authorazahi <azat@bahawi.net>2025-01-14 13:27:50 +0300
committerazahi <azat@bahawi.net>2025-01-14 13:27:50 +0300
commitb8ea365ca8eb801f8c8442f2f9ab439343ed8b8f (patch)
treefe46f6e8f0da8d8525e486290cca3079679b363d /modules/wireguard.nix
parent2025-01-06 (diff)
2025-01-14
Diffstat (limited to '')
-rw-r--r--modules/wireguard.nix130
1 files changed, 65 insertions, 65 deletions
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 633ec5b..92497e1 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -6,17 +6,16 @@
   this,
   ...
 }:
-with lib;
 let
   cfg = config.nixfiles.modules.wireguard;
 
-  DNSSetup = optionalString config.services.resolved.enable (
+  DNSSetup = lib.optionalString config.services.resolved.enable (
     let
       resolvectl = "${config.systemd.package}/bin/resolvectl";
     in
     ''
       ${resolvectl} dns ${cfg.interface} ${cfg.server.ipv6.address} ${cfg.server.ipv4.address}
-      ${resolvectl} domain ${cfg.interface} local ${my.domain.shire}
+      ${resolvectl} domain ${cfg.interface} local ${lib.my.domain.shire}
       ${resolvectl} dnssec ${cfg.interface} no
       ${resolvectl} dnsovertls ${cfg.interface} no
     ''
@@ -46,83 +45,81 @@ in
 
   options.nixfiles.modules.wireguard = {
     client = {
-      enable = mkEnableOption "WireGuard client";
+      enable = lib.mkEnableOption "WireGuard client";
 
-      enableTrafficRouting = mkOption {
+      enableTrafficRouting = lib.mkOption {
         description = "Whether to enable traffic routing through the sever.";
-        type = with types; bool;
+        type = lib.types.bool;
         default = !this.isHeadless;
       };
     };
 
     server = {
-      enable = mkEnableOption "WireGuard server";
+      enable = lib.mkEnableOption "WireGuard server";
 
-      ipv4.address = mkOption {
+      ipv4.address = lib.mkOption {
         description = "IPv4 address to bind to.";
-        type = with types; str;
-        default = my.configurations.manwe.wireguard.ipv4.address;
+        type = lib.types.str;
+        default = lib.my.configurations.manwe.wireguard.ipv4.address;
       };
 
-      ipv6.address = mkOption {
+      ipv6.address = lib.mkOption {
         description = "IPv4 address to bind to.";
-        type = with types; str;
-        default = my.configurations.manwe.wireguard.ipv6.address;
+        type = lib.types.str;
+        default = lib.my.configurations.manwe.wireguard.ipv6.address;
       };
 
-      address = mkOption {
+      address = lib.mkOption {
         description = "Endpoint address to use";
-        type = with types; str;
-        default = my.configurations.manwe.ipv4.address;
+        type = lib.types.str;
+        default = lib.my.configurations.manwe.ipv4.address;
       };
 
-      port = mkOption {
+      port = lib.mkOption {
         description = "Endpoint port to use.";
-        type = with types; int;
+        type = lib.types.int;
         default = 6969;
       };
 
-      publicKey = mkOption {
+      publicKey = lib.mkOption {
         description = "Server's public key.";
-        type = with types; str;
-        default = my.configurations.manwe.wireguard.publicKey;
+        type = lib.types.str;
+        default = lib.my.configurations.manwe.wireguard.publicKey;
       };
 
-      peers = mkOption {
+      peers = lib.mkOption {
         description = "List of peers.";
-        type = with types; listOf attrs;
+        type = with lib.types; listOf attrs;
         default =
-          mapAttrsToList
-            (
-              _: attr: with attr; {
-                inherit (wireguard) publicKey;
-                allowedIPs = with wireguard; [
-                  "${ipv6.address}/128"
-                  "${ipv4.address}/32"
-                ];
-              }
-            )
-            (
-              filterAttrs (_: attr: attr.hostname != this.hostname && hasAttr "wireguard" attr) my.configurations
-            );
+          lib.my.configurations
+          |> lib.filterAttrs (_: v: v.hostname != this.hostname && lib.hasAttr "wireguard" v)
+          |> lib.mapAttrsToList (
+            _: v: {
+              inherit (v.wireguard) publicKey;
+              allowedIPs = with v.wireguard; [
+                "${ipv6.address}/128"
+                "${ipv4.address}/32"
+              ];
+            }
+          );
       };
     };
 
-    interface = mkOption {
+    interface = lib.mkOption {
       description = "Name of the interface to use WireGuard with.";
-      type = with types; str;
+      type = lib.types.str;
       default = "wg69";
     };
 
-    ipv4.subnet = mkOption {
+    ipv4.subnet = lib.mkOption {
       description = "CIDR notation for the IPv4 subnet to use over WireGuard.";
-      type = with types; str;
+      type = lib.types.str;
       default = "10.69.0.0/16";
     };
 
-    ipv6.subnet = mkOption {
+    ipv6.subnet = lib.mkOption {
       description = "CIDR notation for the IPv6 subnet to use over WireGuard.";
-      type = with types; str;
+      type = lib.types.str;
       default = "fd69::/16";
     };
   };
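Review bot: The new `|>` pipelines at lines 123-125 (and again at 202 and 257-259) make this module evaluate only on a Nix with the experimental `pipe-operators` feature enabled, which the commit does not mention anywhere; on an evaluator without it the whole module fails to parse, not just this default. The stable `lib.pipe lib.my.configurations [ (lib.filterAttrs ...) (lib.mapAttrsToList ...) ]` expresses the same chain, and `toString port` at line 202 needs no pipe at all. While the `peers` option is being reshaped, `type = with lib.types; listOf attrs` still accepts any attrset, so a peer entry with a mistyped `publicKey` or an overly broad `allowedIPs` is only caught by wg-quick at activation; a `listOf (submodule { options = { publicKey = lib.mkOption { type = lib.types.str; }; allowedIPs = lib.mkOption { type = lib.types.listOf lib.types.str; }; }; })` would reject malformed entries at evaluation time. The `options` attrset this hunk rewrites continues past its last line.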
@@ -135,27 +132,27 @@ in
           message = "Sudo is not enabled.";
         }
         {
-          assertion = any (x: x == "wheel") config.my.extraGroups;
+          assertion = lib.any (x: x == "wheel") config.my.extraGroups;
           message = ''User is not in the "wheel" group.'';
         }
       ];
     }
-    // mkMerge [
-      (mkIf (cfg.client.enable || cfg.server.enable) {
+    // lib.mkMerge [
+      (lib.mkIf (cfg.client.enable || cfg.server.enable) {
         secrets."wireguard-private-key-${this.hostname}".file =
           "${inputs.self}/secrets/wireguard-private-key-${this.hostname}";
 
         networking.firewall.trustedInterfaces = [ cfg.interface ];
 
-        topology = with cfg; {
-          nodes.${this.hostname}.interfaces.${interface} = {
-            network = interface;
+        topology = {
+          nodes.${this.hostname}.interfaces.${cfg.interface} = {
+            network = cfg.interface;
             icon = "interfaces.wireguard";
           };
         };
       })
-      (mkIf cfg.client.enable {
-        networking.wg-quick.interfaces.${cfg.interface} = mkMerge [
+      (lib.mkIf cfg.client.enable {
+        networking.wg-quick.interfaces.${cfg.interface} = lib.mkMerge [
           (with this.wireguard; {
             type = "amneziawg";
             privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
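Review bot: `lib.any (x: x == "wheel") config.my.extraGroups` at line 166 is a hand-rolled membership test; `lib.elem "wheel" config.my.extraGroups` says the same thing directly and reads as the check it is. The assertions list and the `lib.mkMerge` list that this hunk rewrites both begin and end outside the hunk.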
@@ -169,7 +166,7 @@ in
             peers = [
               {
                 inherit publicKey;
-                endpoint = "${address}:${toString port}";
+                endpoint = "${address}:${port |> toString}";
                 allowedIPs =
                   if cfg.client.enableTrafficRouting then
                     [
@@ -217,7 +214,7 @@ in
           })
         ];
       })
-      (mkIf cfg.server.enable {
+      (lib.mkIf cfg.server.enable {
         networking = {
           wireguard = {
             enable = true;
@@ -239,7 +236,7 @@ in
             enable = true;
             enableIPv6 = true;
 
-            externalInterface = mkDefault "eth0";
+            externalInterface = lib.mkDefault "eth0";
 
             internalInterfaces = [ cfg.interface ];
             internalIPs = [ cfg.ipv4.subnet ];
@@ -251,24 +248,27 @@ in
 
         services.prometheus.exporters.wireguard = {
           enable = false; # TODO Doesn't work with amneziawg-tools.
-          listenAddress = mkDefault this.wireguard.ipv4.address;
+          listenAddress = lib.mkDefault this.wireguard.ipv4.address;
           withRemoteIp = true;
           port = 9586;
         };
 
-        topology = with cfg; {
-          networks = {
-            ${interface} = {
-              name = interface;
-              cidrv4 = ipv4.subnet;
-              cidrv6 = ipv6.subnet;
-              icon = "interfaces.wireguard";
-            };
+        topology = {
+          networks.${cfg.interface} = {
+            name = cfg.interface;
+            cidrv4 = cfg.ipv4.subnet;
+            cidrv6 = cfg.ipv6.subnet;
+            icon = "interfaces.wireguard";
+            style.pattern = "dotted";
           };
 
-          nodes.${this.hostname}.interfaces.${interface}.physicalConnections = mapAttrsToList (
-            name: _: config.lib.topology.mkConnection name interface
-          ) (filterAttrs (n: v: !v.isOther && n != this.hostname && hasAttr "wireguard" v) my.configurations);
+          nodes.${this.hostname}.interfaces.${cfg.interface} = {
+            network = cfg.interface;
+            physicalConnections =
+              lib.my.configurations
+              |> lib.filterAttrs (n: v: !v.isOther && n != this.hostname && lib.hasAttr "wireguard" v)
+              |> lib.mapAttrsToList (n: _: config.lib.topology.mkConnection n cfg.interface);
+          };
         };
       })
     ];
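Review bot: The peer-selection predicate at line 258, `!v.isOther && n != this.hostname && lib.hasAttr "wireguard" v`, is the second copy of the filter already written for the `peers` default in the options hunk (`v.hostname != this.hostname && lib.hasAttr "wireguard" v`), and the two now differ in the `!v.isOther` clause and in keying on `n` versus `v.hostname`; if that divergence is intentional it deserves a comment, and if not the topology will draw connections to hosts that are not in the peer list or vice versa. Hoisting one helper into the module's `let`, `isWireguardPeer = n: v: n != this.hostname && lib.hasAttr "wireguard" v;`, and using it in both places would keep the server peer set and the rendered topology from drifting apart. The `config` attrset closed by the `];` on the last line starts outside this hunk.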
