{ pkgs, lib, config, hostName, private, ... }:
let
iface = "wg-intra";
- hosts = import wg-intra/hosts.nix;
+ peers = import wg-intra/peers.nix;
wg = config.networking.wireguard.interfaces.${iface};
in
{
+options.networking.wireguard.${iface}.peers =
+ lib.genAttrs (lib.attrNames peers) (peerName: {
+ enable = lib.mkEnableOption "this peer";
+ });
+config = {
networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
- (removeAttrs hosts.${hostName} ["ipv4" "persistentKeepalive" "peer"])
+ (removeAttrs peers.${hostName} ["ipv4" "persistentKeepalive" "peer"])
{
peers =
- lib.mapAttrsToList (peerName: peer: lib.recursiveUpdate
- { persistentKeepalive =
- peer.persistentKeepalive # Useful if this peer is behind a NAT
- or hosts.${hostName}.persistentKeepalive # Useful if this host is behind a NAT
- or null; }
- peer.peer
- ) (removeAttrs hosts [hostName]);
+ lib.mapAttrsToList (peerName: peer:
+ lib.recursiveUpdate
+ {
+ persistentKeepalive =
+ peer.persistentKeepalive # Useful if this peer is behind a NAT
+ or peers.${hostName}.persistentKeepalive # Useful if this host is behind a NAT
+ or null;
+ }
+ peer.peer)
+ (removeAttrs
+ (lib.filterAttrs (peerName: _: config.networking.wireguard.${iface}.peers.${peerName}.enable) peers)
+ [hostName]);
privateKeyFile = lib.mkDefault "${private}/${hostName}/wireguard/${iface}/privateKey";
# Set the MTU to a minimum
};
networking.hosts = lib.mkMerge [
(lib.mapAttrs' (hostName: host:
- lib.nameValuePair host.ipv4 [ "${hostName}.wg" ]) hosts)
- { "${hosts.losurdo.ipv4}" = [
+ lib.nameValuePair host.ipv4 [ "${hostName}.wg" ]) peers)
+ { "${peers.losurdo.ipv4}" = [
"nix-extracache.losurdo.wg"
"nix-localcache.losurdo.wg"
]; }
'';
services.fail2ban.ignoreIP = lib.concatMap
(host: host.peer.allowedIPs)
- (lib.attrValues hosts);
+ (lib.attrValues peers);
+};
}
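Review bot: The per-peer `enable` filter introduced at L36 only narrows the WireGuard `peers` list; `networking.hosts` (L45) and `services.fail2ban.ignoreIP` (L54) still iterate over the full `peers` set, so a peer that is disabled on this host keeps its `allowedIPs` exempt from fail2ban and keeps a `<name>.wg` hosts entry even though no tunnel to it is configured on this interface. Since the exemption is security-relevant, the filtered set should be computed once and reused: add `enabledPeers = lib.filterAttrs (peerName: _: config.networking.wireguard.${iface}.peers.${peerName}.enable) peers;` to the `let` block (L2–L7), use `(removeAttrs enabledPeers [hostName])` at L35–L37, and replace `peers` with `enabledPeers` at L45 and L54. Note that with that change the host's own `.wg` hosts entry and its own `allowedIPs` are only kept when its own `enable` flag is set, so either set it in the host's config or merge `peers.${hostName}` back in explicitly. This is lazy evaluation over option values, so hoisting it into `let` does not introduce an evaluation cycle as long as the `options` declaration keeps depending only on `peers`, as it does at L9–L12.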