From bab6c5e5dc36cd599919471bd8b1a2971a3e10d0 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Tue, 31 Aug 2021 11:20:06 +0200
Subject: [PATCH] wireguard/home: Use peer-to-peer connections if possible
---
 modules/wireguard/home.nix | 39 +++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index 1c3cc48..9977a93 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@@ -5,23 +5,28 @@ let
 nunotaba = {
 address = "10.80.0.4";
 publicKey = "DvR8mUkll4uyYhNcX82caMkbcw0Lykg8zDzm/3PD5jw=";
+ public = false;
 };
 sayuri = {
 address = "10.80.0.5";
 publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
+ public = false;
 };
 vueko = {
 address = "10.80.0.6";
 publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
+ public = false;
 };
 fuuko = {
 address = "10.80.0.7";
 publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
+ public = true;
 };
 };
 cfg = config.sbruder.wireguard.home;
 enableServer = config.networking.hostName == serverHostName;
+ isPublic = peers.${config.networking.hostName}.public; # publicly reachable
 in
 {
 options = {
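Review bot: `isPublic = peers.${config.networking.hostName}.public;` is a hard attribute access, so every peer entry must now carry an explicit `public = …` line and a host whose name is not a key of `peers` fails evaluation with a missing-attribute error instead of a meaningful message. Treating "not public" as the default would be less error-prone for future entries: `isPublic = peers.${config.networking.hostName}.public or false; # publicly reachable`, after which the three `public = false;` lines become optional. The same default would need to be applied wherever `v.public` is read elsewhere in the module, which is outside this hunk.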
@@ -45,35 +50,31 @@ in
 networking.wireguard.interfaces.wg-home = {
 privateKeyFile = config.sops.secrets.wg-home-private-key.path;
 ips = [ "${cfg.address}/24" ];
- listenPort = if enableServer then 51820 else null;
+ listenPort = if enableServer || isPublic then 51820 else null;
 peers =
- if enableServer
- then
- map
- (peerConfig: with peerConfig; {
- allowedIPs = [ "${address}/32" ];
- inherit publicKey;
- })
- (lib.attrValues
- (lib.filterAttrs
- (n: v: n != config.networking.hostName)
- peers))
- else [
+ # fallback/central server for clients that are not publicly reachable
+ lib.optional (!enableServer) {
 allowedIPs = [ "10.80.0.0/24" ];
 publicKey = peers."${serverHostName}".publicKey;
 endpoint = "${serverHostName}.sbruder.de:51820";
 persistentKeepalive = 25;
- }
- ];
+ } ++ (lib.mapAttrsToList
+ (hostname: peerConfig: with peerConfig; {
+ allowedIPs = [ "${address}/32" ];
+ inherit publicKey;
+ } // (lib.optionalAttrs (public && !enableServer) {
+ endpoint = "${hostname}.sbruder.de:51820";
+ }))
+ (lib.filterAttrs
+ (n: v: n != config.networking.hostName && (enableServer || v.public))
+ peers));
 };
 networking.firewall = {
 trustedInterfaces = [ "wg-home" ];
- allowedUDPPorts = lib.optionals enableServer [
- 51820
- 53
- ];
+ allowedUDPPorts = lib.optional (isPublic || enableServer) 51820
+ ++ lib.optional enableServer 53;
 };
 boot.kernel.sysctl = lib.optionalAttrs enableServer {
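Review bot: The peer filter `(n: v: n != config.networking.hostName && (enableServer || v.public))` means a public host that is not the server (fuuko, unless fuuko happens to be `serverHostName`, which is defined outside this hunk) lists no non-public peers at all, so when nunotaba adds fuuko with an `endpoint` and a `/32` allowedIPs, fuuko has no entry for nunotaba's key and silently drops the handshake initiation. Because the `/32` route wins over the server's `/24`, traffic from non-public clients to the public host is then sent to a peer that never completes a handshake instead of falling back through the server, which is a regression from the previous always-via-server behaviour. The public side must accept every peer, keyed on the local host's own `isPublic`: `(n: v: n != config.networking.hostName && (enableServer || isPublic || v.public))` — the endpoint-less entries let WireGuard learn the client's source address from the authenticated handshake. Consider also adding `persistentKeepalive = 25;` to the entries that carry a `${hostname}.sbruder.de` endpoint, so a NAT mapping exists when the public host initiates traffic. The enclosing attribute set starts before this hunk and `boot.kernel.sysctl` continues after it.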