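{ config, lib, pkgs, ... }:

# WireGuard interface `wg0` via systemd-networkd: peer list, per-peer PSK
# secrets (secrix), netdev and network units.

let
  vars = import ./vars.nix;
  wg0 = vars.ifs.wg0;

  # Addresses a peer may source on an interface, derived from its token:
  # one IPv4 host (/32) plus a /112 in the public IPv6 prefix and another
  # in the ULA prefix.
  peerIps = ifObj: token: [
    "${ifObj.p4}.${toString token}/32"
    "${ifObj.p6}:${toString token}:0/112"
    "${ifObj.ulaPrefix}:${toString token}:0/112"
  ];

  # Standard wg0 peer: all three address ranges from peerIps, PSK enabled.
  # Field is spelled `publicKey` — that is what wireguardPeers below reads
  # (the previous `publickey` spelling would have failed at evaluation
  # time as soon as this helper was used).
  mkWg0Peer = token: publicKey: {
    allowedIPs = peerIps wg0 token;
    inherit publicKey;
    pskEnabled = true;
  };

  # Peers keyed by name. The name also selects the PSK secret
  # (see peerSecretName); peers with pskEnabled = false are given no
  # PresharedKeyFile and no secret entry.
  wg0Peers = {
    "Yura-TPX13" = mkWg0Peer 3 "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";

    "Yura-Pixel7Pro" = {
      # Only the IPv4 host and public IPv6 range; no ULA entry, unlike
      # mkWg0Peer.
      allowedIPs = [ "${wg0.p4}.4/32" "${wg0.p6}:4:0/112" ];
      publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
      pskEnabled = true;
    };

    "AsusS513" = {
      # IPv4 only, and no preshared key for this peer.
      allowedIPs = [ "${wg0.p4}.100/32" ];
      publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
      pskEnabled = false;
    };
  };

  # Secret name for a peer's PSK; the encrypted file under
  # ./secrets/wireguard/ uses the same stem with a .age suffix.
  peerSecretName = name: "wg0-peer-${name}-psk";

  # Secrets as seen by the running system (decrypted paths are read from
  # here when building the netdev unit).
  secrets = config.secrix.services.systemd-networkd.secrets;
in
{
  # Declare the interface private key plus one PSK secret per peer that
  # has pskEnabled = true.
  secrix.services.systemd-networkd.secrets =
    let
      pskPeers = lib.attrsets.filterAttrs (name: peer: peer.pskEnabled) wg0Peers;

      # Rename each peer entry to its secret name and point it at the
      # matching .age file.
      mapPeer = name: peer: {
        name = peerSecretName name;
        value.encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;
      };

      peerSecrets = lib.attrsets.mapAttrs' mapPeer pskPeers;
    in
    {
      wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
    } // peerSecrets;

  systemd.network.netdevs = {
    "10-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };

      wireguardConfig = {
        # NOTE(review): systemd-networkd reads this as the systemd-network
        # user — confirm the decrypted file's ownership/mode allow that.
        PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
        ListenPort = 18596;
      };

      # One [WireGuardPeer] per entry in wg0Peers. PresharedKeyFile is
      # null (omitted) for peers without a PSK.
      wireguardPeers = map
        (peer: {
          AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs;
          PublicKey = peer.value.publicKey;
          PresharedKeyFile =
            if peer.value.pskEnabled
            then secrets."${peerSecretName peer.name}".decrypted.path
            else null;
        })
        (lib.attrsToList wg0Peers);
    };
  };

  systemd.network.networks = {
    "10-wg0" = {
      matchConfig.Name = "wg0";
      networkConfig = {
        IPv4Forwarding = true;
        IPv6SendRA = false;
        Address = [ wg0.addr4Sized wg0.addr6Sized wg0.ulaAddrSized ];
      };
    };
  };
}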