feat(wg): add mesh tunneling to devices & routers

2026-02-04 17:59:57 -08:00
parent 63f9d3418c
commit c85cf06186
4 changed files with 90 additions and 0 deletions
--- a/nix/modules/default.nix
+++ b/nix/modules/default.nix
@@ -22,5 +22,6 @@
    ./mounts.nix
    ./nfs-mesh.nix
    ./rust.nix
+    ./networking/wireguard-mesh.nix
  ];
 }
--- a/nix/modules/networking/wireguard-mesh.nix
+++ b/nix/modules/networking/wireguard-mesh.nix
@@ -0,0 +1,77 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  meshHosts = {
+    kumatani = {
+      address = "kumatani";
+      publicKey = "pKkl30tba29FG86wuaC0KrpSHMr1tSOujikHFbx75BM=";
+      isRouter = false;
+      ip = "10.100.0.1";
+    };
+    usahara = {
+      address = "usahara";
+      publicKey = "4v7GyAIsKfwWjLMVB4eoosJDvLkIDHW0KsEYoQqSnh4=";
+      isRouter = false;
+      ip = "10.100.0.2";
+    };
+    tux = {
+      address = "tux";
+      publicKey = "TUX_PUBLIC_KEY_HERE=";
+      isRouter = false;
+      ip = "10.100.0.3";
+    };
+    oakbay-pfsense = {
+      endpoint = "oakbay.lucalise.ca:51822";
+      publicKey = "xOTPZBIC9m1BkkiLCOUTty3b7/NOvslteVQHzEFxqWQ=";
+      isRouter = true;
+      ip = "10.100.0.250";
+      routes = [
+        "192.168.15.0/27"
+        "192.168.20.0/26"
+        "192.168.27.0/24"
+      ];
+    };
+  };
+
+  getEndpoint =
+    name: host:
+    if host.isRouter or false then "${host.endpoint}" else "${host.address}:${toString 51820}";
+
+  mkPeer = name: host: {
+    publicKey = host.publicKey;
+    allowedIPs = [ "${host.ip}/32" ] ++ (host.routes or [ ]);
+    endpoint = getEndpoint name host;
+    persistentKeepalive = 25;
+    dynamicEndpointRefreshSeconds = 300;
+  };
+
+  mkPeersFor =
+    selfName: lib.mapAttrsToList mkPeer (lib.filterAttrs (name: _: name != selfName) meshHosts);
+
+  selfConfig = meshHosts.${config.networking.hostName} or null;
+in
+{
+  config = lib.mkIf (selfConfig != null) {
+    networking.wireguard.interfaces = {
+      wg0 = {
+        privateKeyFile = "/etc/wireguard/private.key";
+        ips = [ "${selfConfig.ip}/32" ];
+        listenPort = 51820;
+        peers = mkPeersFor config.networking.hostName;
+      };
+    };
+
+    networking.firewall = {
+      allowedUDPPorts = [ 51820 ];
+      trustedInterfaces = [ "wg0" ];
+    };
+
+    systemd.tmpfiles.rules = [
+      "d /etc/wireguard 0700 root root -"
+    ];
+  };
+}