From c6c9929a090aa8022045514e09ecafd57a954c27 Mon Sep 17 00:00:00 2001 From: azahi Date: Thu, 10 Oct 2024 03:33:47 +0300 Subject: 2024-10-10 --- modules/wireguard.nix | 49 ++++++++++++++++++++++++++++++++++++------------- 1 file changed, 36 insertions(+), 13 deletions(-) (limited to 'modules/wireguard.nix') diff --git a/modules/wireguard.nix b/modules/wireguard.nix index f408731..8547f70 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -11,6 +11,15 @@ let cfg = config.nixfiles.modules.wireguard; in { + disabledModules = [ + "services/networking/wireguard.nix" + "services/networking/wg-quick.nix" + ]; + imports = [ + "${inputs.nixpkgs-amneziawg}/nixos/modules/services/networking/wireguard.nix" + "${inputs.nixpkgs-amneziawg}/nixos/modules/services/networking/wg-quick.nix" + ]; + options.nixfiles.modules.wireguard = { client = { enable = mkEnableOption "WireGuard client"; @@ -64,8 +73,8 @@ in _: attr: with attr; { inherit (wireguard) publicKey; allowedIPs = with wireguard; [ - "${ipv4.address}/32" "${ipv6.address}/128" + "${ipv4.address}/32" ]; } ) @@ -123,11 +132,17 @@ in (mkIf cfg.client.enable { networking.wg-quick.interfaces.${cfg.interface} = mkMerge [ (with this.wireguard; { + type = "amneziawg"; privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; address = [ "${ipv4.address}/16" "${ipv6.address}/16" ]; + extraInterfaceConfig = mkIf this.isHeadful '' + Jc = 4 + Jmin = 40 + Jmax = 70 + ''; }) (with cfg.server; { peers = [ 
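Review bot: The new `disabledModules`/`imports` pair swaps the upstream WireGuard and wg-quick modules for copies taken from a second nixpkgs tree, `inputs.nixpkgs-amneziawg`, without a comment saying why or what has to stay in sync. Because those fork modules now supply the whole `networking.wireguard` and `networking.wg-quick` option namespace for this host, any drift between that input's pin and the main nixpkgs pin (option renames, changed assertions) will surface here first; a comment such as `# AmneziaWG fork of the wireguard/wg-quick NixOS modules; keep inputs.nixpkgs-amneziawg pinned close to the main nixpkgs input` records the intent. From a supply-chain standpoint the same comment should note that the fork input, not nixpkgs, now provides the VPN modules, so its lock entry deserves the same review on updates as the main one.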
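Review bot: The `Jc = 4`, `Jmin = 40`, `Jmax = 70` values in the new `extraInterfaceConfig` are bare magic numbers with no comment on what they tune, and the server interface changed in the last hunk gets only `type = "amneziawg";` with no AmneziaWG parameters at all. As far as I understand the AmneziaWG config format, Jc/Jmin/Jmax only govern the junk packets a peer sends ahead of its own handshake and need not match the other side, whereas the S1/S2/H1–H4 header parameters would have to agree on both ends; none of those are set here, so the obfuscation in effect appears limited to the junk prefix, which is worth confirming is the intent. A short comment above the block, e.g. `# AmneziaWG junk packets sent before the handshake: count (Jc) and size range in bytes (Jmin..Jmax); headless hosts keep the plain handshake`, would make both the values and the `mkIf this.isHeadful` gate legible.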
@@ -137,21 +152,28 @@ in allowedIPs = if cfg.client.enableTrafficRouting then [ - "0.0.0.0/0" "::/0" + "0.0.0.0/0" ] else [ - cfg.ipv4.subnet cfg.ipv6.subnet + cfg.ipv4.subnet ]; - persistentKeepalive = 25; } ]; dns = [ - ipv4.address ipv6.address - ]; # This assumes that the host has Unbound running. + ipv4.address + ]; + postUp = + let + resolvectl = "${config.systemd.package}/bin/resolvectl"; + in + '' + ${resolvectl} dns ${cfg.interface} ${ipv6.address} ${ipv4.address} + ${resolvectl} domain ${cfg.interface} ${concatStringsSep " " (mapAttrsToList (_: v: v) my.domain)} + ''; }) ]; @@ -159,9 +181,9 @@ in (writeShellApplication { name = "wg-toggle"; runtimeInputs = [ + amneziawg-tools iproute2 jq - wireguard-tools ]; text = '' ip46() { @@ -169,13 +191,13 @@ in sudo ip -6 "$@" } - fwmark=$(sudo wg show ${cfg.interface} fwmark) || exit + fwmark=$(sudo awg show ${cfg.interface} fwmark) || exit if ip -j rule list lookup "$fwmark" | jq -e 'length > 0' >/dev/null; then - ip46 rule del lookup main suppress_prefixlength 0 - ip46 rule del lookup "$fwmark" + ip46 rule del lookup main suppress_prefixlength 0 + ip46 rule del lookup "$fwmark" else - ip46 rule add not fwmark "$fwmark" lookup "$fwmark" - ip46 rule add lookup main suppress_prefixlength 0 + ip46 rule add not fwmark "$fwmark" lookup "$fwmark" + ip46 rule add lookup main suppress_prefixlength 0 fi ''; }) @@ -185,11 +207,12 @@ in networking = { wireguard = { enable = true; + type = "amneziawg"; interfaces.${cfg.interface} = with cfg.server; { privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; ips = [ - "${ipv4.address}/16" "${ipv6.address}/16" + "${ipv4.address}/16" ]; listenPort = port; inherit peers; -- cgit 1.4.1
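Review bot: `persistentKeepalive = 25;` is dropped from the client's peer entry with nothing replacing it, and the commit message does not say why. For a client behind NAT or a stateful firewall the keepalive is what keeps the mapping open so that server-originated packets still arrive after an idle period; if the removal is deliberate, a comment such as `# no keepalive: clients reach the server on demand and are never dialled from it` should say so. Separately, the new `postUp` splices the `my.domain` values into a shell line unquoted via `mapAttrsToList (_: v: v)`; assuming `lib` is in scope the way `concatStringsSep` already is, `${escapeShellArgs (attrValues my.domain)}` expresses the same list and keeps the command well-formed should a value ever contain whitespace or shell metacharacters. The enclosing `mkIf cfg.client.enable` attribute set continues beyond the end of this hunk.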