Commit e8021a5ec7b2
Changed files (5)
lib
modules
secrets
systems
kyushu
lib/default.nix
@@ -59,6 +59,7 @@
inherit specialArgs;
system = system;
modules = [
+ self.nixosModules.wireguard-client
inputs.agenix.nixosModules.default
inputs.lanzaboote.nixosModules.lanzaboote
homeInput.nixosModules.home-manager
modules/wireguard-client.nix
@@ -0,0 +1,77 @@
+{ config, options, lib, pkgs, ... }:
+let
+ inherit (lib) mkEnableOption mkIf mkOption types;
+ cfg = config.services.wireguard;
+in
+{
+ options = {
+ services.wireguard = {
+ enable = mkEnableOption "Enable ";
+ ips = mkOption {
+ type = with types; listOf str;
+ description = ''
+ The client IPs
+ '';
+ };
+ allowedIPs = mkOption {
+ default = [ "10.100.0.0/24" ];
+ type = with types; listOf str;
+ description = ''
+ The peer (server) allowedIPs
+ '';
+ };
+ endpoint = mkOption {
+ type = with types; str;
+ description = ''
+ The endpoint IP to target
+ '';
+ };
+ endpointPort = mkOption {
+ default = 51820;
+ type = with types; int;
+ description = ''
+ The endpoint Port to target
+ '';
+ };
+ endpointPublicKey = mkOption {
+ type = with types; str;
+ description = ''
+ The peer (server) public key
+ '';
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.endpoint != "";
+ message = "services.wireguard.endpoint must be set.";
+ }
+ {
+ assertion = cfg.endpointPublicKey != "";
+ message = "services.wireguard.endpointPublicKey must be set.";
+ }
+ {
+ assertion = cfg.ips != [ ];
+ message = "services.wireguard.ips must be set.";
+ }
+ ];
+ environment.systemPackages = [ pkgs.wireguard-tools ];
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = cfg.ips;
+ privateKeyFile = "/etc/wireguard/private.key";
+ peers = [
+ {
+ publicKey = cfg.endpointPublicKey;
+ allowedIPs = cfg.allowedIPs;
+ endpoint = "${cfg.endpoint}:${toString cfg.endpointPort}";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
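Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ]` switches the firewall off for everything arriving over the tunnel, and since the peer's allowedIPs default to the whole `10.100.0.0/24`, every host the server routes for — not just the server — reaches every listening service on this client unfiltered. Dropping that line and letting each system open only what it actually serves over the VPN, e.g. `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 22 ];`, keeps the default-deny posture a client module should have. Separately, the three assertions can never emit their messages: `ips`, `endpoint` and `endpointPublicKey` have no `default`, so reading `cfg.endpoint` on an unset option aborts evaluation with NixOS's own "used but not defined" error first; adding `default = [ ];` and `default = "";` respectively makes the friendlier messages reachable. The hard-coded `privateKeyFile = "/etc/wireguard/private.key"` could also become an option so the key can be supplied from the agenix store the flake already wires in.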
secrets/machines.nix
@@ -36,6 +36,7 @@ let
kerkouane = "10.100.0.1";
shikoku = "10.100.0.2";
aomi = "10.100.0.17";
+ kyushu = "10.100.0.19";
hokkaido = "10.100.0.5";
wakasu = "10.100.0.8";
ipad = "10.100.0.3";
@@ -108,6 +109,10 @@ let
allowedIPs = [ "${wireguard.ips.aomi}/32" ];
publicKey = "XT4D9YLeVHwMb9R4mhBLSWHYF8iBO/UOT86MQL1jnA4=";
};
+ kyushu = {
+ allowedIPs = [ "${wireguard.ips.kyushu}/32" ];
+ publicKey = "KVRzoPUw8UTQblYtbs/NLYLIVmtQehrc4Hacbpf5Ugs=";
+ };
hass = {
allowedIPs = [ "${wireguard.ips.hass}/32" ];
publicKey = "sLi6Qpm6yyI0kuJ5LzCKXzFhhTW3Q50krxSin+b/sWs=";
@@ -186,7 +191,7 @@ in
listenPort = 51820;
endpointIP = "167.99.17.238";
persistentKeepalive = 25;
- peers = [ wireguard.shikoku wireguard.wakasu wireguard.vincent wireguard.sakhalin wireguard.aomi wireguard.ipad wireguard.hass wireguard.demeter wireguard.athena wireguard.aion wireguard.honshu wireguard.houbeb wireguard.houbeb-ipad wireguard.houbeb-iphone ]; # wireguard.hokkaido
+ peers = [ wireguard.shikoku wireguard.wakasu wireguard.vincent wireguard.sakhalin wireguard.aomi wireguard.kyushu wireguard.ipad wireguard.hass wireguard.demeter wireguard.athena wireguard.aion wireguard.honshu wireguard.houbeb wireguard.houbeb-ipad wireguard.houbeb-iphone ]; # wireguard.hokkaido
};
ssh = ssh;
sshConfig = {
systems/kyushu/extra.nix
@@ -15,6 +15,14 @@
../redhat
];
+ services.wireguard = {
+ enable = true;
+ # FIXME get this from some globals
+ ips = [ "10.100.0.18/24" ];
+ endpoint = "167.99.17.238";
+ endpointPublicKey = "+H3fxErP9HoFUrPgU19ra9+GDLQw+VwvLWx3lMct7QI=";
+ };
+
environment.systemPackages = with pkgs; [
go-org-readwise
];
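Review bot: `ips = [ "10.100.0.18/24" ]` does not match the address reserved for this host in secrets/machines.nix, where `kyushu = "10.100.0.19"` and the server-side peer entry allows only `10.100.0.19/32`; WireGuard's cryptokey routing drops tunnel packets whose source is not in the peer's allowedIPs, so the link will handshake but carry no traffic from .18. Use `ips = [ "10.100.0.19/32" ];`, or better, resolve the FIXME by reading the value from the shared table so the two files cannot drift again. The endpoint does agree with `endpointIP` in machines.nix, but whether `endpointPublicKey` is the server's current key cannot be checked from this diff. The enclosing module body extends beyond the hunk.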
flake.nix
@@ -148,6 +148,10 @@
# syncthingFolders = [ "org" "documents" "sync" "screenshots" "wallpapers" ];
};
};
+ nixosModules = {
+ # provided modules (to be upstreamed)
+ wireguard-client = ./modules/wireguard-client.nix;
+ };
# system-manager configurations
# FIXME set this up