nixos-config/modules/wireguard/support.nix

# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ lib, config, pkgs, ... }:
let
  serverHostName = "vueko";
  port = 51821;
  peers = {
    # Key of the server.
    vueko = {
      address = "10.80.16.1";
      publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";
    };
    # Key for all of my hosts. One is enough, because it is only activated on demand.
    simon = {
      address = "10.80.16.2";
      publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";
    };
    # Keys for all hosts that are supported.
    jane = {
      address = "10.80.16.3";
      publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";
    };
  };
in
{
  config = lib.mkIf (config.networking.hostName == serverHostName) {
    sops.secrets.wg-support-private-key = {
      sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
    };

    networking.wireguard.interfaces.wg-support = {
      privateKeyFile = config.sops.secrets.wg-support-private-key.path;
      ips = [ "${peers.${serverHostName}.address}/24" ];
      listenPort = port;
      peers = map
        (peerConfig: with peerConfig; {
          allowedIPs = [ "${address}/32" ];
          inherit publicKey;
        })
        (lib.attrValues
          (lib.filterAttrs
            (n: v: n != serverHostName)
            peers));
    };

    networking.firewall.allowedUDPPorts = [
      port
      53
    ];

    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = lib.mkOverride 998 1;
    };
  };
}
Relicense This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually. 2024-01-06 01:19:35 +01:00			`# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>`
			`#`
			`# SPDX-License-Identifier: AGPL-3.0-or-later`

wireguard/support: Init 2023-02-24 22:41:15 +01:00			`{ lib, config, pkgs, ... }:`
			`let`
			`serverHostName = "vueko";`
			`port = 51821;`
			`peers = {`
			`# Key of the server.`
			`vueko = {`
			`address = "10.80.16.1";`
			`publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";`
			`};`
			`# Key for all of my hosts. One is enough, because it is only activated on demand.`
			`simon = {`
			`address = "10.80.16.2";`
			`publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";`
			`};`
			`# Keys for all hosts that are supported.`
			`jane = {`
			`address = "10.80.16.3";`
			`publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";`
			`};`
			`};`
			`in`
			`{`
			`config = lib.mkIf (config.networking.hostName == serverHostName) {`
			`sops.secrets.wg-support-private-key = {`
			`sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";`
			`};`

			`networking.wireguard.interfaces.wg-support = {`
			`privateKeyFile = config.sops.secrets.wg-support-private-key.path;`
			`ips = [ "${peers.${serverHostName}.address}/24" ];`
			`listenPort = port;`
			`peers = map`
			`(peerConfig: with peerConfig; {`
			`allowedIPs = [ "${address}/32" ];`
			`inherit publicKey;`
			`})`
			`(lib.attrValues`
			`(lib.filterAttrs`
			`(n: v: n != serverHostName)`
			`peers));`
			`};`

			`networking.firewall.allowedUDPPorts = [`
			`port`
			`53`
			`];`

			`boot.kernel.sysctl = {`
			`"net.ipv4.ip_forward" = lib.mkOverride 998 1;`
			`};`
			`};`
			`}`