nixos-config/modules/wireguard/home.nix

{ lib, config, ... }:
let
  serverHostName = "vueko";
  peers = {
    issei = {
      address = "10.80.0.1";
      publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
    };
    nunotaba = {
      address = "10.80.0.4";
      publicKey = "DvR8mUkll4uyYhNcX82caMkbcw0Lykg8zDzm/3PD5jw=";
    };
    sayuri = {
      address = "10.80.0.5";
      publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
    };
    vueko = {
      address = "10.80.0.6";
      publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
    };
    fuuko = {
      address = "10.80.0.7";
      publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
    };
  };

  cfg = config.sbruder.wireguard.home;
  enableServer = config.networking.hostName == serverHostName;
in
{
  options = {
    sbruder.wireguard.home = {
      enable = lib.mkEnableOption "WireGuard tunnel wg-home";
      address = lib.mkOption {
        type = lib.types.str;
        visible = false;
        readOnly = true;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    krops.secrets.wg-home-private-key = { };

    sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;

    networking.wireguard.interfaces.wg-home = {
      privateKeyFile = config.krops.secrets.wg-home-private-key.path;
      ips = [ "${cfg.address}/24" ];
      listenPort = if enableServer then 51820 else null;
      peers =
        if enableServer
        then
          map
            (peerConfig: with peerConfig; {
              allowedIPs = [ "${address}/32" ];
              inherit publicKey;
            })
            (lib.attrValues
              (lib.filterAttrs
                (n: v: n != config.networking.hostName)
                peers))
        else [
          {
            allowedIPs = [ "10.80.0.0/24" ];
            publicKey = peers."${serverHostName}".publicKey;
            endpoint = "${serverHostName}.sbruder.de:51820";
            persistentKeepalive = 25;
          }
        ];
    };

    networking.firewall = {
      trustedInterfaces = [ "wg-home" ];
      allowedUDPPorts = lib.optional enableServer 51820;
    };

    boot.kernel.sysctl = lib.optionalAttrs enableServer {
      "net.ipv4.ip_forward" = 1;
    };
  };
}
Parameterise wireguard 2020-12-05 14:39:36 +01:00			`{ lib, config, ... }:`
			`let`
wireguard/home: Make vueko central server This also restructures the wireguard/home configuration, since now better peer management is possible. 2021-02-20 19:03:40 +01:00			`serverHostName = "vueko";`
			`peers = {`
			`issei = {`
			`address = "10.80.0.1";`
			`publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";`
			`};`
			`nunotaba = {`
			`address = "10.80.0.4";`
			`publicKey = "DvR8mUkll4uyYhNcX82caMkbcw0Lykg8zDzm/3PD5jw=";`
			`};`
			`sayuri = {`
			`address = "10.80.0.5";`
			`publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";`
			`};`
			`vueko = {`
			`address = "10.80.0.6";`
			`publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";`
			`};`
			`fuuko = {`
			`address = "10.80.0.7";`
			`publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";`
			`};`
			`};`

Parameterise wireguard 2020-12-05 14:39:36 +01:00			`cfg = config.sbruder.wireguard.home;`
wireguard/home: Make vueko central server This also restructures the wireguard/home configuration, since now better peer management is possible. 2021-02-20 19:03:40 +01:00			`enableServer = config.networking.hostName == serverHostName;`
Parameterise wireguard 2020-12-05 14:39:36 +01:00			`in`
Initial commit 2020-08-22 17:44:39 +02:00			`{`
Parameterise wireguard 2020-12-05 14:39:36 +01:00			`options = {`
			`sbruder.wireguard.home = {`
			`enable = lib.mkEnableOption "WireGuard tunnel wg-home";`
			`address = lib.mkOption {`
			`type = lib.types.str;`
wireguard/home: Make vueko central server This also restructures the wireguard/home configuration, since now better peer management is possible. 2021-02-20 19:03:40 +01:00			`visible = false;`
			`readOnly = true;`
Parameterise wireguard 2020-12-05 14:39:36 +01:00			`};`
Initial commit 2020-08-22 17:44:39 +02:00			`};`
			`};`
Parameterise wireguard 2020-12-05 14:39:36 +01:00
Overhaul secrets management 2021-01-06 13:09:29 +01:00			`config = lib.mkIf cfg.enable {`
			`krops.secrets.wg-home-private-key = { };`

wireguard/home: Make vueko central server This also restructures the wireguard/home configuration, since now better peer management is possible. 2021-02-20 19:03:40 +01:00			`sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;`

Overhaul secrets management 2021-01-06 13:09:29 +01:00			`networking.wireguard.interfaces.wg-home = {`
			`privateKeyFile = config.krops.secrets.wg-home-private-key.path;`
			`ips = [ "${cfg.address}/24" ];`
wireguard/home: Make vueko central server This also restructures the wireguard/home configuration, since now better peer management is possible. 2021-02-20 19:03:40 +01:00			`listenPort = if enableServer then 51820 else null;`
			`peers =`
			`if enableServer`
			`then`
			`map`
			`(peerConfig: with peerConfig; {`
			`allowedIPs = [ "${address}/32" ];`
			`inherit publicKey;`
			`})`
			`(lib.attrValues`
			`(lib.filterAttrs`
			`(n: v: n != config.networking.hostName)`
			`peers))`
			`else [`
			`{`
			`allowedIPs = [ "10.80.0.0/24" ];`
			`publicKey = peers."${serverHostName}".publicKey;`
			`endpoint = "${serverHostName}.sbruder.de:51820";`
			`persistentKeepalive = 25;`
			`}`
			`];`
Overhaul secrets management 2021-01-06 13:09:29 +01:00			`};`
firewall: Trust wg-home Fixes regression introduced in 126a0dad4b81f1204de31411d70e50b0b6190614. 2021-01-18 00:05:18 +01:00
wireguard/home: Make vueko central server This also restructures the wireguard/home configuration, since now better peer management is possible. 2021-02-20 19:03:40 +01:00			`networking.firewall = {`
			`trustedInterfaces = [ "wg-home" ];`
			`allowedUDPPorts = lib.optional enableServer 51820;`
			`};`

			`boot.kernel.sysctl = lib.optionalAttrs enableServer {`
			`"net.ipv4.ip_forward" = 1;`
			`};`
Parameterise wireguard 2020-12-05 14:39:36 +01:00			`};`
Initial commit 2020-08-22 17:44:39 +02:00			`}`