nixos-config/modules/wireguard/home.nix
Simon Bruder f945341668
Relicense
This applies the REUSE specification to the repository, so the licensing
information can be tracked for every file individually.
2024-01-13 14:35:31 +01:00

152 lines
4.4 KiB
Nix

# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, config, pkgs, ... }:
let
serverHostName = "vueko";
serverPort = 51820;
subnet = "10.80.0.0/24";
peers = {
hitagi = {
address = "10.80.0.5";
publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
};
vueko = {
address = "10.80.0.6";
publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
};
fuuko = {
address = "10.80.0.7";
publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
};
mayushii = {
address = "10.80.0.9";
publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg=";
};
renge = {
address = "10.80.0.15";
publicKey = "/kdCL7MZxuXaEjnN5s5j5GaVlufIeJ890r9xPZbsElQ=";
};
nunotaba = {
address = "10.80.0.4";
publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
};
okarin = {
address = "10.80.0.10";
publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
};
shinobu = {
address = "10.80.0.12";
publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";
};
nazuna = {
address = "10.80.0.13";
publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
};
yuzuru = {
address = "10.80.0.16";
publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
};
};
cfg = config.sbruder.wireguard.home;
enableServer = config.networking.hostName == serverHostName;
in
{
options = {
sbruder.wireguard.home = {
enable = lib.mkEnableOption "WireGuard tunnel wg-home";
address = lib.mkOption {
type = lib.types.str;
visible = false;
readOnly = true;
};
subnet = lib.mkOption {
type = lib.types.str;
visible = false;
readOnly = true;
};
};
};
config = lib.mkIf cfg.enable {
sops.secrets.wg-home-private-key = {
owner = config.users.users.systemd-network.name;
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
};
sbruder.wireguard.home = {
address = peers."${config.networking.hostName}".address;
inherit subnet;
};
systemd.network = {
enable = true;
netdevs = {
wg-home = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-home";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-home-private-key.path;
} // (lib.optionalAttrs enableServer {
ListenPort = serverPort;
});
wireguardPeers =
if enableServer
then
map
(peerConfig: with peerConfig; {
wireguardPeerConfig = {
PublicKey = publicKey;
AllowedIPs = [ "${address}/32" ];
};
})
(lib.attrValues
(lib.filterAttrs
(n: v: n != config.networking.hostName)
peers))
else [
{
wireguardPeerConfig = {
PublicKey = peers."${serverHostName}".publicKey;
AllowedIPs = [ subnet ];
#Endpoint = "${serverHostName}.sbruder.de:${toString serverPort}"; # not possible because sadly not all devices have IPv6 connectivity
Endpoint = "168.119.176.53:${toString serverPort}";
PersistentKeepalive = 25;
};
}
];
};
};
networks = {
wg-home = {
name = "wg-home";
address = lib.singleton "${config.sbruder.wireguard.home.address}/24";
networkConfig = lib.optionalAttrs enableServer {
IPForward = "ipv4";
};
};
};
};
networking.firewall = {
trustedInterfaces = [ "wg-home" ];
allowedUDPPorts = lib.optional enableServer serverPort;
};
sbruder.knot.generated-zones."vpn.sbruder.de" = pkgs.writeText "vpn.sbruder.de.zone" (''
; having $ORIGIN set here fails
@ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. 1 86400 10800 3600000 3600
@ IN NS ${serverHostName}.sbruder.de.
'' + lib.concatStrings
(lib.mapAttrsToList
(peer: peerConfig: ''
${peer} IN A ${peerConfig.address}
'')
peers));
};
}