{ self, lib, config, ... }: let inherit (lib.modules) mkIf; inherit (lib.lists) filter; inherit (builtins) hasAttr attrNames; # Assume this to be set secrets = config.services.secrets.secrets; wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix"; wireguardHosts = wireguardData.hosts; currentHostName = config.networking.hostName; currentHostConfig = wireguardHosts.${currentHostName}; in { networking.firewall = { trustedInterfaces = [ "wg0" ]; allowPing = true; allowedUDPPorts = mkIf (hasAttr "listenPort" currentHostConfig) [ currentHostConfig.listenPort ]; }; systemd.services.wireguard-debug = { wantedBy = ["multi-user.target"]; script = '' echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control ''; }; networking.wg-quick.interfaces = { wg0 = { address = ["${currentHostConfig.ip}/24"]; privateKeyFile = "${secrets.wg_private.path}"; listenPort = mkIf (hasAttr "listenPort" currentHostConfig) currentHostConfig.listenPort; peers = map ( hostName: let host = wireguardHosts.${hostName}; in { allowedIPs = host.allowedIPs or ["${host.ip}/32"]; publicKey = host.public; endpoint = host.endpoint or null; } ) (filter ( hostName: hostName != currentHostName ) (attrNames wireguardHosts)); }; }; }