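# WireGuard client module: brings up a single interface (wg0) with one peer
# (the server) and exposes the peer parameters as `services.wireguard.*` options.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    types
    ;
  cfg = config.services.wireguard;
in
{
  options = {
    services.wireguard = {
      enable = mkEnableOption "Enable a wireguard client";
      ips = mkOption {
        type = with types; listOf str;
        description = ''
          The peer IPs
        '';
      };
      allowedIPs = mkOption {
        default = [ "10.100.0.0/24" ];
        type = with types; listOf str;
        description = ''
          The peer (server) allowedIPs
        '';
      };
      endpoint = mkOption {
        type = with types; str;
        description = ''
          The endpoint IP to target
        '';
      };
      endpointPort = mkOption {
        default = 51820;
        # `port` rejects values outside 0..65535 at evaluation time; the
        # previous `int` accepted any integer and failed only at runtime.
        type = with types; port;
        description = ''
          The endpoint Port to target
        '';
      };
      endpointPublicKey = mkOption {
        type = with types; str;
        description = ''
          The peer (server) public key
        '';
      };
      # Previously a hard-coded string; exposed as an option so hosts can keep
      # the key wherever their secret-provisioning tooling places it.
      privateKeyFile = mkOption {
        default = "/etc/wireguard/private.key";
        type = with types; str;
        description = ''
          Path to the file holding this client's WireGuard private key.
          Only the path is part of the configuration, so the key material
          itself is never copied into the world-readable Nix store.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    # These assertions catch values that were explicitly set to empty. Options
    # declared without a default (endpoint, endpointPublicKey, ips) are already
    # rejected by the module system when left unset, before assertions run.
    assertions = [
      {
        assertion = cfg.endpoint != "";
        message = "services.wireguard.endpoint must be set.";
      }
      {
        assertion = cfg.endpointPublicKey != "";
        message = "services.wireguard.endpointPublicKey must be set.";
      }
      {
        assertion = cfg.ips != [ ];
        message = "services.wireguard.ips must be set.";
      }
    ];
    environment.systemPackages = [ pkgs.wireguard-tools ];
    # Trusting the interface means traffic arriving over the tunnel bypasses
    # the host firewall entirely: every host reachable through the peer's
    # allowedIPs can reach every local port. Keep allowedIPs narrow.
    networking.firewall.trustedInterfaces = [ "wg0" ];
    networking.wireguard.enable = true;
    networking.wireguard.interfaces = {
      wg0 = {
        inherit (cfg) ips;
        # A path, not the key: see the privateKeyFile option description.
        privateKeyFile = cfg.privateKeyFile;
        peers = [
          {
            publicKey = cfg.endpointPublicKey;
            inherit (cfg) allowedIPs;
            endpoint = "${cfg.endpoint}:${toString cfg.endpointPort}";
            # Keepalive every 25 s so the tunnel survives NAT / stateful
            # firewall mapping timeouts between the client and the server.
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}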