dotfiles/modules/services/wireguard.nix
2022-12-21 14:18:03 -07:00

45 lines
1.1 KiB
Nix

{ config, pkgs, lib, ... }: {
options.wireguard.enable = lib.mkEnableOption "Wireguard VPN setup.";
config = lib.mkIf (pkgs.stdenv.isLinux && config.wireguard.enable) {
networking.wireguard = {
enable = true;
interfaces = {
wg0 = {
# Establishes identity of this machine
generatePrivateKeyFile = false;
privateKeyFile = config.secrets.wireguard.dest;
# Move to network namespace for isolating programs
interfaceNamespace = "wg";
};
};
};
# Create namespace for Wireguard
# This allows us to isolate specific programs to Wireguard
systemd.services."netns@" = {
description = "%I network namespace";
before = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
};
};
# Create private key file for wireguard
secrets.wireguard = {
source = ../../private/wireguard.age;
dest = "${config.secretsDirectory}/wireguard";
};
};
}