
wireguard.server.nix (1271B)


      1 { config, lib, pkgs, ... }:
      2 
      3 with lib;
      4 let
      5   cfg = config.profiles.wireguard.server;
      6 
      7   secretPath = ../../../secrets/machines.nix;
      8   secretCondition = (builtins.pathExists secretPath);
      9   allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
     10   listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
     11   peers = lists.optionals secretCondition (import secretPath).wg.peers;
     12 in
     13 {
     14   options = {
     15     profiles.wireguard.server = {
     16       enable = mkEnableOption "Enable wireguard.server profile";
     17     };
     18   };
     19   config = mkIf cfg.enable {
     20     # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
     21     environment.systemPackages = [ pkgs.wireguard ];
     22     boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
     23     networking.firewall.extraCommands = ''
     24       iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
     25     '';
     26     networking.firewall.allowedUDPPorts = [ 51820 ];
     27     networking.firewall.trustedInterfaces = [ "wg0" ];
     28     networking.wireguard.enable = true;
     29     networking.wireguard.interfaces = {
     30       "wg0" = {
     31         ips = allowedIPs;
     32         listenPort = listenPort;
     33         privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
     34         peers = peers;
     35       };
     36     };
     37   };
     38 }