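{ config, lib, pkgs, ... }:

# NixOS profile for a WireGuard hub ("server") on interface wg0.
#
# Addresses, listen port and peer list come from an out-of-tree secrets file
# when it exists; when it is missing the interface is configured empty so the
# module still evaluates (e.g. on a machine that only needs the option tree).
with lib;
let
  cfg = config.profiles.wireguard.server;

  secretPath = ../../../secrets/machines.nix;
  secretCondition = builtins.pathExists secretPath;
  # Import the secrets once; `null` when absent. Every use below is guarded by
  # secretCondition, and Nix evaluates lazily, so `null.attr` is never touched.
  secrets = if secretCondition then import secretPath else null;

  # NOTE(review): the addresses live under `wireguard.kerkouane` while port and
  # peers live under `wg` in the secrets file — two attribute trees for one
  # interface; confirm they are meant to stay separate.
  allowedIPs = optionals secretCondition secrets.wireguard.kerkouane.allowedIPs;
  # `null` rather than 0 when no secrets: the wireguard module leaves the port
  # unset for null, whereas listen-port 0 makes the kernel pick a random port.
  listenPort = if secretCondition then secrets.wg.listenPort else null;
  peers = optionals secretCondition secrets.wg.peers;

  # Subnet that is source-NATed towards the rest of the network. Held in one
  # place so the add and delete rules cannot drift apart.
  # NOTE(review): presumably the wg0 address range from the secrets file — confirm.
  natSubnet = "10.100.0.0/24";
  # Chain and match for the NAT rule; `-A`/`-D` is prepended at the call site.
  # There is no `-o <uplink>` restriction, so the rule applies on every outgoing
  # interface; the uplink name is not known in this profile.
  natRule = "POSTROUTING -s ${natSubnet} -j MASQUERADE";
in
{
  options = {
    profiles.wireguard.server = {
      # mkEnableOption already prefixes "Whether to enable ", so the text
      # must not start with "Enable" itself.
      enable = mkEnableOption "the wireguard.server profile";
    };
  };

  config = mkIf cfg.enable {
    # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
    environment.systemPackages = [ pkgs.wireguard ];

    # Hub forwards traffic between peers / towards the uplink.
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

    # The nat table is not flushed by the NixOS firewall, so an unconditional
    # `-A` would stack a duplicate rule on every (re)start. Delete first, then
    # add, and remove the rule again when the firewall stops.
    networking.firewall.extraCommands = ''
      iptables -t nat -D ${natRule} 2>/dev/null || true
      iptables -t nat -A ${natRule}
    '';
    networking.firewall.extraStopCommands = ''
      iptables -t nat -D ${natRule} 2>/dev/null || true
    '';

    # Open exactly the port WireGuard listens on (from the secrets file) instead
    # of a hard-coded one, so firewall and interface cannot disagree; nothing is
    # opened when no port is configured.
    networking.firewall.allowedUDPPorts = optional (listenPort != null) listenPort;

    # Traffic arriving on wg0 is accepted unconditionally by the input
    # firewall: every peer is treated as a trusted host.
    networking.firewall.trustedInterfaces = [ "wg0" ];

    networking.wireguard.enable = true;
    networking.wireguard.interfaces = {
      "wg0" = {
        ips = allowedIPs;
        listenPort = listenPort;
        privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
        peers = peers;
      };
    };
  };
}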