diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index f408731..8547f70 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -11,6 +11,15 @@ let
   cfg = config.nixfiles.modules.wireguard;
 in
 {
+  disabledModules = [
+    "services/networking/wireguard.nix"
+    "services/networking/wg-quick.nix"
+  ];
+  imports = [
+    "${inputs.nixpkgs-amneziawg}/nixos/modules/services/networking/wireguard.nix"
+    "${inputs.nixpkgs-amneziawg}/nixos/modules/services/networking/wg-quick.nix"
+  ];
+
   options.nixfiles.modules.wireguard = {
     client = {
       enable = mkEnableOption "WireGuard client";
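Review bot: The `disabledModules`/`imports` pair swaps the system's wireguard and wg-quick modules for copies out of a second nixpkgs checkout (`inputs.nixpkgs-amneziawg`) without saying why, so a later reader cannot tell when the override can be dropped; a comment such as `# Upstream wireguard.nix/wg-quick.nix have no type = "amneziawg" option yet; use the fork's copies until it lands` above `disabledModules` would record that (the reason is my inference from the `type = "amneziawg"` settings further down). Because these modules — and presumably the amneziawg tools they invoke — now come from a different tree than the rest of the system, that input should be pinned in the lock file and reviewed like any other third-party source: it is the code that hands `privateKeyFile` to the tooling. The two `disabledModules` strings must match the primary nixpkgs module-list paths exactly, otherwise both copies are loaded and their option declarations collide at evaluation time. The `options` block that follows continues past the end of the hunk.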
@@ -64,8 +73,8 @@ in
               _: attr: with attr; {
                 inherit (wireguard) publicKey;
                 allowedIPs = with wireguard; [
-                  "${ipv4.address}/32"
                   "${ipv6.address}/128"
+                  "${ipv4.address}/32"
                 ];
               }
             )
@@ -123,11 +132,17 @@ in
       (mkIf cfg.client.enable {
         networking.wg-quick.interfaces.${cfg.interface} = mkMerge [
           (with this.wireguard; {
+            type = "amneziawg";
             privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
             address = [
               "${ipv4.address}/16"
               "${ipv6.address}/16"
             ];
+            extraInterfaceConfig = mkIf this.isHeadful ''
+              Jc = 4
+              Jmin = 40
+              Jmax = 70
+            '';
           })
           (with cfg.server; {
             peers = [
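Review bot: The junk-packet settings in `extraInterfaceConfig` are gated on `this.isHeadful` with no explanation, so it is unclear whether headless clients are meant to skip obfuscation or were overlooked; a comment like `# Only interactive hosts send AmneziaWG junk packets; Jc/Jmin/Jmax are client-local and need not match the server` would record the intent (that Jc/Jmin/Jmax are one-sided, unlike S1/S2/H1–H4, is my understanding of AmneziaWG and worth confirming against its docs). Only the junk-packet knobs are set here; without S1/S2/H1–H4 the handshake and data packets keep stock WireGuard message types, so the DPI resistance this buys is limited and that limitation deserves a line next to the values. The unchanged `address` entry gives the IPv6 address a `/16` prefix, which looks like a copy of the IPv4 prefix length. The enclosing `mkMerge` list continues past the hunk.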
@@ -137,21 +152,28 @@ in
                 allowedIPs =
                   if cfg.client.enableTrafficRouting then
                     [
-                      "0.0.0.0/0"
                       "::/0"
+                      "0.0.0.0/0"
                     ]
                   else
                     [
-                      cfg.ipv4.subnet
                       cfg.ipv6.subnet
+                      cfg.ipv4.subnet
                     ];
-                persistentKeepalive = 25;
               }
             ];
             dns = [
-              ipv4.address
               ipv6.address
-            ]; # This assumes that the host has Unbound running.
+              ipv4.address
+            ];
+            postUp =
+              let
+                resolvectl = "${config.systemd.package}/bin/resolvectl";
+              in
+              ''
+                ${resolvectl} dns ${cfg.interface} ${ipv6.address} ${ipv4.address}
+                ${resolvectl} domain ${cfg.interface} ${concatStringsSep " " (mapAttrsToList (_: v: v) my.domain)}
+              '';
           })
         ];
 
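Review bot: `resolvectl domain ${cfg.interface} …` in `postUp` replaces the interface's entire routing-domain list, so if wg-quick's `DNS=` handling had installed the catch-all `~.` (systemd's `resolvconf -x` shim does this), the hook drops it and any query outside `my.domain` falls back to the DNS servers of other links — a DNS leak exactly in the `enableTrafficRouting` case. Re-add the catch-all when full routing is on and make the listed domains routing-only, e.g. `${resolvectl} domain ${cfg.interface} ${optionalString cfg.client.enableTrafficRouting "~."} ${concatStringsSep " " (map (d: "~${d}") (attrValues my.domain))}` (assuming `lib` is in scope as the other helpers suggest). `persistentKeepalive = 25` was removed without comment; for a client behind NAT the server can no longer reach it unsolicited once the mapping expires, which may be intended but should be stated. The `resolvectl dns` line also duplicates the `dns = [ … ]` attribute just above it, so one of the two can go.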
@@ -159,9 +181,9 @@ in
           (writeShellApplication {
             name = "wg-toggle";
             runtimeInputs = [
+              amneziawg-tools
               iproute2
               jq
-              wireguard-tools
             ];
             text = ''
               ip46() {
@@ -169,13 +191,13 @@ in
                 sudo ip -6 "$@"
               }
 
-              fwmark=$(sudo wg show ${cfg.interface} fwmark) || exit
+              fwmark=$(sudo awg show ${cfg.interface} fwmark) || exit
               if ip -j rule list lookup "$fwmark" | jq -e 'length > 0' >/dev/null; then
-                  ip46 rule del lookup main suppress_prefixlength 0
-                  ip46 rule del lookup "$fwmark"
+                ip46 rule del lookup main suppress_prefixlength 0
+                ip46 rule del lookup "$fwmark"
               else
-                  ip46 rule add not fwmark "$fwmark" lookup "$fwmark"
-                  ip46 rule add lookup main suppress_prefixlength 0
+                ip46 rule add not fwmark "$fwmark" lookup "$fwmark"
+                ip46 rule add lookup main suppress_prefixlength 0
               fi
             '';
           })
@@ -185,11 +207,12 @@ in
         networking = {
           wireguard = {
             enable = true;
+            type = "amneziawg";
             interfaces.${cfg.interface} = with cfg.server; {
               privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
               ips = [
-                "${ipv4.address}/16"
                 "${ipv6.address}/16"
+                "${ipv4.address}/16"
               ];
               listenPort = port;
               inherit peers;
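Review bot: The server interface is switched to `type = "amneziawg"` with no AmneziaWG parameters, so it runs on the defaults, and nothing says that this is deliberate; a comment such as `# Defaults keep this wire-compatible with stock WireGuard peers; setting S1/S2/H1-H4 here requires rolling the same values to every client` would stop a later change from silently locking peers out. The client side only sets Jc/Jmin/Jmax, so the two ends agree today, but no check keeps them aligned. The unchanged `ips` entry gives the IPv6 address a `/16` prefix, which looks copied from the IPv4 entry and is worth a second look. The interface attribute set continues past the end of the hunk.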
