
My NixOS systems configurations.

wireguard.server.nix (1336B)


      1 { config, lib, pkgs, ... }:
      2 
      3 with lib;
      4 let
      5   cfg = config.modules.services.wireguard.server;
      6 
      7   secretPath = ../../../secrets/machines.nix;
      8   secretCondition = (builtins.pathExists secretPath);
      9   allowedIPs = lists.optionals secretCondition (import secretPath).wireguard.kerkouane.allowedIPs;
     10   listenPort = if secretCondition then (import secretPath).wg.listenPort else 0;
     11   peers = lists.optionals secretCondition (import secretPath).wg.peers;
     12 in
     13 {
     14   options = {
     15     modules.services.wireguard.server = {
     16       enable = mkEnableOption "Enable wireguard.server profile";
     17     };
     18   };
     19   config = mkIf cfg.enable {
     20     # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
     21     environment.systemPackages = [ pkgs.wireguard-tools ];
     22     boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
     23     networking.firewall.extraCommands = ''
     24       iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
     25       iptables -A FORWARD -i wg+ -j ACCEPT
     26     '';
     27     networking.firewall.allowedUDPPorts = [ 51820 ];
     28     networking.firewall.trustedInterfaces = [ "wg0" ];
     29     networking.wireguard.enable = true;
     30     networking.wireguard.interfaces = {
     31       "wg0" = {
     32         ips = allowedIPs;
     33         listenPort = listenPort;
     34         privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
     35         peers = peers;
     36       };
     37     };
     38   };
     39 }