lab-infra/machines/roam01/wireguard.nix
2024-12-13 12:03:42 +01:00

58 lines
1.2 KiB
Nix

{
config,
lib,
dgn-keys,
name,
...
}:
let
mkPeer =
prefix: peerName:
let
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
in
{
Endpoint = "129.199.146.230:1194";
PersistentKeepalive = 25;
AllowedIPs = [
"fdaa::${prefix}:0/64"
];
PublicKey = peer.key;
};
in
{
age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {
name = "wg-mgmt";
address = [
"fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64"
];
routes = [
{
Destination = "fdaa::/64";
Scope = "link";
}
];
};
};
netdevs = {
"50-wg-mgmt" = {
netdevConfig = {
Name = "wg-mgmt";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
};
wireguardPeers = builtins.map (mkPeer "0") [ "router02" ];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}