system-manager-wakasu
1{
2 config,
3 lib,
4 pkgs,
5 ...
6}:
7let
8 inherit (lib)
9 mkEnableOption
10 mkIf
11 mkOption
12 types
13 ;
14 cfg = config.services.wireguard.server;
15in
16{
17 options = {
18 services.wireguard.server = {
19 enable = mkEnableOption "Enable a wireguard server";
20 ips = mkOption {
21 type = with types; listOf str;
22 description = ''
23 The peer IPs
24 '';
25 };
26 peers = mkOption {
27 default = [ ];
28 description = "Peers linked to the interface.";
29 type = with types; listOf anything;
30 };
31 };
32 };
33 config = mkIf cfg.enable {
34 environment.systemPackages = [ pkgs.wireguard-tools ];
35 boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1; # FIXME should probably be mkDefault
36 networking.firewall.extraCommands = ''
37 iptables -t nat -A POSTROUTING -s10.100.0.0/32 -j MASQUERADE
38 iptables -A FORWARD -i wg+ -j ACCEPT
39 '';
40 networking.firewall.allowedUDPPorts = [ 51820 ];
41 networking.firewall.trustedInterfaces = [ "wg0" ];
42 networking.wireguard.enable = true;
43 networking.wireguard.interfaces = {
44 "wg0" = {
45 inherit (cfg) ips peers;
46 listenPort = 51820;
47 privateKeyFile = "/etc/wireguard/private.key";
48 };
49 };
50 };
51}