nixos-config/modules/wireguard/support.nix
Simon Bruder f945341668
Relicense
This applies the REUSE specification to the repository, so the licensing
information can be tracked for every file individually.
2024-01-13 14:35:31 +01:00

58 lines
1.5 KiB
Nix

# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, config, pkgs, ... }:
let
serverHostName = "vueko";
port = 51821;
peers = {
# Key of the server.
vueko = {
address = "10.80.16.1";
publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";
};
# Key for all of my hosts. One is enough, because it is only activated on demand.
simon = {
address = "10.80.16.2";
publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";
};
# Keys for all hosts that are supported.
jane = {
address = "10.80.16.3";
publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";
};
};
in
{
config = lib.mkIf (config.networking.hostName == serverHostName) {
sops.secrets.wg-support-private-key = {
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
};
networking.wireguard.interfaces.wg-support = {
privateKeyFile = config.sops.secrets.wg-support-private-key.path;
ips = [ "${peers.${serverHostName}.address}/24" ];
listenPort = port;
peers = map
(peerConfig: with peerConfig; {
allowedIPs = [ "${address}/32" ];
inherit publicKey;
})
(lib.attrValues
(lib.filterAttrs
(n: v: n != serverHostName)
peers));
};
networking.firewall.allowedUDPPorts = [
port
53
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = lib.mkOverride 998 1;
};
};
}