1 { pkgs, lib, config, hostName, private, ... }:
3 inherit (config.services) wireguard;
4 domain = "sourcephile.fr";
7 publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
8 allowedIPs = [ "192.168.42.3/32" ];
10 keyToUnitName = lib.replaceChars
11 [ "/" "-" " " "+" "=" ]
12 [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ];
15 networking.firewall.extraCommands = ''
16 ip46tables -A nixos-fw -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
18 networking.wireguard.interfaces.${iface} = {
19 ips = peer.allowedIPs;
20 privateKeyFile = "${private}/${hostName}/wireguard/${iface}/privateKey";
23 publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
24 endpoint = "losurdo.${domain}:43642";
25 allowedIPs = [ "192.168.42.2/32" ];
26 persistentKeepalive = 25;
30 networking.hosts = builtins.listToAttrs (lib.concatMap (peer:
31 let host = lib.removeSuffix ".${domain}:43642" peer.endpoint + ".wg"; in
32 map (ip: lib.nameValuePair (lib.removeSuffix "/32" ip) [host]) peer.allowedIPs
33 ) config.networking.wireguard.interfaces.${iface}.peers);
34 systemd.services = builtins.listToAttrs (map (peer:
35 lib.nameValuePair "wireguard-${iface}-peer-${keyToUnitName peer.publicKey}"
37 serviceConfig.Restart = "on-failure";
38 serviceConfig.RestartSec = 15;
40 ) config.networking.wireguard.interfaces.${iface}.peers) //
41 { openssh.serviceConfig = {
42 before = ["wireguard-${iface}.service"];
43 requires = ["wireguard-${iface}.service"];
46 services.openssh.listenAddresses = map (ip: {addr=lib.removeSuffix "/32" ip;}) peer.allowedIPs;
sourcephile / git / julm / julm-nix.git / blob