From 8a901c24b029719cc8d3ff355f95bceb1dc93b60 Mon Sep 17 00:00:00 2001
From: Mel
Date: Wed, 27 Aug 2025 13:14:42 +0200
Subject: Move WireGuard server peer definitions to configuration option

Signed-off-by: Mel
---
 machines/renard/default.nix | 18 ++++++
 machines/taupe/default.nix | 17 +++++
 machines/zibeline/default.nix | 17 +++++
 modules/foundation/wireguard.nix | 135 +++++++++++++++++++++------------
 4 files changed, 126 insertions(+), 61 deletions(-)

diff --git a/machines/renard/default.nix b/machines/renard/default.nix
index d9871c3..4b9386d 100644
--- a/machines/renard/default.nix
+++ b/machines/renard/default.nix
@@ -48,6 +48,24 @@
 "goat"
 ];
 };
+
+ wireguard.server = {
+ enable = true;
+ externalInterface = "ens18";
+
+ peers = {
+ mel = {
+ key = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
+ ip = 2;
+ };
+
+ # serpentine will use renard for ipv4-only communication (like github)
+ serpentine = {
+ key = "izeA+l8uGdHdfVw8B2yIMk4gXdapwyuCzSqLuEQzDFc=";
+ ip = 3;
+ };
+ };
+ };
 };

 services.nginx.virtualHosts = {
diff --git a/machines/taupe/default.nix b/machines/taupe/default.nix
index 643c939..ef3fc6a 100644
--- a/machines/taupe/default.nix
+++ b/machines/taupe/default.nix
@@ -26,6 +26,23 @@
 wireguard.server = {
 enable = true;
 externalInterface = "enp1s0";
+
+ peers = {
+ mel = {
+ key = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
+ ip = 2;
+ };
+
+ andrei = {
+ key = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg=";
+ ip = 3;
+ };
+
+ sergo = {
+ key = "qbZGMNIDZFCJC6SHtlyNIlIdGWHELceXClJCcagrj2Y=";
+ ip = 4;
+ };
+ };
 };
 };

diff --git a/machines/zibeline/default.nix b/machines/zibeline/default.nix
index 82e93bd..9670da2 100644
--- a/machines/zibeline/default.nix
+++ b/machines/zibeline/default.nix
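Review bot: The `peers` block added to taupe is copied line for line into zibeline, and the `mel` entry appears a third time in renard, so a key rotation or an `ip` change has to be repeated in three machine files and will drift the moment one is missed. This is a style point, since each server legitimately gets its own peer set; the fix is to lift the shared entries into one attribute set that the machine files import and merge with their machine-specific peers, e.g. `peers = sharedPeers // { serpentine = { key = "..."; ip = 3; }; };` in renard (where to keep `sharedPeers` is the author's choice). The `ip` values happen to be identical in every file today, which makes the merge safe as written.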
@@ -27,6 +27,23 @@
 wireguard.server = {
 enable = true;
 externalInterface = "eth0";
+
+ peers = {
+ mel = {
+ key = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
+ ip = 2;
+ };
+
+ andrei = {
+ key = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg=";
+ ip = 3;
+ };
+
+ sergo = {
+ key = "qbZGMNIDZFCJC6SHtlyNIlIdGWHELceXClJCcagrj2Y=";
+ ip = 4;
+ };
+ };
 };
 };

diff --git a/modules/foundation/wireguard.nix b/modules/foundation/wireguard.nix
index 110a2a4..366a353 100644
--- a/modules/foundation/wireguard.nix
+++ b/modules/foundation/wireguard.nix
@@ -12,6 +12,8 @@ let
 mkIf
 mkEnableOption
 mkOption
+ assertMsg
+ types
 ;

 cfg = config.foundation.wireguard;
@@ -23,43 +25,39 @@ let
 wireguardIPv6 = number: subnet: "fd0f:123::${number}/${subnet}";

 wireguardInterface = "wg0";
-
- peerIPs = peerNumber: [
- (wireguardIPv4 peerNumber "32")
- (wireguardIPv6 peerNumber "128")
- ];
-
- peers = [
- # mel
- {
- publicKey = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
- allowedIPs = peerIPs "2";
- }
-
- # andrei
- {
- publicKey = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg=";
- allowedIPs = peerIPs "3";
- }
-
- # sergo
- {
- publicKey = "qbZGMNIDZFCJC6SHtlyNIlIdGWHELceXClJCcagrj2Y=";
- allowedIPs = peerIPs "4";
- }
- ];
 in
 {
- options.foundation.wireguard = {
- server = {
- enable = mkEnableOption "wireguard vpn server";
-
- externalInterface = mkOption {
- type = lib.types.string;
- default = "eth0";
+ options.foundation.wireguard =
+ let
+ peerSubmodule =
+ with types;
+ submodule {
+ options = {
+ ip = mkOption {
+ type = int;
+ };
+
+ key = mkOption {
+ type = str;
+ };
+ };
+ };
+ in
+ {
+ server = {
+ enable = mkEnableOption "wireguard vpn server";
+
+ externalInterface = mkOption {
+ type = types.str;
+ default = "eth0";
+ };
+
+ peers = mkOption {
+ type = types.attrsOf peerSubmodule;
+ default = { };
+ };
 };
 };
- };

 config = mkIf cfg.server.enable {
 age.secrets.wireguard-private-key = {
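Review bot: The `ip` and `key` options of `peerSubmodule` carry no `description` and no type narrower than `int`/`str`, so the new public interface is undocumented and the only validation is the runtime `assert` in the interface definition later in the file. Declaring `type = ints.between 2 254;` on `ip` (1 is the server, and the `"24"` subnet passed to `wireguardIPv4` in the interface hunk suggests a /24 — confirm against that helper) moves the check to option evaluation, where the error names the offending definition, and `type = strMatching "[A-Za-z0-9+/]{43}=";` on `key` rejects anything that is not a base64 WireGuard key before it reaches the interface. Each option should also get a one-line `description`, e.g. `description = "Host number of this peer inside the VPN subnet; 1 is reserved for the server.";` and `description = "WireGuard public key of the peer.";`.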
@@ -85,33 +83,48 @@ in
 "net.ipv6.conf.default.forwarding" = 1;
 };

- networking.wireguard.interfaces.${wireguardInterface} = let
- inherit (cfg.server) externalInterface;
- in
- {
- inherit peers;
-
- # ip address of server + subnet of network
- ips = [
- (wireguardIPv4 "1" "24")
- (wireguardIPv6 "1" "112")
- ];
- listenPort = wireguardPort;
-
- # route wireguard traffic to the internet
- # also requires clients to have dns set. (i think)
- # to avoid, maybe? use wg-quick + dnsmasq?
- postSetup = ''
- ${iptables}/bin/iptables -t nat -A POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
- ${iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
- '';
-
- postShutdown = ''
- ${iptables}/bin/iptables -t nat -D POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
- ${iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
- '';
-
- privateKeyFile = config.age.secrets.wireguard-private-key.path;
- };
+ networking.wireguard.interfaces.${wireguardInterface} =
+ let
+ inherit (cfg.server) externalInterface;
+
+ peerIPs = peerNumber: [
+ (wireguardIPv4 peerNumber "32")
+ (wireguardIPv6 peerNumber "128")
+ ];
+
+ mkPeer =
+ p:
+ assert assertMsg (p.ip > 1) "ip has to be larger that 1";
+ {
+ allowedIPs = peerIPs (toString p.ip);
+ publicKey = p.key;
+ };
+ peers = map mkPeer (builtins.attrValues cfg.server.peers);
+ in
+ {
+ inherit peers;
+
+ # ip address of server + subnet of network
+ ips = [
+ (wireguardIPv4 "1" "24")
+ (wireguardIPv6 "1" "112")
+ ];
+ listenPort = wireguardPort;
+
+ # route wireguard traffic to the internet
+ # also requires clients to have dns set. (i think)
+ # to avoid, maybe? use wg-quick + dnsmasq?
+ postSetup = ''
+ ${iptables}/bin/iptables -t nat -A POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
+ ${iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
+ '';
+
+ postShutdown = ''
+ ${iptables}/bin/iptables -t nat -D POSTROUTING -s ${wireguardIPv4 "0" "24"} -o ${externalInterface} -j MASQUERADE
+ ${iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${wireguardIPv6 "0" "112"} -o ${externalInterface} -j MASQUERADE
+ '';
+
+ privateKeyFile = config.age.secrets.wireguard-private-key.path;
+ };
 };
 }

-- 
cgit 1.4.1
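Review bot: `mkPeer` rejects `ip <= 1` but nothing in the hunk rejects two peers declaring the same `ip`, which `attrsOf` makes an easy copy-paste mistake; both entries would get identical `allowedIPs`, and since WireGuard maps each allowed IP to exactly one peer the second definition silently takes the route from the first. A uniqueness assertion next to `peers` closes that gap: `peerIps = map (p: p.ip) (builtins.attrValues cfg.server.peers);` followed by `peers = assert assertMsg (lib.unique peerIps == peerIps) "wireguard peer ips must be unique"; map mkPeer (builtins.attrValues cfg.server.peers);`. The existing message also has a typo, `"ip has to be larger that 1"` should read `"ip has to be larger than 1"`. The interface definition is complete within the hunk, but the enclosing `config = mkIf cfg.server.enable { ... }` block starts before it.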