wireguard: enable hole punching
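# NixOS module for the "wg-intra" WireGuard mesh between the hosts listed below.
#
# `hostName` selects which entry of `hosts` describes the machine being built;
# every *other* entry becomes a peer of its interface. Each host entry carries:
#   ipv4                 - address of the host on the mesh network
#   ips                  - the address list handed to the local interface (/24)
#   listenPort           - optional fixed UDP port (omitted on hosts without one)
#   persistentKeepalive  - optional keepalive applied to every peer of *this* host
#   peer                 - the attrset that the other hosts use as their
#                          `networking.wireguard.interfaces.<n>.peers` entry
#                          (public key, /32 allowedIPs, optional endpoint)
# The `peersAnnouncing` / `endpointReceiving` attributes are not stock NixOS
# WireGuard options; presumably they come from a local module implementing the
# hole-punching this file is about (TODO confirm against that module).
#
# NOTE(review): no `privateKeyFile` is set here, so it must be provided by
# another module for the interface to come up — verify.
{ pkgs, lib, config, hostName, ... }:
let
  hosts = {
    mermet = rec {
      ipv4 = "192.168.42.1";
      ips = [ "${ipv4}/24" ];
      listenPort = 43642;
      peersAnnouncing.enable = true;
      peer = {
        publicKey = "XbTEP2X71LBTjmdmySdiOpQJ+uIomcXvg1aiQGUtWBI=";
        allowedIPs = [ "${ipv4}/32" ];
        # Only this host has a public, reachable endpoint; the others reach it
        # and rely on the peer-announcement mechanism to learn each other's.
        endpoint = "80.67.180.129:${toString listenPort}";
        endpointReceiving.enable = true;
      };
    };
    losurdo = rec {
      ipv4 = "192.168.42.2";
      ips = [ "${ipv4}/24" ];
      listenPort = 43642;
      persistentKeepalive = 10;
      peer = {
        publicKey = "xsFFep3k8z0pXgUOz4aryOF8l/KPBSOd4WQA26BkXy0=";
        allowedIPs = [ "${ipv4}/32" ];
      };
    };
    oignon = rec {
      ipv4 = "192.168.42.3";
      ips = [ "${ipv4}/24" ];
      #persistentKeepalive = 10;
      peer = {
        publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
        allowedIPs = [ "${ipv4}/32" ];
        #persistentKeepalive = 25;
        #dynamicEndpointRefreshSeconds = 60;
      };
    };
  };

  # The host entry describing the machine this module is being evaluated for.
  self = hosts.${hostName};

  # Attributes of a host entry that describe the host to *others* or are only
  # consumed here; everything else is passed through to the interface options.
  nonInterfaceAttrs = [ "ipv4" "persistentKeepalive" "peer" ];
in
{
  networking.wireguard.interfaces.wg-intra = lib.recursiveUpdate
    (removeAttrs self nonInterfaceAttrs)
    {
      # Every other host is a peer. This host's `persistentKeepalive` (if any)
      # is applied to each peer; `null` is the option's "unset" value.
      peers = lib.mapAttrsToList
        (_peerName: other: lib.recursiveUpdate
          { persistentKeepalive = self.persistentKeepalive or null; }
          other.peer)
        (removeAttrs hosts [ hostName ]);
    };

  # Resolve "<host>.wg" to the mesh address of each host (this one included).
  # The lambda parameter is deliberately not called `hostName` so it does not
  # shadow the module argument selecting the current machine.
  networking.hosts = lib.mapAttrs'
    (name: host: lib.nameValuePair host.ipv4 [ "${name}.wg" ])
    hosts;

  # Never ban traffic arriving from a mesh peer: only the /32 addresses listed
  # in each host's `peer.allowedIPs` are exempted, not the whole /24.
  services.fail2ban.ignoreIP = lib.concatMap
    (host: host.peer.allowedIPs)
    (lib.attrValues hosts);
}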