2022-10-09 14:12:31 +00:00
|
|
|
{ config, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
let privateKeyFile = "/private/wireguard/wg0";
|
|
|
|
|
|
|
|
|
|
in {
|
|
|
|
|
|
2022-06-04 14:29:36 +00:00
|
|
|
networking.wireguard = {
|
|
|
|
|
enable = true;
|
|
|
|
|
interfaces = {
|
|
|
|
|
wg0 = {
|
2022-10-09 14:12:31 +00:00
|
|
|
|
|
|
|
|
# The local IPs for this machine within the Wireguard network
|
|
|
|
|
# Any inbound traffic bound for these IPs should be kept on localhost
|
|
|
|
|
ips = [ "10.66.13.200/32" "fc00:bbbb:bbbb:bb01::3:dc7/128" ];
|
|
|
|
|
|
|
|
|
|
# Establishes identity of this machine
|
|
|
|
|
generatePrivateKeyFile = false;
|
|
|
|
|
privateKeyFile = privateKeyFile;
|
|
|
|
|
|
2022-06-04 14:29:36 +00:00
|
|
|
peers = [{
|
2022-10-09 14:12:31 +00:00
|
|
|
|
|
|
|
|
# Identity of Wireguard target peer (VPN)
|
|
|
|
|
publicKey = "bOOP5lIjqCdDx5t+mP/kEcSbHS4cZqE0rMlBI178lyY=";
|
|
|
|
|
|
|
|
|
|
# Which outgoing IP ranges should be sent through Wireguard
|
2022-06-04 14:29:36 +00:00
|
|
|
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
2022-10-09 14:12:31 +00:00
|
|
|
|
|
|
|
|
# The public internet address of the target peer
|
|
|
|
|
endpoint = "86.106.143.132:51820";
|
|
|
|
|
|
|
|
|
|
# Send heartbeat signal within the network
|
2022-06-04 14:29:36 +00:00
|
|
|
persistentKeepalive = 25;
|
2022-10-09 14:12:31 +00:00
|
|
|
|
2022-06-04 14:29:36 +00:00
|
|
|
}];
|
2022-10-09 14:12:31 +00:00
|
|
|
|
2022-10-09 18:32:43 +00:00
|
|
|
# Move to network namespace for isolating programs
|
2022-10-09 14:12:31 +00:00
|
|
|
interfaceNamespace = "wg";
|
|
|
|
|
|
2022-06-04 14:29:36 +00:00
|
|
|
};
|
2022-05-29 16:00:19 +00:00
|
|
|
};
|
|
|
|
|
};
|
2022-10-09 14:12:31 +00:00
|
|
|
|
|
|
|
|
# Create namespace for Wireguard
|
2022-10-09 18:32:43 +00:00
|
|
|
# This allows us to isolate specific programs to Wireguard
|
2022-10-09 14:12:31 +00:00
|
|
|
systemd.services."netns@" = {
|
|
|
|
|
description = "%I network namespace";
|
|
|
|
|
before = [ "network.target" ];
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "oneshot";
|
|
|
|
|
RemainAfterExit = true;
|
|
|
|
|
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
|
|
|
|
|
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2022-10-09 18:32:43 +00:00
|
|
|
# Create private key file for wireguard
|
2022-10-09 14:12:31 +00:00
|
|
|
systemd.services.wireguard-private-key = {
|
|
|
|
|
wantedBy = [ "wireguard-wg0.service" ];
|
|
|
|
|
requiredBy = [ "wireguard-wg0.service" ];
|
|
|
|
|
before = [ "wireguard-wg0.service" ];
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "oneshot";
|
|
|
|
|
RemainAfterExit = true;
|
|
|
|
|
};
|
|
|
|
|
script = ''
|
|
|
|
|
mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
|
|
|
|
|
if [ ! -f "${privateKeyFile}" ]; then
|
|
|
|
|
${pkgs.age}/bin/age --decrypt \
|
|
|
|
|
--identity ${config.identityFile} \
|
|
|
|
|
--output ${privateKeyFile} \
|
|
|
|
|
${builtins.toString ../../private/wireguard.age}
|
|
|
|
|
chmod 0700 ${privateKeyFile}
|
|
|
|
|
fi
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2022-05-29 16:00:19 +00:00
|
|
|
}
|
