Diffstat (limited to 'modules/wireguard/default.nix')
-rw-r--r--modules/wireguard/default.nix67
1 files changed, 67 insertions, 0 deletions
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
new file mode 100644
index 0000000..c9fc063
--- /dev/null
+++ b/modules/wireguard/default.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, nodes, builtins, ... }:
+
+with lib; {
+ imports = [ ./options.nix ./roaming.nix ];
+
+ config = mkIf config.wireguard.enable (let
+ cfg = config.wireguard;
+
+ peers = let
+ attrPeers = mapAttrs (n: node:
+ let peer = node.config.wireguard;
+ in {
+ endpoint =
+ "${node.config.deployment.targetHost}:${toString peer.port}";
+ publicKey = peer.publicKey;
+ persistentKeepalive = 25;
+ allowedIPs = [
+ "${peer.v4.address}/32"
+ "${peer.v6.ula}::${peer.v6.address}/128"
+ "${peer.v6.gua}::${peer.v6.address}/128"
+ ] ++ peer.allowedIPs;
+ }) (filterAttrs (n: node: node.config.wireguard.enable) nodes);
+ peers = attrValues attrPeers;
+ in peers;
+ in {
+ secrets = mkIf config.wireguard.enable {
+ wireguard = {
+ source = ../../secrets
+ + ("/" + "${config.networking.hostName}.privkey");
+ dest = "/root/wireguard/privkey";
+ };
+ };
+
+ networking.wireguard.interfaces = mkIf config.wireguard.enable {
+ wg0 = with { ifname = "wg0"; }; {
+ ips = [
+ "${cfg.v4.address}/${toString cfg.v4.prefixLength}"
+ "${cfg.v6.ula}::${cfg.v6.address}/128"
+ "${cfg.v6.gua}::${cfg.v6.address}/128"
+ ];
+ listenPort = cfg.port;
+ postSetup = ''
+ ${pkgs.nftables}/bin/nft add table ${ifname}
+ ${pkgs.nftables}/bin/nft 'add chain ${ifname} prerouting { type nat hook prerouting priority 0 ; }'
+ ${pkgs.nftables}/bin/nft 'add chain ${ifname} postrouting { type nat hook postrouting priority 100 ; }'
+ ${pkgs.nftables}/bin/nft add rule ${ifname} postrouting ip saddr ${cfg.v4.network}/${
+ toString cfg.v4.prefixLength
+ } oif ${cfg.natInterface} masquerade
+
+ ${pkgs.iproute2}/bin/ip link set ${ifname} multicast on
+ '';
+ postShutdown = ''
+ ${pkgs.nftables}/bin/nft flush table ${ifname}
+ ${pkgs.nftables}/bin/nft delete table ${ifname}
+ '';
+ privateKeyFile = "/root/wireguard/privkey";
+ peers = peers;
+ };
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = lib.mkDefault true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.netfilter.nf_conntrack_tcp_be_liberal" = true;
+ };
+ });
+}
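Review bot: `"net.netfilter.nf_conntrack_tcp_be_liberal" = true` in the sysctl block relaxes conntrack's TCP window and sequence validation on every host that enables this module, and unlike `ip_forward` it is a hard value rather than `lib.mkDefault`, so a host cannot opt out without `mkForce`; if it is only needed for the masqueraded wg0 flows I would write `"net.netfilter.nf_conntrack_tcp_be_liberal" = lib.mkDefault true; # relaxes TCP state tracking for NAT'd wg0 flows; confirm still required` so the weakening is documented and overridable. The peer list is built from every node with `wireguard.enable`, which presumably includes the evaluating host itself, so each interface appears to get a peer entry carrying its own public key and addresses; adding `n != config.networking.hostName` to the `filterAttrs` predicate avoids relying on the kernel to discard the self-peer. With IPv4 and IPv6 forwarding enabled and the nft table holding only NAT chains, traffic forwarded between peers and out of `natInterface` is filtered solely by whatever forward policy exists elsewhere on the host, which is worth a one-line comment above `postSetup` stating that this module intentionally adds no filter rules.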