authorKjetil Orbekk <kj@orbekk.com>2022-05-31 06:07:43 -0400
committerKjetil Orbekk <kj@orbekk.com>2022-05-31 06:07:43 -0400
commit088518a080a8c839cb3daae26cc6aee4ef37a797 (patch)
tree7fff605ed29edca27d42cd679ee87efd5acc6407 /modules/vpn.nix
parent69eae73fda6266ab8ede6c5442c0749f93690e70 (diff)
Update vpn config
Diffstat (limited to 'modules/vpn.nix')
-rw-r--r--modules/vpn.nix46
1 files changed, 42 insertions, 4 deletions
diff --git a/modules/vpn.nix b/modules/vpn.nix
index fb6fd3a..d8ae327 100644
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@@ -2,12 +2,47 @@
let
cfg = config.orbekk.vpn;
+
+ vpn-prefix = "2001:470:8e2e:1000";
+
+ mkConfig = host: ip: {
+ ips = [ "${vpn-prefix}::d/64" ];
+ publicKey = (builtins.readFile ../secrets/${host}-wireguard-key.pub);
+ endpoint = null;
+ server = false;
+ };
+
+ hosts = {
+ dragon = mkConfig "dragon" "d" // {
+ endpoint = "dragon.orbekk.com:${toString cfg.listenPort}";
+ server = true;
+ };
+ tiny1 = mkConfig "tiny1" "1001" // {
+ endpoint = "tiny1.orbekk.com:${toString cfg.listenPort}";
+ server = true;
+ };
+ firelink = mkConfig "firelink" "2001";
+ pincer = mkConfig "pincer" "2002";
+ };
+
+ mkPeer = hostConfig: {
+ inherit (hostConfig) publicKey endpoint;
+ allowedIPs = (lib.optionals (!hostConfig.server) [ "0.0.0.0/0" "::/0" ]);
+ };
+
+ getPeers = host:
+ builtins.map mkPeer (builtins.attrValues (builtins.removeAttrs hosts [host]));
in
{
options = {
orbekk.vpn = {
enable = lib.mkEnableOption "Enable VPN";
+ is_server = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
listenPort = lib.mkOption {
type = lib.types.port;
default = 40421;
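Review bot: `mkConfig` never uses its `ip` parameter, so the `ips` line assigns the literal `${vpn-prefix}::d/64` to every host and dragon, tiny1, firelink and pincer all end up with the same tunnel address; the intended line is presumably `ips = [ "${vpn-prefix}::${ip}/64" ];`. The `allowedIPs` in `mkPeer` also look too coarse: server peers get an empty list, which as far as I can tell leaves a client with no peer it can exchange packets with, while every non-server peer gets `0.0.0.0/0` and `::/0`, so a server accepts packets from that peer with any source address and, since WireGuard's cryptokey routing assigns each prefix to only one peer, with two such peers only the last one keeps the catch-all. A least-privilege alternative is to record `ip` in `mkConfig` (e.g. `inherit ip;`) and set `allowedIPs = [ "${vpn-prefix}::${hostConfig.ip}/128" ];` for every peer, adding the default routes only on the server entries if exit-node behaviour is actually wanted. The new `is_server` option is declared but nothing in this hunk reads it — `server` is hard-coded per host in `hosts` — so either drop it or use it instead of the per-host flag.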
@@ -19,15 +54,18 @@ in
config = lib.mkIf cfg.enable {
orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+ age.secrets = {
+ "${config.networking.hostName}-wireguard-key".file = ./. + "/../secrets/${config.networking.hostName}-wireguard-key.age";
+ };
+
networking.wireguard = {
enable = true;
interfaces.vpn = {
- privateKeyFile = "/opt/secret/wireguard/vpn.private";
- ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+ ips = hosts.${config.networking.hostName}.ips;
+ privateKeyFile = "${config.age.secrets."${config.networking.hostName}-wireguard-key".path}";
allowedIPsAsRoutes = false;
listenPort = cfg.listenPort;
- peers = [
- ];
+ peers = getPeers config.networking.hostName;
};
};
};
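Review bot: `hosts.${config.networking.hostName}.ips` and `getPeers config.networking.hostName` fail evaluation with a bare "attribute missing" error on any machine whose hostname is not in `hosts` but has `orbekk.vpn.enable = true`; a module assertion gives a readable message, e.g. `assertions = [ { assertion = hosts ? ${config.networking.hostName}; message = "orbekk.vpn: no host entry for ${config.networking.hostName}"; } ];`. The interpolation around `privateKeyFile` is redundant since `.path` is already a string: `privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-key".path;`. The secret name `"${config.networking.hostName}-wireguard-key"` is now spelled out three times in this hunk; binding it once (e.g. `keyName = "${config.networking.hostName}-wireguard-key";` in the `let`, which starts in the previous hunk) would keep the `age.secrets` entry and the `privateKeyFile` reference from drifting apart.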