65 lines
1.8 KiB
Nix
65 lines
1.8 KiB
Nix
{
|
|
self,
|
|
lib,
|
|
config,
|
|
...
|
|
}: let
|
|
inherit (lib.modules) mkIf;
|
|
inherit (builtins) hasAttr;
|
|
|
|
# Assume this to be set
|
|
secrets = config.services.secrets.secrets;
|
|
|
|
wireguardData = import "${self}/data/chaosInternalWireGuard.nix";
|
|
wireguardHosts = wireguardData.hosts;
|
|
|
|
currentHostName = config.networking.hostName;
|
|
currentHostConfig = wireguardHosts.${currentHostName};
|
|
in {
|
|
networking.firewall.trustedInterfaces = ["wg0"];
|
|
networking.firewall.allowPing = true;
|
|
networking.firewall.allowedUDPPorts = mkIf (hasAttr "endpoint" currentHostConfig) [51820];
|
|
|
|
systemd.services.wireguard-debug = {
|
|
wantedBy = ["multi-user.target"];
|
|
partOf = ["wg-quick-wg0.service"];
|
|
script = ''
|
|
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
|
|
'';
|
|
};
|
|
|
|
networking.wg-quick.interfaces = {
|
|
wg0 = {
|
|
address = ["${currentHostConfig.ip}/24"];
|
|
privateKeyFile = "${secrets.wg_priv.path}";
|
|
listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
|
|
|
|
peers = [
|
|
# hetzner-vm
|
|
(mkIf (currentHostName != "hetzner-vm") (let
|
|
host = wireguardHosts."hetzner-vm";
|
|
in {
|
|
allowedIPs = ["${host.ip}/32"];
|
|
publicKey = host.public;
|
|
endpoint = host.endpoint or null;
|
|
}))
|
|
# vault
|
|
(mkIf (currentHostName != "vault") (let
|
|
host = wireguardHosts."vault";
|
|
in {
|
|
allowedIPs = ["${host.ip}/32"];
|
|
publicKey = host.public;
|
|
endpoint = host.endpoint or null;
|
|
}))
|
|
(mkIf (currentHostName != "raspberry") (let
|
|
host = wireguardHosts."raspberry";
|
|
in {
|
|
allowedIPs = ["${host.ip}/32"];
|
|
publicKey = host.public;
|
|
endpoint = host.endpoint or null;
|
|
}))
|
|
];
|
|
};
|
|
};
|
|
}
|