dotfiles/modules/nixos/services/wireguard.nix

52 lines
1.4 KiB
Nix
Raw Permalink Normal View History

2024-01-10 04:11:11 +00:00
# Wireguard is a VPN protocol that can be setup to create a mesh network
# between machines on different LANs. This is currently not in use in my setup.
{ config, pkgs, lib, ... }: {
2022-10-09 14:12:31 +00:00
2022-12-21 21:18:03 +00:00
options.wireguard.enable = lib.mkEnableOption "Wireguard VPN setup.";
2022-10-09 14:12:31 +00:00
config = lib.mkIf (pkgs.stdenv.isLinux) {
2022-10-09 14:12:31 +00:00
networking.wireguard = {
enable = config.wireguard.enable;
interfaces = {
wg0 = {
2022-10-09 14:12:31 +00:00
# Something to use as a default value
ips = lib.mkDefault [ "127.0.0.1/32" ];
# Establishes identity of this machine
generatePrivateKeyFile = false;
privateKeyFile = config.secrets.wireguard.dest;
2022-10-09 14:12:31 +00:00
# Move to network namespace for isolating programs
interfaceNamespace = "wg";
2022-10-09 14:12:31 +00:00
};
2022-06-04 14:29:36 +00:00
};
2022-05-29 16:00:19 +00:00
};
2022-10-09 14:12:31 +00:00
# Create namespace for Wireguard
# This allows us to isolate specific programs to Wireguard
systemd.services."netns@" = {
enable = config.wireguard.enable;
description = "%I network namespace";
before = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
};
2022-10-09 14:12:31 +00:00
};
# Create private key file for wireguard
secrets.wireguard = lib.mkIf config.wireguard.enable {
source = ../../../private/wireguard.age;
dest = "${config.secretsDirectory}/wireguard";
2022-10-09 14:12:31 +00:00
};
2022-10-09 14:12:31 +00:00
};
2022-05-29 16:00:19 +00:00
}