From e84e6dcf117080eaf7658b25fb20a9dc3b5d1cfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Sun, 24 Mar 2024 19:05:39 +0100 Subject: Add wireguard and more updates --- nixos/modules/wireguad.nix | 96 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 89 insertions(+), 7 deletions(-) (limited to 'nixos/modules/wireguad.nix') diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix index 67bd8d5..d96fc9e 100644 --- a/nixos/modules/wireguad.nix +++ b/nixos/modules/wireguad.nix @@ -1,18 +1,100 @@ { config, lib, + pkgs, ... }: let - inherit (lib) mkEnableOption mkIf; - cnf = config.cynerd.wireguard; + inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs; + inherit (config.networking) hostName; + endpoints = { + "lipwig" = "cynerd.cz"; + "spt-omnia" = "spt.cynerd.cz"; + "adm-omnia" = "adm.cynerd.cz"; + }; + is_endpoint = endpoints ? "${hostName}"; in { options = { - cynerd.wireguard = { - enable = mkEnableOption "Enable Wireguard"; - }; + cynerd.wireguard = mkEnableOption "Enable Wireguard"; }; - config = - mkIf cnf.enable { + config = mkIf config.cynerd.wireguard { + environment.systemPackages = [pkgs.wireguard-tools]; + systemd.network = { + netdevs."wg" = { + netdevConfig = { + Name = "wg"; + Kind = "wireguard"; + Description = "Personal Wireguard tunnel"; + MTUBytes = "1300"; + }; + wireguardConfig = { + ListenPort = 51820; + PrivateKeyFile = "/run/secrets/wg.key"; + }; + wireguardPeers = + [ + { + wireguardPeerConfig = + { + Endpoint = "${endpoints.lipwig}:51820"; + AllowedIPs = ["0.0.0.0/0"]; + PublicKey = config.secrets.wireguardPubs.lipwig; + } + // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}); + } + { + wireguardPeerConfig = + { + Endpoint = "${endpoints.spt-omnia}:51820"; + AllowedIPs = [ + "${config.cynerd.hosts.wg.spt-omnia}/32" + "10.8.2.0/24" + ]; + PublicKey = config.secrets.wireguardPubs.spt-omnia; + } + // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}); + } + #{ + # wireguardPeerConfig = + # { + # Endpoint = "${endpoints.adm-omnia}:51820"; + # AllowedIPs = [ + # "${config.cynerd.hosts.wg.adm-omnia}/32" + # "10.8.3.0/24" + # ]; + # PublicKey = config.secrets.wireguardPubs.adm-omnia; + # } + # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}); + #} + ] + ++ (optionals is_endpoint (mapAttrsToList (n: v: { + wireguardPeerConfig = { + AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32"; + PublicKey = v; + }; + }) (filterAttrs (n: _: ! endpoints ? "${n}") config.secrets.wireguardPubs))); + }; + networks."wg" = { + matchConfig.Name = "wg"; + networkConfig = { + Address = "${config.cynerd.hosts.wg."${hostName}"}/24"; + IPForward = is_endpoint; + }; + routes = + (optional (hostName != "spt-omnia") { + routeConfig = { + Gateway = config.cynerd.hosts.wg.spt-omnia; + Destination = "10.8.2.0/24"; + }; + }) + ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") { + routeConfig = { + Gateway = config.cynerd.hosts.wg.adm-omnia; + Destination = "10.8.3.0/24"; + }; + }); + }; }; + networking.firewall.allowedUDPPorts = [51820]; + }; } -- cgit v1.2.3