  1# Wrapper module for WireGuard on system-manager
  2# This imports the base wireguard module and provides a simpler interface
  3# similar to wireguard-client.nix but compatible with system-manager
  4{
  5  config,
  6  inputs,
  7  lib,
  8  pkgs,
  9  ...
 10}:
 11let
 12  inherit (lib)
 13    mkEnableOption
 14    mkIf
 15    mkOption
 16    types
 17    ;
 18  cfg = config.services.wireguard;
 19in
 20{
 21  imports = [
 22    "${inputs.nixpkgs}/nixos/modules/services/networking/wireguard.nix"
 23  ];
 24
 25  options = {
 26    services.wireguard = {
 27      enable = mkEnableOption "Enable a wireguard client";
 28      ips = mkOption {
 29        type = with types; listOf str;
 30        description = ''
 31          The peer IPs
 32        '';
 33      };
 34      allowedIPs = mkOption {
 35        default = [ "10.100.0.0/24" ];
 36        type = with types; listOf str;
 37        description = ''
 38          The peer (server) allowedIPs
 39        '';
 40      };
 41      endpoint = mkOption {
 42        type = with types; str;
 43        description = ''
 44          The endpoint IP to target
 45        '';
 46      };
 47      endpointPort = mkOption {
 48        default = 51820;
 49        type = with types; int;
 50        description = ''
 51          The endpoint Port to target
 52        '';
 53      };
 54      endpointPublicKey = mkOption {
 55        type = with types; str;
 56        description = ''
 57          The peer (server) public key
 58        '';
 59      };
 60    };
 61  };
 62
 63  config = mkIf cfg.enable {
 64    assertions = [
 65      {
 66        assertion = cfg.endpoint != "";
 67        message = "services.wireguard.endpoint must be set.";
 68      }
 69      {
 70        assertion = cfg.endpointPublicKey != "";
 71        message = "services.wireguard.endpointPublicKey must be set.";
 72      }
 73      {
 74        assertion = cfg.ips != [ ];
 75        message = "services.wireguard.ips must be set.";
 76      }
 77    ];
 78
 79    environment.systemPackages = [ pkgs.wireguard-tools ];
 80
 81    # Note: networking.firewall doesn't exist in system-manager, so we skip that
 82    # networking.firewall.trustedInterfaces = [ "wg0" ];
 83
 84    networking.wireguard.enable = true;
 85    networking.wireguard.interfaces = {
 86      wg0 = {
 87        inherit (cfg) ips;
 88        privateKeyFile = "/etc/wireguard/private.key";
 89        peers = [
 90          {
 91            publicKey = cfg.endpointPublicKey;
 92            inherit (cfg) allowedIPs;
 93            endpoint = "${cfg.endpoint}:${toString cfg.endpointPort}";
 94            persistentKeepalive = 25;
 95          }
 96        ];
 97      };
 98    };
 99  };
100}