lab-infra/machines/roam01/wireguard.nix

{
  config,
  lib,
  dgn-keys,
  name,
  ...
}:
let
  mkPeer =
    prefix: peerName:
    let
      peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
    in
    {
      Endpoint = "129.199.146.230:1194";
      PersistentKeepalive = 25;
      AllowedIPs = [ "fdaa::${prefix}:0/64" ];
      PublicKey = peer.key;
    };
in

{
  age-secrets.autoMatch = [ "systemd-network" ];
  networking.firewall.trustedInterfaces = [ "wg0" ];
  systemd.network = {
    networks = {
      "50-wg-mgmt" = {
        name = "wg-mgmt";
        address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];
        routes = [
          {
            Destination = "fdaa::/64";
            Scope = "link";
          }
        ];
      };
    };
    netdevs = {
      "50-wg-mgmt" = {
        netdevConfig = {
          Name = "wg-mgmt";
          Kind = "wireguard";
        };
        wireguardConfig = {
          ListenPort = 1194;
          PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
        };

        wireguardPeers = builtins.map (mkPeer "0") [ "router02" ];
      };
    };
  };
  networking.firewall.allowedUDPPorts = [ 1194 ];
}
feat: init roam01 2024-12-05 09:59:59 +01:00			`{`
			`config,`
			`lib,`
			`dgn-keys,`
			`name,`
			`...`
			`}:`
			`let`
			`mkPeer =`
			`prefix: peerName:`
			`let`
			`peer = dgn-keys.getVpnKey "wg-mgmt" peerName;`
			`in`
			`{`
			`Endpoint = "129.199.146.230:1194";`
			`PersistentKeepalive = 25;`
chore: nothing 2024-12-06 14:41:02 +01:00			`AllowedIPs = [ "fdaa::${prefix}:0/64" ];`
feat: init roam01 2024-12-05 09:59:59 +01:00			`PublicKey = peer.key;`
			`};`
			`in`

			`{`
			`age-secrets.autoMatch = [ "systemd-network" ];`
			`networking.firewall.trustedInterfaces = [ "wg0" ];`
			`systemd.network = {`
			`networks = {`
			`"50-wg-mgmt" = {`
			`name = "wg-mgmt";`
chore: nothing 2024-12-06 14:41:02 +01:00			`address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];`
feat: init roam01 2024-12-05 09:59:59 +01:00			`routes = [`
			`{`
			`Destination = "fdaa::/64";`
			`Scope = "link";`
			`}`
			`];`
			`};`
			`};`
			`netdevs = {`
			`"50-wg-mgmt" = {`
			`netdevConfig = {`
			`Name = "wg-mgmt";`
			`Kind = "wireguard";`
			`};`
			`wireguardConfig = {`
			`ListenPort = 1194;`
			`PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;`
			`};`

			`wireguardPeers = builtins.map (mkPeer "0") [ "router02" ];`
			`};`
			`};`
			`};`
			`networking.firewall.allowedUDPPorts = [ 1194 ];`
			`}`