simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity

wireguard/home: Switch to systemd-networkd

Browse source
This commit is contained in:
Simon Bruder 2023-04-07 14:14:31 +02:00
parent 642d97cb52
commit 4d93272cb0
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
1 changed files with 52 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
modules/wireguard/home.nix
View file

@ -1,6 +1,7 @@
{ lib, config, machines, pkgs, ... }: { lib, config, machines, pkgs, ... }:
let let
serverHostName = "vueko"; serverHostName = "vueko";
serverPort = 51820;
peers = { peers = {
hitagi = { hitagi = {
address = "10.80.0.5"; address = "10.80.0.5";
@ -45,22 +46,34 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets.wg-home-private-key = { sops.secrets.wg-home-private-key = {
owner = config.users.users.systemd-network.name;
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml"; sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
}; };
sbruder.wireguard.home.address = peers."${config.networking.hostName}".address; sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;
networking.wireguard.interfaces.wg-home = { systemd.network = {
privateKeyFile = config.sops.secrets.wg-home-private-key.path; enable = true;
ips = [ "${cfg.address}/24" ]; netdevs = {
listenPort = if enableServer then 51820 else null; wg-home = {
peers = netdevConfig = {
Kind = "wireguard";
Name = "wg-home";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-home-private-key.path;
} // (lib.optionalAttrs enableServer {
ListenPort = serverPort;
});
wireguardPeers =
if enableServer if enableServer
then then
map map
(peerConfig: with peerConfig; { (peerConfig: with peerConfig; {
allowedIPs = [ "${address}/32" ]; wireguardPeerConfig = {
inherit publicKey; PublicKey = publicKey;
AllowedIPs = [ "${address}/32" ];
};
}) })
(lib.attrValues (lib.attrValues
(lib.filterAttrs (lib.filterAttrs
@ -68,27 +81,36 @@ in
peers)) peers))
else [ else [
{ {
allowedIPs = [ "10.80.0.0/24" ]; wireguardPeerConfig = {
publicKey = peers."${serverHostName}".publicKey; PublicKey = peers."${serverHostName}".publicKey;
#endpoint = "${serverHostName}.sbruder.de:51820"; # not possible because sadly not all devices have IPv6 connectivity AllowedIPs = [ "10.80.0.0/24" ];
endpoint = "195.201.139.15:51820"; #Endpoint = "${serverHostName}.sbruder.de:${toString serverPort}"; # not possible because sadly not all devices have IPv6 connectivity
persistentKeepalive = 25; Endpoint = "195.201.139.15:${toString serverPort}";
PersistentKeepalive = 25;
};
} }
]; ];
}; };
};
networks = {
wg-home = {
name = "wg-home";
address = lib.singleton "${config.sbruder.wireguard.home.address}/24";
networkConfig = lib.optionalAttrs enableServer {
IPForward = "ipv4";
};
};
};
};
networking.firewall = { networking.firewall = {
trustedInterfaces = [ "wg-home" ]; trustedInterfaces = [ "wg-home" ];
allowedUDPPorts = lib.optionals enableServer [ allowedUDPPorts = lib.optionals enableServer [
51820 serverPort
53 53
]; ];
}; };
boot.kernel.sysctl = lib.optionalAttrs enableServer {
"net.ipv4.ip_forward" = lib.mkOverride 999 1;
};
services.bind = lib.mkIf enableServer { services.bind = lib.mkIf enableServer {
enable = true; enable = true;
zones = lib.singleton { zones = lib.singleton {