;
+  inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
+  inherit (config.networking) hostName;
+  endpoints = {
+    "lipwig" = "cynerd.cz";
+    "spt-omnia" = "spt.cynerd.cz";
+    "adm-omnia" = "adm.cynerd.cz";
+  };
+  is_endpoint = endpoints ? "${hostName}";
 in {
   options = {
-    cynerd.wireguard = {
-      enable = mkEnableOption "Enable Wireguard";
-    };
+    cynerd.wireguard = mkEnableOption "Enable Wireguard";
   };
 
-  config =
-    mkIf cnf.enable {
+  config = mkIf config.cynerd.wireguard {
+    environment.systemPackages = [pkgs.wireguard-tools];
+    systemd.network = {
+      netdevs."wg" = {
+        netdevConfig = {
+          Name = "wg";
+          Kind = "wireguard";
+          Description = "Personal Wireguard tunnel";
+          MTUBytes = "1300";
+        };
+        wireguardConfig = {
+          ListenPort = 51820;
+          PrivateKeyFile = "/run/secrets/wg.key";
+        };
+        wireguardPeers =
+          [
+            {
+              wireguardPeerConfig =
+                {
+                  Endpoint = "${endpoints.lipwig}:51820";
+                  AllowedIPs = ["0.0.0.0/0"];
+                  PublicKey = config.secrets.wireguardPubs.lipwig;
+                }
+                // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+            }
+            {
+              wireguardPeerConfig =
+                {
+                  Endpoint = "${endpoints.spt-omnia}:51820";
+                  AllowedIPs = [
+                    "${config.cynerd.hosts.wg.spt-omnia}/32"
+                    "10.8.2.0/24"
+                  ];
+                  PublicKey = config.secrets.wireguardPubs.spt-omnia;
+                }
+                // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+            }
+            #{
+            #  wireguardPeerConfig =
+            #    {
+            #      Endpoint = "${endpoints.adm-omnia}:51820";
+            #      AllowedIPs = [
+            #        "${config.cynerd.hosts.wg.adm-omnia}/32"
+            #        "10.8.3.0/24"
+            #      ];
+            #      PublicKey = config.secrets.wireguardPubs.adm-omnia;
+            #    }
+            #    // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
+            #}
+          ]
+          ++ (optionals is_endpoint (mapAttrsToList (n: v: {
+            wireguardPeerConfig = {
+              AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
+              PublicKey = v;
+            };
+          }) (filterAttrs (n: _: ! endpoints ? "${n}") config.secrets.wireguardPubs)));
+      };
+      networks."wg" = {
+        matchConfig.Name = "wg";
+        networkConfig = {
+          Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
+          IPForward = is_endpoint;
+        };
+        routes =
+          (optional (hostName != "spt-omnia") {
+            routeConfig = {
+              Gateway = config.cynerd.hosts.wg.spt-omnia;
+              Destination = "10.8.2.0/24";
+            };
+          })
+          ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
+            routeConfig = {
+              Gateway = config.cynerd.hosts.wg.adm-omnia;
+              Destination = "10.8.3.0/24";
+            };
+          });
+      };
     };
+    networking.firewall.allowedUDPPorts = [51820];
+  };
 }