authorMel <mel@rnrd.eu>2025-08-27 13:14:42 +0200
committerMel <mel@rnrd.eu>2025-08-27 13:14:42 +0200
commit8a901c24b029719cc8d3ff355f95bceb1dc93b60 (patch)
tree0011d01f53a4e03dd571063608148cd899a26e8c /modules/foundation/wireguard.nix
parent8df556f5552ed05715514c5b61a7226b1f176591 (diff)
Move WireGuard server peer definitions to configuration option
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules/foundation/wireguard.nix')
-rw-r--r--modules/foundation/wireguard.nix135
1 files changed, 74 insertions, 61 deletions
diff --git a/modules/foundation/wireguard.nix b/modules/foundation/wireguard.nix
index 110a2a4..366a353 100644
--- a/modules/foundation/wireguard.nix
+++ b/modules/foundation/wireguard.nix
@@ -12,6 +12,8 @@ let
     mkIf
     mkEnableOption
     mkOption
+    assertMsg
+    types
     ;
 
   cfg = config.foundation.wireguard;
@@ -23,43 +25,39 @@ let
   wireguardIPv6 = number: subnet: "fd0f:123::${number}/${subnet}";
 
   wireguardInterface = "wg0";
-
-  peerIPs = peerNumber: [
-    (wireguardIPv4 peerNumber "32")
-    (wireguardIPv6 peerNumber "128")
-  ];
-
-  peers = [
-    # mel
-    {
-      publicKey = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
-      allowedIPs = peerIPs "2";
-    }
-
-    # andrei
-    {
-      publicKey = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg=";
-      allowedIPs = peerIPs "3";
-    }
-
-    # sergo
-    {
-      publicKey = "qbZGMNIDZFCJC6SHtlyNIlIdGWHELceXClJCcagrj2Y=";
-      allowedIPs = peerIPs "4";
-    }
-  ];
 in
 {
-  options.foundation.wireguard = {
-    server = {
-      enable = mkEnableOption "wireguard vpn server";
-
-      externalInterface = mkOption {
-        type = lib.types.string;
-        default = "eth0";
+  options.foundation.wireguard =
+    let
+      peerSubmodule =
+        with types;
+        submodule {
+          options = {
+            ip = mkOption {
+              type = int;
+            };
+
+            key = mkOption {
+              type = str;
+            };
+          };
+        };
+    in
+    {
+      server = {
+        enable = mkEnableOption "wireguard vpn server";
+
+        externalInterface = mkOption {
+          type = types.str;
+          default = "eth0";
+        };
+
+        peers = mkOption {
+          type = types.attrsOf peerSubmodule;
+          default = { };
+        };
       };
     };
-  };
 
   config = mkIf cfg.server.enable {
     age.secrets.wireguard-private-key = {
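Review bot: The `ip` option of `peerSubmodule` is an unbounded `int`, so the only thing standing between a bad value and an invalid address is the later runtime assert in `mkPeer`; declaring it as `type = types.ints.between 2 254;` (2 because the server takes host number 1 on the next hunk's `ips`, 254 assuming `wireguardIPv4` places the number in the last octet the way `wireguardIPv6` places it in the last group) reports the problem at the option definition site with the module path and makes the separate assert unnecessary. Both submodule options also lack a `description`, e.g. `description = "Host number of the peer inside the VPN subnet; 1 is reserved for the server.";` and `description = "WireGuard public key of the peer.";`, which generated option docs would otherwise show empty. Worth a comment on the option too: `toString p.ip` is interpolated as decimal into the IPv4 address but lands in a hex group of `fd0f:123::${number}`, so peer 10 gets `::10` (decimal 16) — consistent as long as every peer is generated the same way, but surprising to anyone reading the addresses.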
@@ -85,33 +83,48 @@ in
       "net.ipv6.conf.default.forwarding" = 1;
     };
 
-    networking.wireguard.interfaces.${wireguardInterface} = let
-      inherit (cfg.server) externalInterface;
-    in
-    {
-      inherit peers;
-
-      # ip address of server + subnet of network
-      ips = [
-        (wireguardIPv4 "1" "24")
-        (wireguardIPv6 "1" "112")
-      ];
-      listenPort = wireguardPort;
-
-      # route wireguard traffic to the internet
-      # also requires clients to have dns set. (i think)
-      # to avoid, maybe? use wg-quick + dnsmasq?
-      postSetup = ''
-        ${iptables}/bin/iptables -t nat -A POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
-        ${iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
-      '';
-
-      postShutdown = ''
-        ${iptables}/bin/iptables -t nat -D POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
-        ${iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
-      '';
-
-      privateKeyFile = config.age.secrets.wireguard-private-key.path;
-    };
+    networking.wireguard.interfaces.${wireguardInterface} =
+      let
+        inherit (cfg.server) externalInterface;
+
+        peerIPs = peerNumber: [
+          (wireguardIPv4 peerNumber "32")
+          (wireguardIPv6 peerNumber "128")
+        ];
+
+        mkPeer =
+          p:
+          assert assertMsg (p.ip > 1) "ip has to be larger that 1";
+          {
+            allowedIPs = peerIPs (toString p.ip);
+            publicKey = p.key;
+          };
+        peers = map mkPeer (builtins.attrValues cfg.server.peers);
+      in
+      {
+        inherit peers;
+
+        # ip address of server + subnet of network
+        ips = [
+          (wireguardIPv4 "1" "24")
+          (wireguardIPv6 "1" "112")
+        ];
+        listenPort = wireguardPort;
+
+        # route wireguard traffic to the internet
+        # also requires clients to have dns set. (i think)
+        # to avoid, maybe? use wg-quick + dnsmasq?
+        postSetup = ''
+          ${iptables}/bin/iptables -t nat -A POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
+          ${iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
+        '';
+
+        postShutdown = ''
+          ${iptables}/bin/iptables -t nat -D POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
+          ${iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
+        '';
+
+        privateKeyFile = config.age.secrets.wireguard-private-key.path;
+      };
   };
 }
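Review bot: The assert in `mkPeer` only bounds `p.ip` from below and nothing rejects two peers declaring the same number, which yields overlapping `allowedIPs`; WireGuard keeps a single owner per allowed IP, so the peer configured last silently takes the route and the other one stops receiving traffic. The message also has a typo: `assert assertMsg (p.ip > 1 && p.ip < 255) "ip has to be larger than 1 and smaller than 255";` (upper bound on the assumption that `wireguardIPv4`, defined outside this hunk, puts the number in the last octet as `wireguardIPv6` does). A uniqueness check next to the `peers` binding, `peerNumbers = map (p: p.ip) (builtins.attrValues cfg.server.peers);` followed by `assert assertMsg (lib.unique peerNumbers == peerNumbers) "peer ips must be unique";`, catches the collision at evaluation time instead of at runtime (`lib` is still a module argument per the old side's `lib.types.string`). The NAT rules and `privateKeyFile` are carried over unchanged, and the enclosing `config` attrset starts before this hunk.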