authorAzat Bahawi <azat@bahawi.net>2024-03-31 21:29:27 +0300
committerAzat Bahawi <azat@bahawi.net>2024-03-31 21:29:27 +0300
commit9a5427e3a0c0ccf2a82dc503149a26b23fbd6004 (patch)
treef28beec29deeea36038615a8fb98a810891940b5 /modules/nixos/wireguard.nix
parent4ad0c3afc1f6caf0c3f05f99a15b22178f2c190b (diff)
2024-03-31
Diffstat (limited to 'modules/nixos/wireguard.nix')
-rw-r--r--modules/nixos/wireguard.nix75
1 files changed, 46 insertions, 29 deletions
diff --git a/modules/nixos/wireguard.nix b/modules/nixos/wireguard.nix
index d05c6ae..f645a90 100644
--- a/modules/nixos/wireguard.nix
+++ b/modules/nixos/wireguard.nix
@@ -6,9 +6,11 @@
this,
...
}:
-with lib; let
+with lib;
+let
cfg = config.nixfiles.modules.wireguard;
-in {
+in
+{
options.nixfiles.modules.wireguard = {
client = {
enable = mkEnableOption "WireGuard client";
@@ -56,16 +58,20 @@ in {
peers = mkOption {
description = "List of peers.";
type = with types; listOf attrs;
- default = mapAttrsToList (_: attr:
- with attr; {
- inherit (wireguard) publicKey;
- allowedIPs = with wireguard; [
- "${ipv4.address}/32"
- "${ipv6.address}/128"
- ];
- }) (filterAttrs (_: attr:
- attr.hostname != this.hostname && hasAttr "wireguard" attr)
- my.configurations);
+ default =
+ mapAttrsToList
+ (
+ _: attr: with attr; {
+ inherit (wireguard) publicKey;
+ allowedIPs = with wireguard; [
+ "${ipv4.address}/32"
+ "${ipv6.address}/128"
+ ];
+ }
+ )
+ (
+ filterAttrs (_: attr: attr.hostname != this.hostname && hasAttr "wireguard" attr) my.configurations
+ );
};
};
@@ -105,13 +111,16 @@ in {
(mkIf (cfg.client.enable || cfg.server.enable) {
secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}";
- networking.firewall.trustedInterfaces = [cfg.interface];
+ networking.firewall.trustedInterfaces = [ cfg.interface ];
})
(mkIf cfg.client.enable {
networking.wg-quick.interfaces.${cfg.interface} = mkMerge [
(with this.wireguard; {
privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
- address = ["${ipv4.address}/16" "${ipv6.address}/16"];
+ address = [
+ "${ipv4.address}/16"
+ "${ipv6.address}/16"
+ ];
})
(with cfg.server; {
peers = [
@@ -119,15 +128,16 @@ in {
inherit publicKey;
endpoint = "${address}:${toString port}";
allowedIPs =
- if cfg.client.enableTrafficRouting
- then [
- "0.0.0.0/0"
- "::/0"
- ]
- else [
- cfg.ipv4.subnet
- cfg.ipv6.subnet
- ];
+ if cfg.client.enableTrafficRouting then
+ [
+ "0.0.0.0/0"
+ "::/0"
+ ]
+ else
+ [
+ cfg.ipv4.subnet
+ cfg.ipv6.subnet
+ ];
persistentKeepalive = 25;
}
];
@@ -141,7 +151,11 @@ in {
environment.systemPackages = with pkgs; [
(writeShellApplication {
name = "wg-toggle";
- runtimeInputs = [iproute2 jq wireguard-tools];
+ runtimeInputs = [
+ iproute2
+ jq
+ wireguard-tools
+ ];
text = ''
ip46() {
sudo ip -4 "$@"
@@ -166,7 +180,10 @@ in {
enable = true;
interfaces.${cfg.interface} = with cfg.server; {
privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
- ips = ["${ipv4.address}/16" "${ipv6.address}/16"];
+ ips = [
+ "${ipv4.address}/16"
+ "${ipv6.address}/16"
+ ];
listenPort = port;
inherit peers;
allowedIPsAsRoutes = false;
@@ -179,12 +196,12 @@ in {
externalInterface = mkDefault "eth0";
- internalInterfaces = [cfg.interface];
- internalIPs = [cfg.ipv4.subnet];
- internalIPv6s = [cfg.ipv6.subnet];
+ internalInterfaces = [ cfg.interface ];
+ internalIPs = [ cfg.ipv4.subnet ];
+ internalIPv6s = [ cfg.ipv6.subnet ];
};
- firewall.allowedUDPPorts = [cfg.server.port];
+ firewall.allowedUDPPorts = [ cfg.server.port ];
};
services.prometheus.exporters.wireguard = {