nix config
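{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.mossnet.wg;
  # Single source of truth for the UDP port: the firewall rule and the
  # interface listenPort below must agree, or inbound handshakes are dropped.
  wgPort = 60990;
in
{
  options = {
    mossnet.wg = {
      enable = mkEnableOption "Gain access to all mossnet systems through wireguard";
      ips = lib.mkOption {
        type = with types; listOf str;
        # An empty list is the correct "unset" value for listOf; the previous
        # `{ }` default was an attrset and does not type-check as a list.
        default = [ ];
        example = literalExample ''
          [ "10.0.69.2/24" ]
        '';
        description = ''
          Addresses (with prefix length) assigned to this machine's wg0 interface.
        '';
      };
      privateKeyFile = lib.mkOption {
        type = types.path;
        # No default: a missing private key is a configuration error and should
        # fail at evaluation time rather than when the interface is brought up.
        example = literalExample ''
          "/run/agenix/wg-curve"
        '';
        description = ''
          Path to the file holding this machine's WireGuard private key.
          Give it as a string (for example the `path` attribute of an agenix
          secret) rather than a path literal, so the key is not at risk of
          being copied into the world-readable Nix store.
          Remember to set age.secrets.*.file and age.secrets.*.user so the file
          is present and readable when the interface is configured.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    networking.firewall.allowedUDPPorts = [ wgPort ];
    networking.wireguard.interfaces = {
      wg0 = {
        ips = cfg.ips;
        # Fixed port so the firewall rule above matches; without this wg uses
        # random port numbers.
        listenPort = wgPort;
        privateKeyFile = cfg.privateKeyFile;
        peers = [
          # For a client configuration, one peer entry for the server will suffice.
          {
            publicKey = "c1J4p63rD3IlszugMZiki7UBV3YmDdqa3DU4UejXzAI=";
            # Only traffic destined for the mossnet range is sent through the tunnel.
            allowedIPs = [ "10.0.69.0/24" ];
            # Set this to the server IP and port.
            endpoint = "sealight.xyz:60990"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}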