1 { pkgs, lib, config, hostName, credentials, ... }:
4 peers = import wg-intra/peers.nix;
5 wg = config.networking.wireguard.interfaces.${iface};
8 options.networking.wireguard.${iface}.peers =
9 lib.genAttrs (lib.attrNames peers) (peerName: {
10 enable = lib.mkEnableOption "this peer";
13 systemd.services."wireguard-${iface}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${iface}/privateKey.secret";
14 networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
15 (removeAttrs peers.${hostName} ["ipv4" "persistentKeepalive" "peer"])
18 lib.mapAttrsToList (peerName: peer:
22 peer.persistentKeepalive # Useful if this peer is behind a NAT
23 or peers.${hostName}.persistentKeepalive # Useful if this host is behind a NAT
28 (lib.filterAttrs (peerName: _: config.networking.wireguard.${iface}.peers.${peerName}.enable) peers)
30 privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
32 # Set the MTU to a minimum
33 # (IPv4 requires at least 68 but it's 1280 for IPv6).
34 # This prevents connections to stall on huge packets,
35 # or delaying their initializing due to TCP PMTU probing.
37 ip link set dev ${iface} mtu 1280
40 networking.hosts = lib.mkMerge [
41 (lib.mapAttrs' (hostName: host:
42 lib.nameValuePair host.ipv4 [ "${hostName}.wg" ]) peers)
44 "${peers.losurdo.ipv4}" = [
45 "nix-extracache.losurdo.wg"
46 "nix-localcache.losurdo.wg"
51 networking.firewall.extraCommands = lib.optionalString (wg.listenPort != null) ''
52 ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
54 services.fail2ban.ignoreIP = lib.concatMap
55 (host: host.peer.allowedIPs)
56 (lib.attrValues peers);
sourcephile / git / julm / julm-nix.git / blob