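# WireGuard "intra" tunnel for host oignon: one interface (wg-intra), two
# remote peers (mermet, losurdo), a firewall opening for SSH over the tunnel,
# and /etc/hosts entries for the peers' tunnel addresses.
{ pkgs, lib, config, hostName, private, ... }:
let
  domain = "sourcephile.fr";
  iface = "wg-intra";
  # The interface defined below, read back through config for its listenPort.
  wg = config.networking.wireguard.interfaces.${iface};
  # This host's own tunnel identity: its public key and its /32 tunnel address.
  peer = {
    publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
    allowedIPs = [ "192.168.42.3/32" ];
  };
  # Remote peers keyed by host name; the key also names the "<peerName>.wg"
  # hosts entries generated further down.
  peers = {
    mermet = {
      publicKey = "XbTEP2X71LBTjmdmySdiOpQJ+uIomcXvg1aiQGUtWBI=";
      endpoint = "mermet.${domain}:43642";
      # NOTE(review): endpointsUpdater is not a stock networking.wireguard peer
      # option; presumably declared by a module elsewhere in this repo — verify.
      endpointsUpdater.enable = true;
      allowedIPs = [ "192.168.42.1/32" ];
      persistentKeepalive = 25;
      # Re-apply the peer every 30 minutes so the endpoint's DNS name is re-resolved.
      dynamicEndpointRefreshSeconds = 30 * 60;
    };
    losurdo = {
      publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
      # No endpoint: this host cannot initiate towards losurdo, so losurdo has
      # to reach us first (hence the keepalive once the session exists).
      #endpoint = "losurdo.${domain}:43642";
      allowedIPs = [ "192.168.42.2/32" ];
      persistentKeepalive = 25;
    };
  };
  # Escape the characters a base64 WireGuard key can contain ("/", "+", "=")
  # plus "-" and " " the way systemd escapes unit names.
  # lib.replaceChars is a deprecated alias of lib.replaceStrings with the same
  # semantics. Not referenced anywhere in this file.
  keyToUnitName = lib.replaceStrings
    [ "/" "-" " " "+" "=" ]
    [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ];
in
{
  # First rule: SSH is accepted only on the tunnel interface.
  # NOTE(review): on the second rule, iptables' -i takes an interface name
  # (a trailing "+" is the only wildcard), so "-i any" is unlikely to match
  # real traffic; if inbound handshakes from the peers are expected, drop
  # "-i any" or use networking.firewall.allowedUDPPorts — confirm with the
  # live ruleset.
  networking.firewall.extraCommands = ''
    ip46tables -A nixos-fw -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
    ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
  '';
  networking.wireguard.interfaces.${iface} = {
    ips = peer.allowedIPs;
    # Different from losurdo's listenPort to have them work behind the same NAT.
    listenPort = 43641;
    # NOTE(review): `private` must be a string, not a Nix path value —
    # interpolating a path value here would copy the whole private tree into
    # the world-readable Nix store. Assumes it is a string; verify at the caller.
    privateKeyFile = "${private}/${hostName}/wireguard/${iface}/privateKey";
    peers = lib.attrValues peers;
  };
  # /etc/hosts: each peer's tunnel address (its "/32" stripped) resolves to
  # "<peerName>.wg". The lambda parameter is named peerCfg so it does not
  # shadow the outer `peer` binding.
  networking.hosts = builtins.listToAttrs (lib.concatLists (lib.attrValues (lib.mapAttrs
    (peerName: peerCfg:
      map (ip: lib.nameValuePair (lib.removeSuffix "/32" ip) [ "${peerName}.wg" ]) peerCfg.allowedIPs
    ) peers)));
  /*
  systemd.services =
    {
      openssh = {
        after = ["wireguard-${iface}.service"];
        serviceConfig.Restart = "on-failure";
      };
    };
  services.openssh.listenAddresses = map (ip: {addr=lib.removeSuffix "/32" ip;}) peer.allowedIPs;
  */
}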