wireguard/home: Switch to systemd-networkd
This commit is contained in:
parent
642d97cb52
commit
4d93272cb0
|
@ -1,6 +1,7 @@
|
|||
{ lib, config, machines, pkgs, ... }:
|
||||
let
|
||||
serverHostName = "vueko";
|
||||
serverPort = 51820;
|
||||
peers = {
|
||||
hitagi = {
|
||||
address = "10.80.0.5";
|
||||
|
@ -45,22 +46,34 @@ in
|
|||
|
||||
config = lib.mkIf cfg.enable {
|
||||
sops.secrets.wg-home-private-key = {
|
||||
owner = config.users.users.systemd-network.name;
|
||||
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
|
||||
};
|
||||
|
||||
sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;
|
||||
|
||||
networking.wireguard.interfaces.wg-home = {
|
||||
privateKeyFile = config.sops.secrets.wg-home-private-key.path;
|
||||
ips = [ "${cfg.address}/24" ];
|
||||
listenPort = if enableServer then 51820 else null;
|
||||
peers =
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
netdevs = {
|
||||
wg-home = {
|
||||
netdevConfig = {
|
||||
Kind = "wireguard";
|
||||
Name = "wg-home";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = config.sops.secrets.wg-home-private-key.path;
|
||||
} // (lib.optionalAttrs enableServer {
|
||||
ListenPort = serverPort;
|
||||
});
|
||||
wireguardPeers =
|
||||
if enableServer
|
||||
then
|
||||
map
|
||||
(peerConfig: with peerConfig; {
|
||||
allowedIPs = [ "${address}/32" ];
|
||||
inherit publicKey;
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = publicKey;
|
||||
AllowedIPs = [ "${address}/32" ];
|
||||
};
|
||||
})
|
||||
(lib.attrValues
|
||||
(lib.filterAttrs
|
||||
|
@ -68,27 +81,36 @@ in
|
|||
peers))
|
||||
else [
|
||||
{
|
||||
allowedIPs = [ "10.80.0.0/24" ];
|
||||
publicKey = peers."${serverHostName}".publicKey;
|
||||
#endpoint = "${serverHostName}.sbruder.de:51820"; # not possible because sadly not all devices have IPv6 connectivity
|
||||
endpoint = "195.201.139.15:51820";
|
||||
persistentKeepalive = 25;
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = peers."${serverHostName}".publicKey;
|
||||
AllowedIPs = [ "10.80.0.0/24" ];
|
||||
#Endpoint = "${serverHostName}.sbruder.de:${toString serverPort}"; # not possible because sadly not all devices have IPv6 connectivity
|
||||
Endpoint = "195.201.139.15:${toString serverPort}";
|
||||
PersistentKeepalive = 25;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
wg-home = {
|
||||
name = "wg-home";
|
||||
address = lib.singleton "${config.sbruder.wireguard.home.address}/24";
|
||||
networkConfig = lib.optionalAttrs enableServer {
|
||||
IPForward = "ipv4";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
trustedInterfaces = [ "wg-home" ];
|
||||
allowedUDPPorts = lib.optionals enableServer [
|
||||
51820
|
||||
serverPort
|
||||
53
|
||||
];
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = lib.optionalAttrs enableServer {
|
||||
"net.ipv4.ip_forward" = lib.mkOverride 999 1;
|
||||
};
|
||||
|
||||
services.bind = lib.mkIf enableServer {
|
||||
enable = true;
|
||||
zones = lib.singleton {
|
||||
|
|
Loading…
Reference in a new issue