lab-infra/machines/router02/wireguard.nix
catvayor 40df8e738d
Some checks failed
Check meta / check_meta (push) Failing after 17s
build configuration / build_krz01 (push) Failing after 20s
lint / check (push) Failing after 20s
chore: nothing
2024-12-13 12:06:49 +01:00

57 lines
1.2 KiB
Nix

{
config,
lib,
dgn-keys,
name,
...
}:
let
mkPeer =
prefix: peerName:
let
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
in
{
AllowedIPs = [ "fdaa::${prefix}:${lib.toHexString peer.id}/32" ];
PublicKey = peer.key;
};
in
{
age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {
name = "wg-mgmt";
address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];
routes = [
{
Destination = "fdaa::/64";
Scope = "link";
}
];
};
};
netdevs = {
"50-wg-mgmt" = {
netdevConfig = {
Name = "wg-mgmt";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
};
wireguardPeers =
builtins.map (mkPeer "1") [
"mdebray"
"catvayor"
]
++ builtins.map (mkPeer "0") [ "roam01" ];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}