{ config, inputs, lib, pkgs, this, ... }: let cfg = config.nixfiles.modules.wireguard; DNSSetup = lib.optionalString config.services.resolved.enable ( let resolvectl = "${config.systemd.package}/bin/resolvectl"; in '' ${resolvectl} dns ${cfg.interface} ${cfg.server.ipv6.address} ${cfg.server.ipv4.address} ${resolvectl} domain ${cfg.interface} local ${lib.my.domain.shire} ${resolvectl} dnssec ${cfg.interface} no ${resolvectl} dnsovertls ${cfg.interface} no '' ); extraOptions = { jc = 23; jmin = 58; jmax = 1021; s1 = 49; s2 = 87; h1 = 1264154357; h2 = 462401493; h3 = 737329836; h4 = 1039929807; }; in { disabledModules = [ "services/networking/wg-quick.nix" "services/networking/wireguard.nix" ]; imports = [ "${inputs.nixpkgs-amneziawg}/nixos/modules/services/networking/wg-quick.nix" "${inputs.nixpkgs-amneziawg}/nixos/modules/services/networking/wireguard.nix" ]; options.nixfiles.modules.wireguard = { client = { enable = lib.mkEnableOption "WireGuard client"; enableTrafficRouting = lib.mkOption { description = "Whether to enable traffic routing through the sever."; type = lib.types.bool; default = !this.isHeadless; }; }; server = { enable = lib.mkEnableOption "WireGuard server"; ipv4.address = lib.mkOption { description = "IPv4 address to bind to."; type = lib.types.str; default = lib.my.configurations.manwe.wireguard.ipv4.address; }; ipv6.address = lib.mkOption { description = "IPv4 address to bind to."; type = lib.types.str; default = lib.my.configurations.manwe.wireguard.ipv6.address; }; address = lib.mkOption { description = "Endpoint address to use"; type = lib.types.str; default = lib.my.configurations.manwe.ipv4.address; }; port = lib.mkOption { description = "Endpoint port to use."; type = lib.types.int; default = 6969; }; publicKey = lib.mkOption { description = "Server's public key."; type = lib.types.str; default = lib.my.configurations.manwe.wireguard.publicKey; }; peers = lib.mkOption { description = "List of peers."; type = with lib.types; listOf attrs; default = lib.my.configurations |> lib.filterAttrs (_: v: v.hostname != this.hostname && lib.hasAttr "wireguard" v) |> lib.mapAttrsToList ( _: v: { inherit (v.wireguard) publicKey; allowedIPs = with v.wireguard; [ "${ipv6.address}/128" "${ipv4.address}/32" ]; } ); }; }; interface = lib.mkOption { description = "Name of the interface to use WireGuard with."; type = lib.types.str; default = "wg69"; }; ipv4.subnet = lib.mkOption { description = "CIDR notation for the IPv4 subnet to use over WireGuard."; type = lib.types.str; default = "10.69.0.0/16"; }; ipv6.subnet = lib.mkOption { description = "CIDR notation for the IPv6 subnet to use over WireGuard."; type = lib.types.str; default = "fd69::/16"; }; }; config = { assertions = [ { assertion = config.security.sudo.enable; message = "Sudo is not enabled."; } { assertion = lib.any (x: x == "wheel") config.my.extraGroups; message = ''User is not in the "wheel" group.''; } ]; } // lib.mkMerge [ (lib.mkIf (cfg.client.enable || cfg.server.enable) { secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; networking.firewall.trustedInterfaces = [ cfg.interface ]; topology = { nodes.${this.hostname}.interfaces.${cfg.interface} = { network = cfg.interface; icon = "interfaces.wireguard"; }; }; }) (lib.mkIf cfg.client.enable { networking.wg-quick.interfaces.${cfg.interface} = lib.mkMerge [ (with this.wireguard; { type = "amneziawg"; privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; address = [ "${ipv4.address}/16" "${ipv6.address}/16" ]; inherit extraOptions; }) (with cfg.server; { peers = [ { inherit publicKey; endpoint = "${address}:${port |> toString}"; allowedIPs = if cfg.client.enableTrafficRouting then [ "::/0" "0.0.0.0/0" ] else [ cfg.ipv6.subnet cfg.ipv4.subnet ]; } ]; dns = [ ipv6.address ipv4.address ]; postUp = DNSSetup; }) ]; environment.systemPackages = with pkgs; [ (writeShellApplication { name = "wg-toggle"; runtimeInputs = [ amneziawg-tools iproute2 jq ]; text = '' ip46() { sudo ip -4 "$@" sudo ip -6 "$@" } fwmark=$(sudo awg show ${cfg.interface} fwmark) || exit if ip -j rule list lookup "$fwmark" | jq -e 'length > 0' >/dev/null; then ip46 rule del lookup main suppress_prefixlength 0 ip46 rule del lookup "$fwmark" else ip46 rule add not fwmark "$fwmark" lookup "$fwmark" ip46 rule add lookup main suppress_prefixlength 0 fi ''; }) ]; }) (lib.mkIf cfg.server.enable { networking = { wireguard = { enable = true; type = "amneziawg"; interfaces.${cfg.interface} = with cfg.server; { privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; ips = [ "${ipv6.address}/16" "${ipv4.address}/16" ]; listenPort = port; inherit peers extraOptions; postSetup = DNSSetup; allowedIPsAsRoutes = false; }; }; nat = { enable = true; enableIPv6 = true; externalInterface = lib.mkDefault "eth0"; internalInterfaces = [ cfg.interface ]; internalIPs = [ cfg.ipv4.subnet ]; internalIPv6s = [ cfg.ipv6.subnet ]; }; firewall.allowedUDPPorts = [ cfg.server.port ]; }; services.prometheus.exporters.wireguard = { enable = false; # TODO Doesn't work with amneziawg-tools. listenAddress = lib.mkDefault this.wireguard.ipv4.address; withRemoteIp = true; port = 9586; }; topology = { networks.${cfg.interface} = { name = cfg.interface; cidrv4 = cfg.ipv4.subnet; cidrv6 = cfg.ipv6.subnet; icon = "interfaces.wireguard"; style.pattern = "dotted"; }; nodes.${this.hostname}.interfaces.${cfg.interface} = { network = cfg.interface; physicalConnections = lib.my.configurations |> lib.filterAttrs (n: v: !v.isOther && n != this.hostname && lib.hasAttr "wireguard" v) |> lib.mapAttrsToList (n: _: config.lib.topology.mkConnection n cfg.interface); }; }; }) ]; }