Started with work on own wireguard server

2025-05-08 13:01:33 +02:00 · 2025-05-08 13:01:33 +02:00 · 3bf145fd45
commit 3bf145fd45
parent 2bb3e9d699
7 changed files with 79 additions and 25 deletions
--- a/system/network/default.nix
+++ b/system/network/default.nix
@ -3,6 +3,7 @@
  imports = [
    ./avahi.nix
    ./tailscale.nix
+    ./wireguard.nix
  ];

  networking = {
--- a/system/network/wireguard.nix
+++ b/system/network/wireguard.nix
@ -0,0 +1,72 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf optionals;
+  inherit (config.networking) hostName;
+  iptables = lib.getExe' pkgs.iptables "iptables";
+
+  port = 53;
+  server = "lapserv";
+
+  serverCfg = {
+    externalInterface = "eth0";
+    privateKeyFile = config.age.secrets.wg-lapserv-private.path;
+    publicKey = "aM+OrvByr63RxKsU9hu0A1lKJr8fPHifHDhBekkHR0c=";
+    publicIp = "80.242.224.170";
+    ip = "10.100.0.1";
+  };
+  deviceConfig = {
+    laptop = {
+      publicKey = config.age.secrets.wg-laptop-private.path;
+      privateKeyFile = "1su1FfHuEYIvJLaZPwpN86kmH19d/NH/zuh9DjIOyQI=";
+      ip = "10.100.0.2";
+    };
+  };
+
+  isServer = server == config.networking.hostName;
+  currentConfig =
+    if isServer
+    then serverCfg
+    else deviceConfig.${hostName};
+in {
+  networking.nat = mkIf isServer {
+    enable = true;
+    inherit (serverCfg) externalInterface;
+    internalInterfaces = ["wg0"];
+  };
+  networking.firewall.allowedUDPPorts = [port];
+
+  networking.wireguard.interfaces.wg0 = {
+    inherit (currentConfig) privateKeyFile;
+
+    listenPort = port;
+    ips = ["${currentConfig.ip}/24"];
+
+    peers =
+      []
+      ++ (optionals isServer (builtins.concatMap (x: {
+          inherit (x) publicKey;
+          allowedIPs = ["${x.ip}/32"];
+        })
+        (builtins.attrValues
+          deviceConfig)))
+      ++ (optionals (!isServer) [
+        {
+          inherit (serverCfg) publicKey;
+          allowedIPs = ["0.0.0.0/0"];
+          endpoint = "${serverCfg.publicIp}:${builtins.toString port}";
+          persistentKeepalive = 25;
+        }
+      ]);
+
+    postSetup = mkIf isServer ''
+      ${iptables} -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverCfg.externalInterface} -j MASQUERADE
+    '';
+    postShutdown = mkIf isServer ''
+      ${iptables} -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${serverCfg.externalInterface} -j MASQUERADE
+    '';
+  };
+}