nixos-config/modules/wireguard/he.nix

# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ lib, config, ... }:
let
  serverHostName = "yuzuru";
  serverPort = 51820;
  peers = {
    yuzuru = {
      subnets = [ ];
      publicKey = "mWm92aZybisoLtd11g4XqwUZvQGVxMfPW9/za3/1/0Y=";
    };
    shinobu = {
      subnets = [ "2001:470:73b9::/56" ];
      publicKey = "c8lnzMWFeTzQmXwNV0DlD2ROJqBcDL0F9WN5u4lVeFQ=";
    };
  };

  cfg = config.sbruder.wireguard.he;
  enableServer = config.networking.hostName == serverHostName;
in
{
  options.sbruder.wireguard.he.enable = lib.mkEnableOption "WireGuard tunnel wg-he";

  config = lib.mkIf cfg.enable {
    sops.secrets.wg-he-private-key = {
      owner = config.users.users.systemd-network.name;
      sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
    };

    systemd.network = {
      enable = true;
      netdevs = {
        wg-he = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg-he";
          };
          wireguardConfig = {
            PrivateKeyFile = config.sops.secrets.wg-he-private-key.path;
          } // (lib.optionalAttrs enableServer {
            ListenPort = serverPort;
          });
          wireguardPeers =
            if enableServer
            then
              map
                ({ publicKey, subnets }: {
                  wireguardPeerConfig = {
                    PublicKey = publicKey;
                    AllowedIPs = subnets;
                  };
                })
                (lib.attrValues
                  (lib.filterAttrs
                    (n: v: n != config.networking.hostName)
                    peers))
            else
              lib.singleton {
                wireguardPeerConfig = {
                  PublicKey = peers."${serverHostName}".publicKey;
                  AllowedIPs = "::/0";
                  Endpoint = "85.215.73.203:${toString serverPort}";
                  PersistentKeepalive = 25;
                };
              };
        };
      } // (lib.optionalAttrs enableServer {
        he = {
          netdevConfig = {
            Name = "he";
            Kind = "sit";
            MTUBytes = "1480";
          };
          tunnelConfig = {
            Remote = "216.66.80.30"; # tserv1.fra1.he.net
            Local = "85.215.73.203";
            TTL = 255;
          };
        };
      });
      networks = {
        wg-he = {
          name = "wg-he";
          networkConfig = lib.optionalAttrs enableServer {
            IPForward = "ipv6";
          };
          routes = lib.singleton {
            routeConfig.Destination = "2001:470:73b9::/48";
          };
        };
      } // (lib.optionalAttrs enableServer {
        he = {
          name = "he";
          address = lib.singleton "2001:470:1f0a:5db::2/64";
          gateway = lib.singleton "2001:470:1f0a:5db::1";
          routingPolicyRules = lib.singleton {
            routingPolicyRuleConfig = {
              From = "2001:470:73b9::/48";
              Table = "0x73b9";
            };
          };
          routes = lib.singleton {
            routeConfig = {
              Gateway = "2001:470:1f0a:5db::1";
              Table = "0x73b9";
            };
          };
        };
        # FIXME interface name is hardcoded
        eth0 = {
          networkConfig.Tunnel = "he";
        };
      });
    };

    networking.firewall.allowedUDPPorts = lib.optional enableServer serverPort;
  };
}
Connect home network with IPv6 addresses It adds a bit of latency (and is definitely not the best solution in theory), but finally allows dropping IPv6 NAT and it works within the constraits my home network has to live in. 2024-08-27 00:13:25 +02:00			`# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>`
			`#`
			`# SPDX-License-Identifier: AGPL-3.0-or-later`

			`{ lib, config, ... }:`
			`let`
			`serverHostName = "yuzuru";`
			`serverPort = 51820;`
			`peers = {`
			`yuzuru = {`
			`subnets = [ ];`
			`publicKey = "mWm92aZybisoLtd11g4XqwUZvQGVxMfPW9/za3/1/0Y=";`
			`};`
			`shinobu = {`
			`subnets = [ "2001:470:73b9::/56" ];`
			`publicKey = "c8lnzMWFeTzQmXwNV0DlD2ROJqBcDL0F9WN5u4lVeFQ=";`
			`};`
			`};`

			`cfg = config.sbruder.wireguard.he;`
			`enableServer = config.networking.hostName == serverHostName;`
			`in`
			`{`
			`options.sbruder.wireguard.he.enable = lib.mkEnableOption "WireGuard tunnel wg-he";`

			`config = lib.mkIf cfg.enable {`
			`sops.secrets.wg-he-private-key = {`
			`owner = config.users.users.systemd-network.name;`
			`sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";`
			`};`

			`systemd.network = {`
			`enable = true;`
			`netdevs = {`
			`wg-he = {`
			`netdevConfig = {`
			`Kind = "wireguard";`
			`Name = "wg-he";`
			`};`
			`wireguardConfig = {`
			`PrivateKeyFile = config.sops.secrets.wg-he-private-key.path;`
			`} // (lib.optionalAttrs enableServer {`
			`ListenPort = serverPort;`
			`});`
			`wireguardPeers =`
			`if enableServer`
			`then`
			`map`
			`({ publicKey, subnets }: {`
			`wireguardPeerConfig = {`
			`PublicKey = publicKey;`
			`AllowedIPs = subnets;`
			`};`
			`})`
			`(lib.attrValues`
			`(lib.filterAttrs`
			`(n: v: n != config.networking.hostName)`
			`peers))`
			`else`
			`lib.singleton {`
			`wireguardPeerConfig = {`
			`PublicKey = peers."${serverHostName}".publicKey;`
			`AllowedIPs = "::/0";`
			`Endpoint = "85.215.73.203:${toString serverPort}";`
			`PersistentKeepalive = 25;`
			`};`
			`};`
			`};`
			`} // (lib.optionalAttrs enableServer {`
			`he = {`
			`netdevConfig = {`
			`Name = "he";`
			`Kind = "sit";`
			`MTUBytes = "1480";`
			`};`
			`tunnelConfig = {`
			`Remote = "216.66.80.30"; # tserv1.fra1.he.net`
			`Local = "85.215.73.203";`
			`TTL = 255;`
			`};`
			`};`
			`});`
			`networks = {`
			`wg-he = {`
			`name = "wg-he";`
			`networkConfig = lib.optionalAttrs enableServer {`
			`IPForward = "ipv6";`
			`};`
			`routes = lib.singleton {`
			`routeConfig.Destination = "2001:470:73b9::/48";`
			`};`
			`};`
			`} // (lib.optionalAttrs enableServer {`
			`he = {`
			`name = "he";`
			`address = lib.singleton "2001:470:1f0a:5db::2/64";`
			`gateway = lib.singleton "2001:470:1f0a:5db::1";`
			`routingPolicyRules = lib.singleton {`
			`routingPolicyRuleConfig = {`
			`From = "2001:470:73b9::/48";`
			`Table = "0x73b9";`
			`};`
			`};`
			`routes = lib.singleton {`
			`routeConfig = {`
			`Gateway = "2001:470:1f0a:5db::1";`
			`Table = "0x73b9";`
			`};`
			`};`
			`};`
			`# FIXME interface name is hardcoded`
			`eth0 = {`
			`networkConfig.Tunnel = "he";`
			`};`
			`});`
			`};`

			`networking.firewall.allowedUDPPorts = lib.optional enableServer serverPort;`
			`};`
			`}`