hosts/oignon/wireguard.nix

   1 { pkgs, lib, config, hostName, private, ... }:
   2 let
   3   inherit (config.services) wireguard;
   4   domain = "sourcephile.fr";
   5   iface = "wg-intra";
   6   peer = {
   7     publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
   8     allowedIPs = [ "192.168.42.3/32" ];
   9   };
  10 in
  11 {
  12 services.openssh.listenAddresses = map (ip: {addr=lib.removeSuffix "/32" ip;}) peer.allowedIPs;
  13 networking.firewall.extraCommands = ''
  14   ip46tables -A nixos-fw -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
  15 '';
  16 networking.hosts = builtins.listToAttrs (lib.concatMap (peer:
  17   let host = lib.removeSuffix ".${domain}:43642" peer.endpoint + ".wg"; in
  18   map (ip: lib.nameValuePair (lib.removeSuffix "/32" ip) [host]) peer.allowedIPs
  19   ) config.networking.wireguard.interfaces.${iface}.peers);
  20 networking.wireguard.interfaces.${iface} = {
  21   ips = peer.allowedIPs;
  22   privateKeyFile = "${private}/${hostName}/wireguard/${iface}/privateKey";
  23   peers = [
  24     {
  25       publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
  26       endpoint = "losurdo.${domain}:43642";
  27       allowedIPs = [ "192.168.42.2/32" ];
  28       persistentKeepalive = 25;
  29     }
  30   ];
  31 };
  32 }