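# SPDX-FileCopyrightText: 2023 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# WireGuard "support" tunnel: a hub-and-spoke VPN that is only configured on
# the server host (`serverHostName`). Every other entry of `peers` becomes a
# WireGuard peer of that server; the module is a no-op on all other hosts.
{ lib, config, pkgs, ... }:

let
  serverHostName = "vueko";
  port = 51821;
  ifname = "wg-support";

  # Tunnel address and public key of every participant, keyed by host name.
  # Only public keys live here; the server's private key comes from sops below.
  peers = {
    # Key of the server.
    vueko = {
      address = "10.80.16.1";
      publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";
    };
    # Key for all of my hosts. One is enough, because it is only activated on demand.
    # NOTE(review): one key shared by several hosts cannot be revoked per host;
    # if any of them is compromised the whole group's tunnel identity is. The
    # /32 allowedIPs below still pins that key to a single tunnel address.
    simon = {
      address = "10.80.16.2";
      publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";
    };
    # Keys for all hosts that are supported.
    jane = {
      address = "10.80.16.3";
      publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";
    };
  };

  # Everything in `peers` except the server itself.
  clients = lib.filterAttrs (name: _: name != serverHostName) peers;
in
{
  config = lib.mkIf (config.networking.hostName == serverHostName) {
    # Per-machine sops file; the secret name must match the key in secrets.yaml.
    sops.secrets.wg-support-private-key = {
      sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
    };

    networking.wireguard.interfaces.${ifname} = {
      privateKeyFile = config.sops.secrets.wg-support-private-key.path;
      ips = [ "${peers.${serverHostName}.address}/24" ];
      listenPort = port;
      # Cryptokey routing: each client may only source/receive its own /32, so
      # one client cannot impersonate another client's tunnel address.
      peers = lib.mapAttrsToList (_: peer: {
        allowedIPs = [ "${peer.address}/32" ];
        publicKey = peer.publicKey;
      }) clients;
    };

    # The WireGuard port has to be reachable from outside. DNS is only needed by
    # tunnel clients, so it is opened on the tunnel interface only: opening UDP 53
    # on every interface (the previous behaviour) would expose any resolver on
    # this host to the internet. If DNS is deliberately served on other
    # interfaces as well, open it there explicitly.
    networking.firewall.allowedUDPPorts = [ port ];
    networking.firewall.interfaces.${ifname}.allowedUDPPorts = [ 53 ];

    # Lets tunnel clients route through this host. Priority 998 wins over
    # mkDefault (1000) but yields to a plain assignment elsewhere.
    # NOTE(review): this enables forwarding system-wide and nothing here limits
    # what tunnel traffic may be forwarded where; confirm that FORWARD/NAT rules
    # elsewhere restrict it if the tunnel is not meant to reach other networks.
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = lib.mkOverride 998 1;
    };
  };
}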