aboutsummaryrefslogtreecommitdiff
path: root/nixos/modules/wireguad.nix
blob: 69e1ccd6723a2e2943a12e9e735ba9d3ec6c7698 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) any all mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
  inherit (config.networking) hostName;
  endpoints = ["lipwig" "spt-omnia" "adm-omnia"];
  is_endpoint = any (v: v == hostName) endpoints;
in {
  options = {
    cynerd.wireguard = mkEnableOption "Enable Wireguard";
  };

  config = mkIf config.cynerd.wireguard {
    environment.systemPackages = [pkgs.wireguard-tools];
    systemd.network = {
      netdevs."wg" = {
        netdevConfig = {
          Name = "wg";
          Kind = "wireguard";
          Description = "Personal Wireguard tunnel";
          MTUBytes = "1300";
        };
        wireguardConfig = {
          ListenPort = 51820;
          PrivateKeyFile = "/run/secrets/wg.key";
        };
        wireguardPeers =
          [
            ({
                Endpoint = "cynerd.cz:51820";
                AllowedIPs = ["0.0.0.0/0"];
                PublicKey = config.secrets.wireguardPubs.lipwig;
              }
              // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
            ({
                Endpoint = "spt.cynerd.cz:51820";
                AllowedIPs = [
                  "${config.cynerd.hosts.wg.spt-omnia}/32"
                  "10.8.2.0/24"
                ];
                PublicKey = config.secrets.wireguardPubs.spt-omnia;
              }
              // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;}))
            #{
            #  wireguardPeerConfig =
            #    {
            #      Endpoint = "adm.cynerd.cz:51820";
            #      AllowedIPs = [
            #        "${config.cynerd.hosts.wg.adm-omnia}/32"
            #        "10.8.3.0/24"
            #      ];
            #      PublicKey = config.secrets.wireguardPubs.adm-omnia;
            #    }
            #    // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
            #}
          ]
          ++ (optionals is_endpoint (mapAttrsToList (n: v: {
            AllowedIPs = "${config.cynerd.hosts.wg."${n}"}/32";
            PublicKey = v;
          }) (filterAttrs (n: _: all (v: v != n) endpoints) config.secrets.wireguardPubs)));
      };
      networks."wg" = {
        matchConfig.Name = "wg";
        networkConfig = {
          Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
          IPForward = is_endpoint;
          #DNS = mkIf (hostName != "dean") ["10.0.20.30" "10.0.20.31"];
          #DNSSEC = false;
          #Domains = mkIf (hostName != "dean") "~elektroline.cz";
        };
        routes =
          (optional (hostName != "lipwig") {
            # OpenVPN network
            Gateway = config.cynerd.hosts.wg.lipwig;
            Destination = "10.8.0.0/24";
            Metric = 2048;
          })
          ++ (optional (hostName != "spt-omnia") {
            # SPT network
            Gateway = config.cynerd.hosts.wg.spt-omnia;
            Destination = "10.8.2.0/24";
            Metric = 2048;
          })
          ++ (optional (hostName != "adm-omnia" && hostName != "lipwig") {
            # Adamkovi network
            Gateway = config.cynerd.hosts.wg.adm-omnia;
            Destination = "10.8.3.0/24";
            Metric = 2048;
          });
      };
    };
    networking.firewall.allowedUDPPorts = [51820];
  };
}