wireguard.client.nix (1680B)
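{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.services.wireguard;
in
{
  options = {
    services.wireguard = {
      # mkEnableOption already prefixes "Whether to enable"; the previous text
      # ("a reverse SSH proxy") was a copy-paste leftover from another module.
      enable = mkEnableOption "the WireGuard client tunnel (single server peer)";

      interface = mkOption {
        default = "wg0";
        type = with types; str;
        description = ''
          Name of the WireGuard network interface to create.
        '';
      };

      ips = mkOption {
        type = with types; listOf str;
        description = ''
          Addresses (CIDR notation, e.g. "10.100.0.2/24") assigned to this
          client on the tunnel interface.
        '';
      };

      allowedIPs = mkOption {
        default = [ "10.100.0.0/24" ];
        type = with types; listOf str;
        description = ''
          AllowedIPs for the server peer. In WireGuard this is the cryptokey
          routing table: traffic to these destinations is routed into the
          tunnel, and packets arriving from the peer are only accepted if
          their source address falls inside this set. Use "0.0.0.0/0" to
          send all IPv4 traffic through the tunnel.
        '';
      };

      endpoint = mkOption {
        type = with types; str;
        description = ''
          The server's public IP address or host name.
        '';
      };

      endpointPort = mkOption {
        default = 51820;
        # types.port rejects values outside 0-65535 at evaluation time
        # instead of failing when the interface comes up.
        type = with types; port;
        description = ''
          The server's UDP listen port.
        '';
      };

      endpointPublicKey = mkOption {
        type = with types; str;
        description = ''
          The server peer's base64-encoded WireGuard public key.
        '';
      };

      privateKeyFile = mkOption {
        default = "/etc/nixos/secrets/wireguard/private.key";
        type = with types; str;
        description = ''
          Path to this client's private key. The file is read when the
          interface is set up, so it must exist on the target host and
          should be root-owned with mode 0400. Never pass the key as a Nix
          string literal: everything in the Nix store is world-readable.
        '';
      };

      trustInterface = mkOption {
        default = true;
        type = with types; bool;
        description = ''
          Whether to add the tunnel interface to
          networking.firewall.trustedInterfaces. When true, every packet the
          server peer sends (within allowedIPs) bypasses the host firewall
          entirely. Set this to false and open only the ports you need if
          the server side is not fully trusted.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    # The WireGuard kernel module is in-tree on current kernels; this is only
    # needed for older kernelPackages.
    # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
    environment.systemPackages = [ pkgs.wireguard-tools ];

    # Bypass the firewall for tunnel traffic only when explicitly allowed;
    # see the trustInterface option for the trade-off.
    networking.firewall.trustedInterfaces = mkIf cfg.trustInterface [ cfg.interface ];

    networking.wireguard.enable = true;
    networking.wireguard.interfaces.${cfg.interface} = {
      ips = cfg.ips;
      privateKeyFile = cfg.privateKeyFile;
      peers = [
        {
          publicKey = cfg.endpointPublicKey;
          allowedIPs = cfg.allowedIPs;
          endpoint = "${cfg.endpoint}:${toString cfg.endpointPort}";
          # Keeps the NAT / stateful-firewall mapping alive so the server can
          # reach a client behind NAT; 25 s is the value the WireGuard
          # documentation recommends.
          persistentKeepalive = 25;
        }
      ];
    };
  };
}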