# NixOS module: joins this host to the internal WireGuard mesh described in
# data/chaosInternalWireGuard.nix. The host's own entry (looked up by
# networking.hostName) supplies its tunnel address and listen behaviour; every
# other entry in the data file becomes a peer.
{
  self,
  lib,
  config,
  ...
}: let
  inherit (lib.modules) mkIf;
  inherit (lib.lists) filter;
  inherit (builtins) hasAttr attrNames;

  # Secret store provided by another module. Assumed to be configured and to
  # expose `wg_private` (the interface's private key) with a `.path` attribute.
  secrets = config.services.secrets.secrets;

  # Mesh description: an attrset keyed by host name. Each entry is read for
  # `ip` and `public`, and optionally `endpoint` (presumably only present on
  # hosts that are reachable from outside -- confirm against the data file).
  wireguardHosts = (import "${self}/data/chaosInternalWireGuard.nix").hosts;

  # This host's own entry; evaluation fails if the host is missing from the data.
  currentHostName = config.networking.hostName;
  currentHostConfig = wireguardHosts.${currentHostName};

  # Only hosts that publish an endpoint listen on the fixed WireGuard port and
  # get an inbound firewall rule for it; the others dial out and need neither.
  hasEndpoint = hasAttr "endpoint" currentHostConfig;
  wireguardPort = 51820;

  # Every mesh member except ourselves is a peer.
  peerNames = filter (name: name != currentHostName) (attrNames wireguardHosts);

  # Peer definition for one mesh member: a /32 route to its tunnel address,
  # its public key, and its endpoint when it has one (null = wait for the peer
  # to connect to us).
  mkPeer = name: let
    peer = wireguardHosts.${name};
  in {
    allowedIPs = ["${peer.ip}/32"];
    publicKey = peer.public;
    endpoint = peer.endpoint or null;
  };
in {
  networking.firewall = {
    # NOTE: a trusted interface accepts all inbound traffic unconditionally, so
    # every mesh peer can reach every local service on wg0, not only the ports
    # opened below.
    trustedInterfaces = ["wg0"];
    allowPing = true;
    allowedUDPPorts = mkIf hasEndpoint [wireguardPort];
  };

  # Enables the wireguard kernel module's dynamic-debug messages. Started at
  # boot and restarted together with wg-quick-wg0 (partOf). Writes to debugfs,
  # so it fails if /sys/kernel/debug is not mounted; the extra messages land in
  # the kernel log and are visible to anyone who can read it.
  systemd.services.wireguard-debug = {
    wantedBy = ["multi-user.target"];
    partOf = ["wg-quick-wg0.service"];
    script = ''
      echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
    '';
  };

  networking.wg-quick.interfaces.wg0 = {
    address = ["${currentHostConfig.ip}/24"];
    privateKeyFile = "${secrets.wg_private.path}";
    listenPort = mkIf hasEndpoint wireguardPort;
    peers = map mkPeer peerNames;
  };
}