# WireGuard netdev "wg0" for systemd-networkd.
#
# The interface private key and each peer's preshared key are stored as
# age-encrypted files under ./secrets/wireguard and declared to secrix, which
# exposes the decrypted location via `.decrypted.path`. Only the encrypted
# .age files are referenced as Nix paths here; the decrypted paths are strings
# taken from the secrix options (presumably runtime paths outside the store —
# confirm against the secrix module).
#
# `pkgs` is accepted in the argument set but not referenced in this module.
{ config, lib, pkgs, ... }:

let
  # Host-wide values shared between modules (address prefixes, etc.).
  hostVars = import ./vars.nix;

  # secrix secret declarations/outputs for systemd-networkd; read lazily.
  wgSecrets = config.secrix.services.systemd-networkd.secrets;

  # secrix secret name for a peer's preshared key; the same name is used both
  # when declaring the secret and when looking up its decrypted path.
  pskSecretName = peer: "wg0-peer-${peer.name}-psk";

  # Static peer table. Each entry: display name, AllowedIPs (v4 and, where
  # present, a v6 range derived from the OPNsense prefix), the peer's public
  # key, and whether a preshared key is provisioned for it.
  peers = [
    {
      name = "Yura-TPX13";
      allowedIPs = [ "10.6.0.3/32" "${hostVars.extra.opnsense.p6}::6:3:0/112" ];
      publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
      pskEnabled = true;
    }
    {
      name = "Yura-Pixel7Pro";
      allowedIPs = [ "10.6.0.4/32" "${hostVars.extra.opnsense.p6}::6:4:0/112" ];
      publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
      pskEnabled = true;
    }
    {
      name = "AsusS513";
      allowedIPs = [ "10.6.0.100/32" ];
      publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
      pskEnabled = true;
    }
  ];

  # secrix declaration (name/value pair) for one peer's encrypted PSK file.
  mkPskSecret = peer:
    lib.nameValuePair (pskSecretName peer) {
      encrypted.file = ./secrets/wireguard/wg0-peer-${peer.name}-psk.age;
    };

  # Only peers with a PSK get a secret declared; others must not reference one.
  pskSecrets = lib.listToAttrs (map mkPskSecret (lib.filter (p: p.pskEnabled) peers));

  # One [WireGuardPeer] section per peer.
  mkPeerSection = peer: {
    AllowedIPs = lib.concatStringsSep "," peer.allowedIPs;
    PublicKey = peer.publicKey;
    # null for peers without a PSK (presumably dropped by the networkd module
    # rather than rendered — confirm); the decrypted path is only looked up
    # when a secret was actually declared above.
    PresharedKeyFile =
      if peer.pskEnabled
      then wgSecrets.${pskSecretName peer}.decrypted.path
      else null;
  };
in
{
  # Interface private key plus all per-peer PSK secrets (keys never overlap).
  secrix.services.systemd-networkd.secrets = {
    wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
  } // pskSecrets;

  systemd.network.netdevs."10-wg0" = {
    netdevConfig = {
      Kind = "wireguard";
      Name = "wg0";
    };
    wireguardConfig = {
      PrivateKeyFile = wgSecrets.wg0-private-key.decrypted.path;
      ListenPort = 18596;
    };
    wireguardPeers = map mkPeerSection peers;
  };
}