nixos-config/modules/wireguard/home.nix

# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ lib, config, pkgs, ... }:
let
  serverHostName = "vueko";
  serverPort = 51820;
  subnet = "10.80.0.0/24";
  peers = {
    hitagi = {
      address = "10.80.0.5";
      publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
    };
    vueko = {
      address = "10.80.0.6";
      publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
    };
    fuuko = {
      address = "10.80.0.7";
      publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
    };
    mayushii = {
      address = "10.80.0.9";
      publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg=";
    };
    renge = {
      address = "10.80.0.15";
      publicKey = "/kdCL7MZxuXaEjnN5s5j5GaVlufIeJ890r9xPZbsElQ=";
    };
    nunotaba = {
      address = "10.80.0.4";
      publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
    };
    okarin = {
      address = "10.80.0.14";
      publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
    };
    shinobu = {
      address = "10.80.0.12";
      publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";
    };
    nazuna = {
      address = "10.80.0.13";
      publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
    };
    yuzuru = {
      address = "10.80.0.16";
      publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
    };
  };

  cfg = config.sbruder.wireguard.home;
  enableServer = config.networking.hostName == serverHostName;
in
{
  options = {
    sbruder.wireguard.home = {
      enable = lib.mkEnableOption "WireGuard tunnel wg-home";
      address = lib.mkOption {
        type = lib.types.str;
        visible = false;
        readOnly = true;
      };
      subnet = lib.mkOption {
        type = lib.types.str;
        visible = false;
        readOnly = true;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    sops.secrets.wg-home-private-key = {
      owner = config.users.users.systemd-network.name;
      sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
    };

    sbruder.wireguard.home = {
      address = peers."${config.networking.hostName}".address;
      inherit subnet;
    };

    systemd.network = {
      enable = true;
      netdevs = {
        wg-home = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg-home";
          };
          wireguardConfig = {
            PrivateKeyFile = config.sops.secrets.wg-home-private-key.path;
          } // (lib.optionalAttrs enableServer {
            ListenPort = serverPort;
          });
          wireguardPeers =
            if enableServer
            then
              map
                (peerConfig: with peerConfig; {
                  wireguardPeerConfig = {
                    PublicKey = publicKey;
                    AllowedIPs = [ "${address}/32" ];
                  };
                })
                (lib.attrValues
                  (lib.filterAttrs
                    (n: v: n != config.networking.hostName)
                    peers))
            else [
              {
                wireguardPeerConfig = {
                  PublicKey = peers."${serverHostName}".publicKey;
                  AllowedIPs = [ subnet ];
                  #Endpoint = "${serverHostName}.sbruder.de:${toString serverPort}"; # not possible because sadly not all devices have IPv6 connectivity
                  Endpoint = "168.119.176.53:${toString serverPort}";
                  PersistentKeepalive = 25;
                };
              }
            ];
        };
      };
      networks = {
        wg-home = {
          name = "wg-home";
          address = lib.singleton "${config.sbruder.wireguard.home.address}/24";
          networkConfig = lib.optionalAttrs enableServer {
            IPForward = "ipv4";
          };
        };
      };
    };

    networking.firewall = {
      trustedInterfaces = [ "wg-home" ];
      allowedUDPPorts = lib.optional enableServer serverPort;
    };

    sbruder.knot.generated-zones."vpn.sbruder.de" = pkgs.writeText "vpn.sbruder.de.zone" (''
      ; having $ORIGIN set here fails
      @ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. 1 86400 10800 3600000 3600
      @ IN NS ${serverHostName}.sbruder.de.
    '' + lib.concatStrings
      (lib.mapAttrsToList
        (peer: peerConfig: ''
          ${peer} IN A ${peerConfig.address}
        '')
        peers));
  };
}