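{ config, lib, pkgs, ... }:

# NixOS module: WireGuard server profile (interface wg0 plus the NAT/forwarding
# rules that let peers reach the network behind this host).

with lib;
let
  cfg = config.modules.services.wireguard.server;

  # Addresses, port and peer list come from an out-of-tree secrets file. When
  # it is absent the module still evaluates, but wg0 gets no addresses, no
  # peers and no fixed port, so nothing usable is exposed.
  secretPath = ../../../secrets/machines.nix;
  secretCondition = builtins.pathExists secretPath;
  secrets = if secretCondition then import secretPath else { };
  allowedIPs = lists.optionals secretCondition secrets.wireguard.kerkouane.allowedIPs;
  # 0 is passed through to the interface when no secret is available; WireGuard
  # treats that as "no fixed port". The firewall hole below is only opened
  # when a real port is known.
  listenPort = if secretCondition then secrets.wg.listenPort else 0;
  peers = lists.optionals secretCondition secrets.wg.peers;

  # Subnet handed out to clients. NOTE(review): this is kept in sync by hand
  # with the addresses in the secrets file; there is no shared source of truth.
  clientSubnet = "10.100.0.0/24";

  # Match parts of the two rules installed into the stock nat/POSTROUTING and
  # FORWARD chains. They are shared between the add (-A) and delete (-D) forms
  # so both stay identical.
  # NOTE(review): the MASQUERADE rule has no `-o <uplink>` match, so traffic
  # between two peers routed through this host is also source-NATed; add the
  # uplink interface here if peer-to-peer addressing matters.
  natRule = "-s ${clientSubnet} -j MASQUERADE";
  forwardRule = "-i wg+ -j ACCEPT";
in
{
  options = {
    modules.services.wireguard.server = {
      enable = mkEnableOption "Enable wireguard.server profile";
    };
  };

  config = mkIf cfg.enable {
    # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
    environment.systemPackages = [ pkgs.wireguard-tools ];

    # Required so packets arriving on wg0 can be routed onwards.
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

    # The NixOS firewall only flushes its own nixos-fw chains when it restarts;
    # rules appended to the built-in chains by extraCommands would otherwise
    # be duplicated on every reload. extraStopCommands removes them again.
    networking.firewall.extraCommands = ''
      iptables -t nat -A POSTROUTING ${natRule}
      iptables -A FORWARD ${forwardRule}
    '';
    networking.firewall.extraStopCommands = ''
      iptables -t nat -D POSTROUTING ${natRule} 2>/dev/null || true
      iptables -D FORWARD ${forwardRule} 2>/dev/null || true
    '';

    # Open exactly the port the interface listens on, rather than a separately
    # maintained constant that can drift from the secrets file. Nothing is
    # opened when no port is configured.
    networking.firewall.allowedUDPPorts = optionals secretCondition [ listenPort ];

    # Every packet arriving on wg0 bypasses the input firewall entirely: any
    # authenticated peer can reach every local service. Narrow this with
    # interface-specific allowed ports if peers are not all fully trusted.
    networking.firewall.trustedInterfaces = [ "wg0" ];

    networking.wireguard.enable = true;
    networking.wireguard.interfaces = {
      "wg0" = {
        ips = allowedIPs;
        listenPort = listenPort;
        # Key is read from the target system at activation time and is never
        # part of the Nix store.
        privateKeyFile = "/etc/nixos/secrets/wireguard/private.key";
        peers = peers;
      };
    };
  };
}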