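{
  pkgs,
  lib,
  config,
  ...
}:

# WireGuard full mesh between the hosts listed in `meshHosts`, plus one pfSense
# "router" peer that carries the 192.168.x LAN prefixes behind it.  A host
# evaluating this module looks itself up by `networking.hostName`; if it is
# listed it gets every other entry as a peer, otherwise the module is a no-op.
let
  # UDP port the mesh nodes listen on and dial each other on.  The pfSense
  # router advertises its own port in `endpoint`, so this does not apply to it.
  meshPort = 51820;

  meshHosts = {
    kumatani = {
      address = "kumatani";
      publicKey = "pKkl30tba29FG86wuaC0KrpSHMr1tSOujikHFbx75BM=";
      isRouter = false;
      ip = "10.100.0.1";
    };
    usahara = {
      address = "usahara";
      publicKey = "4v7GyAIsKfwWjLMVB4eoosJDvLkIDHW0KsEYoQqSnh4=";
      isRouter = false;
      ip = "10.100.0.2";
    };
    tux = {
      address = "tux";
      # Placeholder, not a key.  Until it is replaced with tux's real public
      # key, tux is left out of every other host's peer list (see
      # `hasValidKey`) and a build-time warning is emitted, instead of handing
      # WireGuard a string it cannot parse.
      publicKey = "TUX_PUBLIC_KEY_HERE=";
      isRouter = false;
      ip = "10.100.0.3";
    };
    oakbay-pfsense = {
      endpoint = "oakbay.lucalise.ca:51822";
      publicKey = "xOTPZBIC9m1BkkiLCOUTty3b7/NOvslteVQHzEFxqWQ=";
      isRouter = true;
      ip = "10.100.0.250";
      # LAN prefixes reachable through the pfSense tunnel.  They are added to
      # this peer's allowedIPs, so packets from these networks are accepted on
      # wg0 -- and, because wg0 is a trusted interface below, they bypass the
      # host firewall entirely.
      routes = [
        "192.168.15.0/27"
        "192.168.20.0/26"
        "192.168.27.0/24"
      ];
    };
  };

  # A WireGuard public key is 32 bytes of base64: 43 symbols plus one "=".
  # Anything else (e.g. the tux placeholder above) is not a usable peer key.
  hasValidKey = host: builtins.match "[A-Za-z0-9+/]{43}=" host.publicKey != null;

  # Names of hosts whose publicKey is malformed; surfaced via `warnings`.
  invalidKeyHosts = lib.attrNames (lib.filterAttrs (_: host: !(hasValidKey host)) meshHosts);

  # Routers publish a fixed endpoint; plain mesh nodes are dialed on their
  # bare hostname and the shared mesh port.  The hostname is resolved by this
  # host's resolver -- presumably via its search domain; confirm when adding
  # a node outside that domain.
  getEndpoint =
    host: if host.isRouter or false then host.endpoint else "${host.address}:${toString meshPort}";

  # Build the `peers` entry for one remote host.  allowedIPs is the peer's own
  # mesh /32 plus any LAN prefixes it routes for.
  mkPeer = _name: host: {
    publicKey = host.publicKey;
    allowedIPs = [ "${host.ip}/32" ] ++ (host.routes or [ ]);
    endpoint = getEndpoint host;
    # Keep NAT mappings alive and periodically re-resolve the endpoint so a
    # peer whose address changed is picked up without a restart.
    persistentKeepalive = 25;
    dynamicEndpointRefreshSeconds = 300;
  };

  # Peers for `selfName`: every other listed host that has a well-formed key.
  mkPeersFor =
    selfName:
    lib.mapAttrsToList mkPeer (
      lib.filterAttrs (name: host: name != selfName && hasValidKey host) meshHosts
    );

  # This host's own mesh entry, or null when it is not part of the mesh.
  selfConfig = meshHosts.${config.networking.hostName} or null;
in
{
  config = lib.mkIf (selfConfig != null) {
    # Make a placeholder/invalid key visible at evaluation time rather than as
    # a silently missing peer.
    warnings = lib.optional (invalidKeyHosts != [ ]) (
      "wireguard mesh: skipping peers with placeholder/invalid publicKey: "
      + lib.concatStringsSep ", " invalidKeyHosts
    );

    networking.wireguard.interfaces.wg0 = {
      # The private key is provisioned out of band and must be readable only
      # by root (0600).  The tmpfiles rule below only guarantees the directory,
      # not the file's mode.
      privateKeyFile = "/etc/wireguard/private.key";
      ips = [ "${selfConfig.ip}/32" ];
      listenPort = meshPort;
      peers = mkPeersFor config.networking.hostName;
    };

    networking.firewall = {
      allowedUDPPorts = [ meshPort ];
      # NOTE(review): trusting wg0 exempts everything arriving over the tunnel
      # from the firewall -- not just the mesh nodes, but every host in the
      # pfSense peer's routed 192.168.x prefixes.  If that LAN side is not
      # fully trusted, replace this with `interfaces.wg0.allowedTCPPorts` /
      # `interfaces.wg0.allowedUDPPorts` listing only the services the mesh
      # actually needs.
      trustedInterfaces = [ "wg0" ];
    };

    systemd.tmpfiles.rules = [
      "d /etc/wireguard 0700 root root -"
    ];
  };
}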