nixos-config/modules/wireguard/home.nix

156 lines
4.5 KiB
Nix
Raw Normal View History

# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, config, pkgs, ... }:
2020-12-05 14:39:36 +01:00
let
serverHostName = "vueko";
serverPort = 51820;
2023-05-06 10:55:04 +02:00
subnet = "10.80.0.0/24";
peers = {
2022-12-30 19:52:58 +01:00
hitagi = {
address = "10.80.0.5";
publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
};
vueko = {
address = "10.80.0.6";
publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
};
fuuko = {
address = "10.80.0.7";
publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
};
2021-09-30 07:32:03 +02:00
mayushii = {
address = "10.80.0.9";
publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg=";
};
2022-03-23 15:03:08 +01:00
renge = {
2023-12-31 12:54:51 +01:00
address = "10.80.0.15";
publicKey = "/kdCL7MZxuXaEjnN5s5j5GaVlufIeJ890r9xPZbsElQ=";
2022-03-23 15:03:08 +01:00
};
2022-06-09 17:38:24 +02:00
nunotaba = {
address = "10.80.0.4";
publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
};
2023-05-06 10:54:03 +02:00
okarin = {
address = "10.80.0.14";
publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
2023-05-06 10:54:03 +02:00
};
2023-07-01 12:37:12 +02:00
shinobu = {
address = "10.80.0.12";
publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";
};
2023-10-04 15:15:54 +02:00
nazuna = {
address = "10.80.0.13";
publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
};
2024-01-02 23:26:46 +01:00
yuzuru = {
address = "10.80.0.16";
publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
};
2024-05-11 21:14:17 +02:00
koyomi = {
address = "10.80.0.17";
publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
};
2024-05-18 15:48:01 +02:00
hiroshi = {
address = "10.80.0.18";
publicKey = "eXbRmOcRRJpcgGb0Ztuw6t83K6QKtd+exWTbKCjmXQw=";
};
};
2020-12-05 14:39:36 +01:00
cfg = config.sbruder.wireguard.home;
enableServer = config.networking.hostName == serverHostName;
2020-12-05 14:39:36 +01:00
in
2020-08-22 17:44:39 +02:00
{
2020-12-05 14:39:36 +01:00
options = {
sbruder.wireguard.home = {
enable = lib.mkEnableOption "WireGuard tunnel wg-home";
address = lib.mkOption {
type = lib.types.str;
visible = false;
readOnly = true;
2020-12-05 14:39:36 +01:00
};
2023-05-06 10:55:04 +02:00
subnet = lib.mkOption {
type = lib.types.str;
visible = false;
readOnly = true;
};
2020-08-22 17:44:39 +02:00
};
};
2020-12-05 14:39:36 +01:00
2021-01-06 13:09:29 +01:00
config = lib.mkIf cfg.enable {
sops.secrets.wg-home-private-key = {
owner = config.users.users.systemd-network.name;
2021-05-01 13:16:14 +02:00
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
};
2021-01-06 13:09:29 +01:00
2023-05-06 10:55:04 +02:00
sbruder.wireguard.home = {
address = peers."${config.networking.hostName}".address;
inherit subnet;
};
systemd.network = {
enable = true;
netdevs = {
wg-home = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-home";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-home-private-key.path;
} // (lib.optionalAttrs enableServer {
ListenPort = serverPort;
});
wireguardPeers =
if enableServer
then
map
(peerConfig: with peerConfig; {
PublicKey = publicKey;
AllowedIPs = [ "${address}/32" ];
})
(lib.attrValues
(lib.filterAttrs
(n: v: n != config.networking.hostName)
peers))
else [
{
PublicKey = peers."${serverHostName}".publicKey;
AllowedIPs = [ subnet ];
#Endpoint = "${serverHostName}.sbruder.de:${toString serverPort}"; # not possible because sadly not all devices have IPv6 connectivity
Endpoint = "168.119.176.53:${toString serverPort}";
PersistentKeepalive = 25;
}
];
};
};
networks = {
wg-home = {
name = "wg-home";
address = lib.singleton "${config.sbruder.wireguard.home.address}/24";
networkConfig = lib.optionalAttrs enableServer {
IPv4Forwarding = true;
};
};
};
2021-01-06 13:09:29 +01:00
};
networking.firewall = {
trustedInterfaces = [ "wg-home" ];
2023-10-23 23:23:37 +02:00
allowedUDPPorts = lib.optional enableServer serverPort;
};
2023-10-23 23:23:37 +02:00
sbruder.knot.generated-zones."vpn.sbruder.de" = pkgs.writeText "vpn.sbruder.de.zone" (''
; having $ORIGIN set here fails
@ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. 1 86400 10800 3600000 3600
@ IN NS ${serverHostName}.sbruder.de.
'' + lib.concatStrings
(lib.mapAttrsToList
(peer: peerConfig: ''
${peer} IN A ${peerConfig.address}
'')
peers));
2020-12-05 14:39:36 +01:00
};
2020-08-22 17:44:39 +02:00
}