lab-infra/machines/router02/wireguard.nix
2024-12-06 14:36:45 +01:00

61 lines
1.2 KiB
Nix

{
config,
lib,
dgn-keys,
name,
...
}:
let
mkPeer =
prefix: peerName:
let
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
in
{
AllowedIPs = [
"fdaa::${prefix}:${lib.toHexString peer.id}/32"
];
PublicKey = peer.key;
};
in
{
age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {
name = "wg-mgmt";
address = [
"fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64"
];
routes = [
{
Destination = "fdaa::/64";
Scope = "link";
}
];
};
};
netdevs = {
"50-wg-mgmt" = {
netdevConfig = {
Name = "wg-mgmt";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
};
wireguardPeers =
builtins.map (mkPeer "1") [
"mdebray"
"catvayor"
]
++ builtins.map (mkPeer "0") [ "roam01" ];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}