58 lines
1.5 KiB
Nix
58 lines
1.5 KiB
Nix
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
{ lib, config, pkgs, ... }:
|
|
let
|
|
serverHostName = "vueko";
|
|
port = 51821;
|
|
peers = {
|
|
# Key of the server.
|
|
vueko = {
|
|
address = "10.80.16.1";
|
|
publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";
|
|
};
|
|
# Key for all of my hosts. One is enough, because it is only activated on demand.
|
|
simon = {
|
|
address = "10.80.16.2";
|
|
publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";
|
|
};
|
|
# Keys for all hosts that are supported.
|
|
jane = {
|
|
address = "10.80.16.3";
|
|
publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";
|
|
};
|
|
};
|
|
in
|
|
{
|
|
config = lib.mkIf (config.networking.hostName == serverHostName) {
|
|
sops.secrets.wg-support-private-key = {
|
|
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
|
|
};
|
|
|
|
networking.wireguard.interfaces.wg-support = {
|
|
privateKeyFile = config.sops.secrets.wg-support-private-key.path;
|
|
ips = [ "${peers.${serverHostName}.address}/24" ];
|
|
listenPort = port;
|
|
peers = map
|
|
(peerConfig: with peerConfig; {
|
|
allowedIPs = [ "${address}/32" ];
|
|
inherit publicKey;
|
|
})
|
|
(lib.attrValues
|
|
(lib.filterAttrs
|
|
(n: v: n != serverHostName)
|
|
peers));
|
|
};
|
|
|
|
networking.firewall.allowedUDPPorts = [
|
|
port
|
|
53
|
|
];
|
|
|
|
boot.kernel.sysctl = {
|
|
"net.ipv4.ip_forward" = lib.mkOverride 998 1;
|
|
};
|
|
};
|
|
}
|