{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
  inherit (config.networking) hostName;

  # Hosts with a public, DNS-reachable WireGuard endpoint, keyed by host name.
  # Every other host is a client that only dials out to these.
  endpoints = {
    "lipwig" = "cynerd.cz";
    "spt-omnia" = "spt.cynerd.cz";
    "adm-omnia" = "adm.cynerd.cz";
  };
  is_endpoint = endpoints ? "${hostName}";

  # Tunnel addresses and peer public keys are supplied by the rest of the
  # configuration; nothing secret is embedded in this module.
  wgHosts = config.cynerd.hosts.wg;
  wgPubs = config.secrets.wireguardPubs;

  # Clients (typically behind NAT) keep the mapping alive; endpoints do not.
  keepalive = optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;};

  # A static route into the tunnel via a peer's tunnel address.
  # All tunnel routes share metric 2048.
  viaPeer = gateway: destination: {
    routeConfig = {
      Gateway = gateway;
      Destination = destination;
      Metric = 2048;
    };
  };
in {
  options.cynerd.wireguard = mkEnableOption "Enable Wireguard";

  config = mkIf config.cynerd.wireguard {
    environment.systemPackages = [pkgs.wireguard-tools];

    systemd.network = {
      netdevs."wg" = {
        netdevConfig = {
          Name = "wg";
          Kind = "wireguard";
          Description = "Personal Wireguard tunnel";
          MTUBytes = "1300";
        };
        wireguardConfig = {
          ListenPort = 51820;
          # Key is provisioned at runtime outside Nix; only the path is in the store.
          PrivateKeyFile = "/run/secrets/wg.key";
        };
        wireguardPeers =
          [
            {
              # Hub peer: 0.0.0.0/0 means any destination not matched by a more
              # specific peer's AllowedIPs is sent to (and accepted from) lipwig.
              # NOTE(review): assumes no RouteTable= is set, so this does not
              # install a default route; only the explicit routes in
              # networks."wg" steer traffic into the tunnel — confirm.
              wireguardPeerConfig =
                {
                  Endpoint = "${endpoints.lipwig}:51820";
                  AllowedIPs = ["0.0.0.0/0"];
                  PublicKey = wgPubs.lipwig;
                }
                // keepalive;
            }
            {
              wireguardPeerConfig =
                {
                  Endpoint = "${endpoints.spt-omnia}:51820";
                  AllowedIPs = [
                    "${wgHosts.spt-omnia}/32"
                    "10.8.2.0/24"
                  ];
                  PublicKey = wgPubs.spt-omnia;
                }
                // keepalive;
            }
            #{
            #  wireguardPeerConfig =
            #    {
            #      Endpoint = "${endpoints.adm-omnia}:51820";
            #      AllowedIPs = [
            #        "${wgHosts.adm-omnia}/32"
            #        "10.8.3.0/24"
            #      ];
            #      PublicKey = wgPubs.adm-omnia;
            #    }
            #    // keepalive;
            #}
          ]
          # Endpoints additionally accept every non-endpoint host as a peer,
          # each confined to its own /32 tunnel address. No Endpoint is set, so
          # the client must initiate the handshake.
          ++ (optionals is_endpoint (mapAttrsToList (name: pub: {
              wireguardPeerConfig = {
                AllowedIPs = "${wgHosts.${name}}/32";
                PublicKey = pub;
              };
            }) (filterAttrs (name: _: !(endpoints ? "${name}")) wgPubs)));
      };

      networks."wg" = {
        matchConfig.Name = "wg";
        networkConfig = {
          Address = "${wgHosts."${hostName}"}/24";
          # Only endpoints relay between peers; clients never forward.
          IPForward = is_endpoint;
        };
        # Each remote network is reached through the peer that fronts it; the
        # route is omitted on that peer itself.
        routes =
          (optional (hostName != "lipwig")
            # OpenVPN network
            (viaPeer wgHosts.lipwig "10.8.0.0/24"))
          ++ (optional (hostName != "spt-omnia")
            # SPT network
            (viaPeer wgHosts.spt-omnia "10.8.2.0/24"))
          ++ (optional (hostName != "adm-omnia" && hostName != "lipwig")
            # Adamkovi network
            (viaPeer wgHosts.adm-omnia "10.8.3.0/24"))
          ++ (optionals (hostName != "dean") [
            # Elektroline
            (viaPeer wgHosts.dean "10.0.0.0/22")
            (viaPeer wgHosts.dean "10.0.20.0/24")
          ]);
      };
    };

    # NOTE(review): the listen port is opened on every host that enables the
    # module, not only on endpoints. Clients initiate the handshake, so replies
    # already pass via conntrack; `optional is_endpoint 51820` may be enough —
    # confirm roaming/peer-to-peer needs before narrowing.
    networking.firewall.allowedUDPPorts = [51820];
  };
}