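{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) elem mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
  inherit (config.networking) hostName;

  # Hosts with a public, stable Endpoint.  They relay for everyone else
  # (IPForward below) and get a peer entry for every non-endpoint host.
  # Everything else is treated as a roaming client that only dials out.
  endpoints = ["lipwig" "spt-omnia" "adm-omnia"];
  is_endpoint = elem hostName endpoints;

  # Roaming clients sit behind NAT, so they keep the mapping alive; endpoints
  # are directly reachable and need no keepalive.
  keepalive = optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;};

  # Host-route (/32) for a host's address on the tunnel network.
  hostCidr = name: "${config.cynerd.hosts.wg."${name}"}/32";
in {
  options = {
    cynerd.wireguard = mkEnableOption "Enable Wireguard";
  };

  config = mkIf config.cynerd.wireguard {
    environment.systemPackages = [pkgs.wireguard-tools];

    systemd.network = {
      netdevs."wg" = {
        netdevConfig = {
          Name = "wg";
          Kind = "wireguard";
          Description = "Personal Wireguard tunnel";
          MTUBytes = "1300";
        };
        wireguardConfig = {
          ListenPort = 51820;
          # NOTE(review): systemd-networkd opens this file as the
          # systemd-network user, so the secret has to be owned by / readable
          # for that user and nobody else.  How /run/secrets/wg.key is
          # provisioned is not visible in this module — confirm its mode and
          # owner where the secret is declared.
          PrivateKeyFile = "/run/secrets/wg.key";
        };
        wireguardPeers =
          [
            # Hub.  0.0.0.0/0 makes lipwig the catch-all peer in cryptokey
            # routing: any destination not claimed by a more specific
            # AllowedIPs below goes to (and is accepted from) lipwig.
            # networkd only installs routes for AllowedIPs when RouteTable=
            # is set, so this does not replace the host's default route;
            # the explicit routes in networks."wg" below do the steering.
            ({
                Endpoint = "cynerd.cz:51820";
                AllowedIPs = ["0.0.0.0/0"];
                PublicKey = config.secrets.wireguardPubs.lipwig;
              }
              // keepalive)
            # SPT site: the gateway host itself plus the LAN behind it.
            ({
                Endpoint = "spt.cynerd.cz:51820";
                AllowedIPs = [
                  (hostCidr "spt-omnia")
                  "10.8.2.0/24"
                ];
                PublicKey = config.secrets.wireguardPubs.spt-omnia;
              }
              // keepalive)
            # Adamkovi site — currently disabled.  While it is disabled, the
            # 10.8.3.0/24 route below still exists on most hosts and, via the
            # 0.0.0.0/0 entry, that traffic is handed to lipwig instead.
            #({
            #    Endpoint = "adm.cynerd.cz:51820";
            #    AllowedIPs = [
            #      (hostCidr "adm-omnia")
            #      "10.8.3.0/24"
            #    ];
            #    PublicKey = config.secrets.wireguardPubs.adm-omnia;
            #  }
            #  // keepalive)
          ]
          # Endpoints additionally accept every non-endpoint host directly,
          # limited to that host's single tunnel address.  Other endpoints are
          # not added here; they come from the explicit list above.
          #
          # NOTE(review): on an endpoint host the explicit list above also
          # contains the host's own public key (e.g. lipwig lists lipwig).
          # The kernel silently skips a peer whose key equals the interface's
          # own, so this is harmless as far as I know — confirm, or filter the
          # host's own entry out if that assumption turns out to be wrong.
          ++ optionals is_endpoint (mapAttrsToList (name: pub: {
              AllowedIPs = [(hostCidr name)];
              PublicKey = pub;
            }) (filterAttrs (name: _: !(elem name endpoints)) config.secrets.wireguardPubs));
      };

      networks."wg" = {
        matchConfig.Name = "wg";
        networkConfig = {
          Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
          # Endpoints relay between peers and the networks behind them.
          # NOTE(review): this is the host-wide forwarding sysctl, and the
          # NixOS firewall filters INPUT only — nothing in this module
          # restricts what a tunnel peer may reach through an endpoint.
          # Confirm the endpoint hosts carry a FORWARD policy elsewhere.
          # (systemd >= 256 prefers IPv4Forwarding=/IPv6Forwarding= over
          # IPForward=; keep an eye on networkd warnings after upgrades.)
          IPForward = is_endpoint;
          #DNS = mkIf (hostName != "dean") ["10.0.20.30" "10.0.20.31"];
          #DNSSEC = false;
          #Domains = mkIf (hostName != "dean") "~elektroline.cz";
        };
        # Site networks reachable through the respective gateway host.  A
        # gateway does not get a route to its own LAN; the high metric keeps
        # a locally attached copy of the same prefix preferred.
        routes =
          (optional (hostName != "lipwig") {
            # OpenVPN network
            Gateway = config.cynerd.hosts.wg.lipwig;
            Destination = "10.8.0.0/24";
            Metric = 2048;
          })
          ++ (optional (hostName != "spt-omnia") {
            # SPT network
            Gateway = config.cynerd.hosts.wg.spt-omnia;
            Destination = "10.8.2.0/24";
            Metric = 2048;
          })
          ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
            # Adamkovi network (peer currently disabled above; see note there)
            Gateway = config.cynerd.hosts.wg.adm-omnia;
            Destination = "10.8.3.0/24";
            Metric = 2048;
          });
      };
    };

    # NOTE(review): this opens the listen port on every host with the module
    # enabled, not only on endpoints.  Roaming clients only dial out and keep
    # their NAT mapping alive, so `optionals is_endpoint [51820]` would be the
    # least-exposure form; WireGuard stays silent to unauthenticated packets,
    # so the exposure is low, but confirm the clients actually need it.
    networking.firewall.allowedUDPPorts = [51820];
  };
}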