
My NixOS system configurations.

wireguard.client.nix (1680B)


      1 { config, lib, pkgs, ... }:
      2 
      3 with lib;
      4 let
      5   cfg = config.services.wireguard;
      6 in
      7 {
      8   options = {
      9     services.wireguard = {
     10       enable = mkEnableOption "Whether to enable a reverse SSH proxy.";
     11       ips = mkOption {
     12         type = with types; listOf str;
     13         description = ''
     14           The client IPs
     15         '';
     16       };
     17       allowedIPs = mkOption {
     18         default = [ "10.100.0.0/24" ];
     19         type = with types; listOf str;
     20         description = ''
     21           The peer (server) allowedIPs
     22         '';
     23       };
     24       endpoint = mkOption {
     25         type = with types; str;
     26         description = ''
     27           The endpoint IP to target
     28         '';
     29       };
     30       endpointPort = mkOption {
     31         default = 51820;
     32         type = with types; int;
     33         description = ''
     34           The endpoint Port to target
     35         '';
     36       };
     37       endpointPublicKey = mkOption {
     38         type = with types; str;
     39         description = ''
     40           The peer (server) public key
     41         '';
     42       };
     43     };
     44   };
     45   config = mkIf cfg.enable {
     46     # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
     47     environment.systemPackages = [ pkgs.wireguard-tools ];
     48     networking.firewall.trustedInterfaces = [ "wg0" ];
     49     networking.wireguard.enable = true;
     50     networking.wireguard.interfaces = {
     51       wg0 = {
     52         ips = cfg.ips;
     53         privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
     54         peers = [
     55           {
     56             publicKey = cfg.endpointPublicKey;
     57             allowedIPs = cfg.allowedIPs;
     58             endpoint = "${cfg.endpoint}:${toString cfg.endpointPort}";
     59             persistentKeepalive = 25;
     60           }
     61         ];
     62       };
     63     };
     64   };
     65 }