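{ lib, config, pkgs, ... }:

let
  # Host that runs the WireGuard endpoint and serves the zone for it.
  serverHostName = "vueko";

  # UDP port WireGuard listens on; this one must be reachable from outside the VPN.
  port = 51821;

  # One entry per VPN participant: address inside 10.80.16.0/24 plus WireGuard
  # public key. The attribute name doubles as the DNS label in the
  # support.vpn.sbruder.de zone generated below.
  peers = {
    # Key of the server.
    vueko = {
      address = "10.80.16.1";
      publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";
    };
    # Key for all of my hosts. One is enough, because it is only activated on demand.
    simon = {
      address = "10.80.16.2";
      publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";
    };
    # Keys for all hosts that are supported.
    jane = {
      address = "10.80.16.3";
      publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";
    };
  };
in
{
  # Everything below only applies on the server host; any other host importing
  # this module gets no configuration from it.
  config = lib.mkIf (config.networking.hostName == serverHostName) {
    # The WireGuard private key is read from the per-machine sops file.
    sops.secrets.wg-support-private-key = {
      sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
    };

    networking.wireguard.interfaces.wg-support = {
      privateKeyFile = config.sops.secrets.wg-support-private-key.path;
      ips = [ "${peers.${serverHostName}.address}/24" ];
      listenPort = port;
      # Every peer except the server itself, each pinned to its single /32
      # (allowedIPs also limits which source addresses are accepted from that peer).
      peers = map
        (peerConfig: with peerConfig; {
          allowedIPs = [ "${address}/32" ];
          inherit publicKey;
        })
        (lib.attrValues (lib.filterAttrs (n: v: n != serverHostName) peers));
    };

    # Only the WireGuard port is opened on all interfaces. The zone below is
    # VPN-internal, so UDP 53 is opened on wg-support alone rather than
    # globally: an authoritative BIND reachable from the internet is an
    # unnecessary exposure (amplification, leaking the peer names/addresses).
    networking.firewall.allowedUDPPorts = [ port ];
    networking.firewall.interfaces.wg-support.allowedUDPPorts = [ 53 ];

    # Forwarding is needed so the server can route traffic between peers
    # (each peer only has a /32 in allowedIPs).
    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = lib.mkOverride 998 1;
    };

    services.bind = {
      enable = true;
      # NOTE(review): BIND is not told which address to listen on here, so the
      # firewall rule above is the only thing limiting reachability; consider
      # restricting `listenOn` to the VPN address as well — confirm first that
      # nothing else on this host relies on bind answering elsewhere.
      zones = lib.singleton {
        name = "support.vpn.sbruder.de";
        master = true;
        file = let
          # !!! very hacky: Nix has no hex parser, so the TOML parser does it.
          hexStringToInt = hex: (builtins.fromTOML "int = 0x${hex}").int;

          # One A record per peer, labelled with its attribute name in `peers`.
          peerRecords = lib.concatStrings (lib.mapAttrsToList
            (peer: peerConfig: ''
              ${peer} IN A ${peerConfig.address}
            '')
            peers);

          # The SOA serial is derived from the record content so it changes
          # whenever a peer is added, removed or renumbered. Eight hex digits of
          # the sha256 fit the unsigned 32-bit serial field. Caveat: this is not
          # monotonic, so if secondaries are ever added they may ignore an
          # update whose new serial compares lower than the previous one.
          peerRecordsHash = builtins.hashString "sha256" peerRecords;
          serial = hexStringToInt (lib.substring 0 8 peerRecordsHash);
        in pkgs.writeText "support.vpn.sbruder.de.zone" (''
          $TTL 3600
          @ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. ${toString serial} 28800 3600 604800 3600
          @ IN NS ${serverHostName}.sbruder.de.
        '' + peerRecords);
      };
    };
  };
}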