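{
  pkgs,
  lib,
  config,
  ...
}:
let
  # UDP port every NixOS mesh member listens on.  Hoisted into one binding so
  # the listen port, the firewall opening and the non-router endpoint string
  # can no longer drift apart (the original repeated the literal three times).
  meshPort = 51820;

  # Mesh inventory.  Non-router entries are NixOS hosts that dial out to the
  # routers; router entries are the fixed-endpoint gateways that forward the
  # LAN prefixes listed in `routes`.  `publicKey` is what authenticates a
  # peer; `address`/`endpoint` only decide where packets are sent.
  meshHosts = {
    kumatani = {
      address = "kumatani";
      publicKey = "pKkl30tba29FG86wuaC0KrpSHMr1tSOujikHFbx75BM=";
      isRouter = false;
      ip = "10.100.0.1";
    };
    usahara = {
      address = "usahara";
      publicKey = "4v7GyAIsKfwWjLMVB4eoosJDvLkIDHW0KsEYoQqSnh4=";
      isRouter = false;
      ip = "10.100.0.2";
    };
    tux = {
      address = "tux";
      publicKey = "Z17ci3Flk1eDAhJ8QZSUgtmlw6BVu4XqvpqLKLWTYWw=";
      isRouter = false;
      ip = "10.100.0.3";
    };
    oakbay-pfsense = {
      endpoint = "oakbay.lucalise.ca:51822";
      publicKey = "xOTPZBIC9m1BkkiLCOUTty3b7/NOvslteVQHzEFxqWQ=";
      isRouter = true;
      ip = "10.100.0.250";
      # 10.100.0.0/24 covers the other members' /32s, so member-to-member
      # traffic is hairpinned through this router (members never peer with
      # each other, see mkPeersFor).  It also covers pearce-udm's
      # 10.100.0.251/32; WireGuard selects the longest matching allowed-IP
      # prefix, so that /32 should still be sent to pearce-udm -- verify if
      # the two routers' prefixes are ever changed.
      routes = [
        "10.100.0.0/24"
        "192.168.15.0/27"
        "192.168.20.0/26"
        "192.168.27.0/24"
      ];
    };
    pearce-udm = {
      endpoint = "pearce.lucalise.ca:51823";
      publicKey = "hDb2DzI+isaqXLdxwAF1hc5Nid8TK/M1SQ+zDpf9QxY=";
      isRouter = true;
      ip = "10.100.0.251";
      routes = [
        "192.168.18.0/27"
      ];
    };
  };

  # Endpoint string for a peer entry: routers carry an explicit host:port,
  # every other member is reached by its bare hostname on meshPort, which the
  # kernel/wg tooling resolves via DNS.  (Only routers are ever emitted as
  # peers today, so the second branch is kept for completeness.)
  getEndpoint =
    host: if host.isRouter or false then host.endpoint else "${host.address}:${toString meshPort}";

  # One `networking.wireguard.interfaces.*.peers` entry for `host`.
  mkPeer = name: host: {
    publicKey = host.publicKey;
    # The peer's own /32 plus whatever it routes for.  These are both the
    # kernel routes installed via wg0 and the only source addresses accepted
    # from this key (cryptokey routing), so keep them as tight as possible.
    allowedIPs = [ "${host.ip}/32" ] ++ (host.routes or [ ]);
    endpoint = getEndpoint host;
    # Keeps NAT/conntrack state alive from behind home routers.
    persistentKeepalive = 25;
    # Re-resolve the endpoint's DNS name every 5 min so dynamic-DNS changes
    # are picked up.  A wrong or spoofed answer can only misdirect packets;
    # the handshake is still bound to publicKey, so this is availability, not
    # authenticity, risk.
    dynamicEndpointRefreshSeconds = 300;
  };

  # Peer list for the host named `selfName`: every router except itself.
  # Non-routers are deliberately not peered with one another; the topology is
  # hub-and-spoke through the routers.
  mkPeersFor =
    selfName:
    lib.mapAttrsToList mkPeer (
      lib.filterAttrs (name: host: name != selfName && (host.isRouter or false)) meshHosts
    );

  # This host's inventory entry, or null when it is not a mesh member.
  selfConfig = meshHosts.${config.networking.hostName} or null;
in
{
  # The whole module is a no-op on hosts absent from meshHosts.
  config = lib.mkIf (selfConfig != null) {
    networking.wireguard.interfaces = {
      wg0 = {
        # Provisioned out of band.  The tmpfiles rule below only fixes the
        # directory mode; the key file's own mode/ownership is the
        # provisioner's responsibility.
        privateKeyFile = "/etc/wireguard/private.key";
        ips = [ "${selfConfig.ip}/32" ];
        listenPort = meshPort;
        peers = mkPeersFor config.networking.hostName;
      };
    };
    networking.firewall = {
      allowedUDPPorts = [ meshPort ];
      # NOTE(review): trusting wg0 disables input filtering for everything
      # that arrives on it -- not only the router peers themselves but any
      # host inside the LAN prefixes they forward (their `routes`).  If only
      # specific services should be reachable over the mesh, drop this and
      # list them under networking.firewall.interfaces.wg0.allowedTCPPorts /
      # allowedUDPPorts instead.
      trustedInterfaces = [ "wg0" ];
    };
    systemd.tmpfiles.rules = [
      "d /etc/wireguard 0700 root root -"
    ];
  };
}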