diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix index f3920cf..dd37c36 100644 --- a/modules/wireguard/home.nix +++ b/modules/wireguard/home.nix @@ -1,6 +1,7 @@ { lib, config, machines, pkgs, ... }: let serverHostName = "vueko"; + serverPort = 51820; peers = { hitagi = { address = "10.80.0.5"; @@ -45,50 +46,71 @@ in config = lib.mkIf cfg.enable { sops.secrets.wg-home-private-key = { + owner = config.users.users.systemd-network.name; sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml"; }; sbruder.wireguard.home.address = peers."${config.networking.hostName}".address; - networking.wireguard.interfaces.wg-home = { - privateKeyFile = config.sops.secrets.wg-home-private-key.path; - ips = [ "${cfg.address}/24" ]; - listenPort = if enableServer then 51820 else null; - peers = - if enableServer - then - map - (peerConfig: with peerConfig; { - allowedIPs = [ "${address}/32" ]; - inherit publicKey; - }) - (lib.attrValues - (lib.filterAttrs - (n: v: n != config.networking.hostName) - peers)) - else [ - { - allowedIPs = [ "10.80.0.0/24" ]; - publicKey = peers."${serverHostName}".publicKey; - #endpoint = "${serverHostName}.sbruder.de:51820"; # not possible because sadly not all devices have IPv6 connectivity - endpoint = "195.201.139.15:51820"; - persistentKeepalive = 25; - } - ]; + systemd.network = { + enable = true; + netdevs = { + wg-home = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg-home"; + }; + wireguardConfig = { + PrivateKeyFile = config.sops.secrets.wg-home-private-key.path; + } // (lib.optionalAttrs enableServer { + ListenPort = serverPort; + }); + wireguardPeers = + if enableServer + then + map + (peerConfig: with peerConfig; { + wireguardPeerConfig = { + PublicKey = publicKey; + AllowedIPs = [ "${address}/32" ]; + }; + }) + (lib.attrValues + (lib.filterAttrs + (n: v: n != config.networking.hostName) + peers)) + else [ + { + wireguardPeerConfig = { + PublicKey = peers."${serverHostName}".publicKey; + AllowedIPs = [ "10.80.0.0/24" ]; + #Endpoint = "${serverHostName}.sbruder.de:${toString serverPort}"; # not possible because sadly not all devices have IPv6 connectivity + Endpoint = "195.201.139.15:${toString serverPort}"; + PersistentKeepalive = 25; + }; + } + ]; + }; + }; + networks = { + wg-home = { + name = "wg-home"; + address = lib.singleton "${config.sbruder.wireguard.home.address}/24"; + networkConfig = lib.optionalAttrs enableServer { + IPForward = "ipv4"; + }; + }; + }; }; networking.firewall = { trustedInterfaces = [ "wg-home" ]; allowedUDPPorts = lib.optionals enableServer [ - 51820 + serverPort 53 ]; }; - boot.kernel.sysctl = lib.optionalAttrs enableServer { - "net.ipv4.ip_forward" = lib.mkOverride 999 1; - }; - services.bind = lib.mkIf enableServer { enable = true; zones = lib.singleton {