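# WireGuard hub-and-spoke VPN module.
#
# Role is derived from ./assignments.nix: a host that carries an `endpoint`
# attribute is a server (it listens, forwards and masquerades traffic between
# peers); every other host is a client that routes the whole VPN subnet via
# the servers.
{ pkgs, hostname, lib, ... }:
let
  assignments = import ./assignments.nix;
  hosts = assignments.vpn.hosts;
  self = hosts.${hostname};
  # Servers are exactly the hosts that publish a reachable endpoint.
  is_server = builtins.hasAttr "endpoint" self;
  # Every host except ourselves; we never peer with our own key.
  others = builtins.attrValues (builtins.removeAttrs hosts [ hostname ]);
  # Single source of truth for the UDP port used both for listening and for
  # every peer endpoint (the literal was previously repeated three times).
  port = 51820;
  # NOTE(review): this should agree with assignments.vpn.subnet (clients route
  # that subnet and every address is assigned with a /24); kept verbatim here
  # because assignments.nix is not visible to confirm it.
  relay_subnet = "10.100.0.0/24";
  iptables = "${pkgs.iptables}/bin/iptables";
  # Source-NAT peer-to-peer traffic relayed through this server so replies
  # come back via the hub. `action` is "-A" on setup and "-D" on shutdown.
  masquerade = action:
    "${iptables} -t nat ${action} POSTROUTING -s ${relay_subnet} -o wg0 -j MASQUERADE";
in
{
  # Servers relay packets that arrive on wg0 and leave on wg0, which needs
  # forwarding. ip_forward is global, not per-interface: unless the host
  # firewall filters FORWARD, this also permits forwarding between wg0 and
  # the server's other interfaces (consider an `-i wg0 -o wg0` only rule).
  boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkIf is_server 1;

  # One /etc/hosts line per VPN host so peers are reachable by name.
  networking.extraHosts = lib.concatStrings
    (lib.mapAttrsToList (name: { ip, ... }: "${ip} ${name}\n") hosts);

  # Leave headroom for the WireGuard encapsulation overhead.
  networking.interfaces.wg0.mtu = 1300;

  networking.wireguard.interfaces.wg0 = {
    ips = [ "${self.ip}/24" ];
    # Only servers need a fixed, reachable port; clients use an ephemeral one.
    listenPort = lib.mkIf is_server port;
    # Private key of this host. WireGuard reads it as root, but it lives in a
    # user's home directory, so anything running as that user (or a backup
    # of that home) can read it. Move it to a root-only location such as
    # /etc/wireguard or a secrets manager; the path is kept so existing
    # deployments keep working.
    privateKeyFile = "/home/turbio/.wgpkey";
    postSetup = lib.mkIf is_server (masquerade "-A");
    postShutdown = lib.mkIf is_server (masquerade "-D");
    peers =
      if is_server then
        # A server peers with every other host and routes only that host's
        # own address to it, so a peer cannot source traffic as anyone else.
        # Other servers keep their endpoint so server<->server links come up
        # without waiting for an inbound handshake.
        map
          ({ ip, pubkey, endpoint ? null }: {
            publicKey = pubkey;
            allowedIPs = [ "${ip}/32" ];
            endpoint = if endpoint == null then null else "${endpoint}:${toString port}";
          })
          others
      else
        # A client peers only with servers and sends the whole VPN subnet
        # through them; the keepalive holds NAT mappings open so a server can
        # initiate traffic towards the client.
        # NOTE(review): with more than one server the same subnet is given to
        # several peers; WireGuard keeps a prefix on one peer only, so only
        # the last configured server actually carries client traffic.
        map
          ({ ip, pubkey, endpoint }: {
            publicKey = pubkey;
            allowedIPs = [ assignments.vpn.subnet ];
            endpoint = "${endpoint}:${toString port}";
            persistentKeepalive = 25;
          })
          (builtins.filter (builtins.hasAttr "endpoint") others);
  };
}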