Simon Bruder
f945341668
This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually.
58 lines
1.5 KiB
Nix
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, config, pkgs, ... }:
let
serverHostName = "vueko";
port = 51821;
peers = {
# Key of the server.
vueko = {
address = "10.80.16.1";
publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";
};
# Key for all of my hosts. One is enough, because it is only activated on demand.
simon = {
address = "10.80.16.2";
publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";
};
# Keys for all hosts that are supported.
jane = {
address = "10.80.16.3";
publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";
};
};
in
{
config = lib.mkIf (config.networking.hostName == serverHostName) {
sops.secrets.wg-support-private-key = {
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
};
networking.wireguard.interfaces.wg-support = {
privateKeyFile = config.sops.secrets.wg-support-private-key.path;
ips = [ "${peers.${serverHostName}.address}/24" ];
listenPort = port;
peers = map
(peerConfig: with peerConfig; {
allowedIPs = [ "${address}/32" ];
inherit publicKey;
})
(lib.attrValues
(lib.filterAttrs
(n: v: n != serverHostName)
peers));
};
networking.firewall.allowedUDPPorts = [
port
53
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = lib.mkOverride 998 1;
};
};
}
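Review bot: `networking.firewall.allowedUDPPorts = [ port 53 ]` opens UDP 53 on every interface of the server, so whatever is meant to answer DNS for the tunnel peers is also reachable from the public side, not just from the WireGuard network. Only the WireGuard listen port needs to be globally reachable; if the resolver is intended for the peers, the DNS rule can be scoped to the tunnel with `networking.firewall.interfaces.wg-support.allowedUDPPorts = [ 53 ];` and the global list reduced to `networking.firewall.allowedUDPPorts = [ port ];`. The `net.ipv4.ip_forward` sysctl also deserves a one-line why-comment, e.g. `# Needed so vueko can route traffic between the wg-support peers` (presumably the intent; confirm). The commit itself only adds the SPDX header lines, so this concerns configuration that was already present.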