# Wireguard is a VPN protocol that can be setup to create a mesh network
# between machines on different LANs. This is currently not in use in my setup.
#
# NixOS module: exposes a `wireguard.enable` option and, on Linux hosts only,
# declares a single `wg0` interface placed in a dedicated network namespace,
# a template unit that creates that namespace, and the secret that supplies
# the interface's private key.
{
  config,
  pkgs,
  lib,
  ...
}:
{
  options.wireguard.enable = lib.mkEnableOption "Wireguard VPN setup.";

  # Everything below is gated on Linux; elsewhere the option exists but
  # has no effect.
  config = lib.mkIf (pkgs.stdenv.isLinux) {
    networking.wireguard = {
      enable = config.wireguard.enable;
      interfaces = {
        wg0 = {
          # Something to use as a default value.
          # A loopback placeholder so the interface evaluates without a
          # host-specific address; `mkDefault` lets a host override it.
          # No `peers` are declared in this module, so a host must also
          # supply those before the tunnel carries any traffic.
          ips = lib.mkDefault [ "127.0.0.1/32" ];

          # Establishes identity of this machine.
          # The key is not generated on the host; it is read from the
          # decrypted secret declared in `secrets.wireguard` below. The
          # permissions on that path come from the secrets module, which is
          # not shown here -- NOTE(review): confirm it is readable only by root.
          generatePrivateKeyFile = false;
          privateKeyFile = config.secrets.wireguard.dest;

          # Move to network namespace for isolating programs.
          # NOTE(review): nothing in this module instantiates `netns@wg.service`
          # or orders the wg0 unit after it -- confirm the namespace exists
          # before the interface is moved into it.
          interfaceNamespace = "wg";
        };
      };
    };

    # Create namespace for Wireguard.
    # This allows us to isolate specific programs to Wireguard.
    # Template unit: `netns@<name>` creates namespace `<name>` with iproute2
    # on start and deletes it again on stop.
    systemd.services."netns@" = {
      enable = config.wireguard.enable;
      description = "%I network namespace";
      before = [ "network.target" ];
      serviceConfig = {
        # One-shot with RemainAfterExit so the unit stays "active" (and the
        # namespace present) until it is explicitly stopped.
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
        ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
      };
    };

    # Create private key file for wireguard.
    # Declared only when enabled. `source` is an age-encrypted file in the
    # private tree (presumably decrypted by the secrets module -- verify) and
    # `dest` is the path `privateKeyFile` above expects the plaintext key at.
    secrets.wireguard = lib.mkIf config.wireguard.enable {
      source = ../../../private/wireguard.age;
      dest = "${config.secretsDirectory}/wireguard";
    };
  };
}