dotfiles/nix/modules/services/wireguard.nix (view raw)
| 1 | { config, pkgs, ... }: |
| 2 | let |
| 3 | peers = [ |
| 4 | { name = "laptop"; key = "cF0abpqZiMrofQUgFHS4D+FuXq3ZoCPBQUlr6WuvBwM="; ip = "10.100.0.2"; } |
| 5 | { name = "phone"; key = "GodHMXUBh/0aEyz+XBJID7pm/Hi8xnZv6YzkQbl/Uwc="; ip = "10.100.0.3"; } |
| 6 | ]; |
| 7 | in { |
| 8 | age.secrets.wg-key.file = ../../secrets/wg-key.age; |
| 9 | |
| 10 | boot.kernel.sysctl."net.ipv4.ip_forward" = 1; |
| 11 | networking = { |
| 12 | nat = { |
| 13 | enable = true; |
| 14 | externalInterface = "ens3"; |
| 15 | internalInterfaces = [ "wg0" ]; |
| 16 | }; |
| 17 | firewall.allowedUDPPorts = [ 51820 ]; |
| 18 | wireguard.interfaces."wg0" = { |
| 19 | ips = [ "10.100.0.1/24" ]; |
| 20 | listenPort = 51820; |
| 21 | privateKeyFile = config.age.secrets.wg-key.path; |
| 22 | postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE''; |
| 23 | postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE''; |
| 24 | peers = map(p: { |
| 25 | publicKey = p.key; |
| 26 | allowedIPs = [ "${p.ip}/32" ]; |
| 27 | }) peers; |
| 28 | }; |
| 29 | }; |
| 30 | } |