lab-infra/machines/roam01/wireguard.nix
catvayor ed02370dfe
Some checks failed
Check meta / check_meta (push) Failing after 20s
lint / check (push) Successful in 23s
chore: nothing
2024-12-06 14:41:02 +01:00

54 lines
1.1 KiB
Nix

{
config,
lib,
dgn-keys,
name,
...
}:
let
mkPeer =
prefix: peerName:
let
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
in
{
Endpoint = "129.199.146.230:1194";
PersistentKeepalive = 25;
AllowedIPs = [ "fdaa::${prefix}:0/64" ];
PublicKey = peer.key;
};
in
{
age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {
name = "wg-mgmt";
address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];
routes = [
{
Destination = "fdaa::/64";
Scope = "link";
}
];
};
};
netdevs = {
"50-wg-mgmt" = {
netdevConfig = {
Name = "wg-mgmt";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
};
wireguardPeers = builtins.map (mkPeer "0") [ "router02" ];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}