From 088518a080a8c839cb3daae26cc6aee4ef37a797 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Tue, 31 May 2022 06:07:43 -0400
Subject: Update vpn config

---
 modules/vpn.nix | 46 ++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 42 insertions(+), 4 deletions(-)
(limited to 'modules')

diff --git a/modules/vpn.nix b/modules/vpn.nix
index fb6fd3a..d8ae327 100644
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@@ -2,12 +2,47 @@ let
   cfg = config.orbekk.vpn;
+
+  vpn-prefix = "2001:470:8e2e:1000";
+
+  mkConfig = host: ip: {
+    ips = [ "${vpn-prefix}::d/64" ];
+    publicKey = (builtins.readFile ../secrets/${host}-wireguard-key.pub);
+    endpoint = null;
+    server = false;
+  };
+
+  hosts = {
+    dragon = mkConfig "dragon" "d" // {
+      endpoint = "dragon.orbekk.com:${toString cfg.listenPort}";
+      server = true;
+    };
+    tiny1 = mkConfig "tiny1" "1001" // {
+      endpoint = "tiny1.orbekk.com:${toString cfg.listenPort}";
+      server = true;
+    };
+    firelink = mkConfig "firelink" "2001";
+    pincer = mkConfig "pincer" "2002";
+  };
+
+  mkPeer = hostConfig: {
+    inherit (hostConfig) publicKey endpoint;
+    allowedIPs = (lib.optionals (!hostConfig.server) [ "0.0.0.0/0" "::/0" ]);
+  };
+
+  getPeers = host:
+    builtins.map mkPeer (builtins.attrValues (builtins.removeAttrs hosts [host]));
 in
 {
   options = {
     orbekk.vpn = {
       enable = lib.mkEnableOption "Enable VPN";
+      is_server = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+      };
+
       listenPort = lib.mkOption {
         type = lib.types.port;
         default = 40421;
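Review bot: mkConfig ignores its `ip` argument — the `ips` line hard-codes `::d`, so every entry in `hosts` (dragon, tiny1, firelink, pincer) is assigned `2001:470:8e2e:1000::d/64` and the per-host suffixes `"1001"`, `"2001"`, `"2002"` have no effect; the line should read `ips = [ "${vpn-prefix}::${ip}/64" ];`. With all four nodes sharing one address the tunnel cannot route between them at all. Separately, the `is_server` option added under `orbekk.vpn` is never read anywhere in the hunk; the role comes from the `server` attribute in `hosts`, so either drop the option or make `hosts` derive `server` from it. The `allowedIPs` choice in mkPeer also looks inverted for a hub-and-spoke layout — server peers get an empty list, which makes WireGuard drop every packet they send, while both client peers get `0.0.0.0/0 ::/0`, and because one allowed-IP range can belong to only one peer at a time the later-configured client silently takes it from the earlier one; confirm the intended routing before merging.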
@@ -19,15 +54,18 @@ in
   config = lib.mkIf cfg.enable {
     orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+    age.secrets = {
+      "${config.networking.hostName}-wireguard-key".file = ./. + "/../secrets/${config.networking.hostName}-wireguard-key.age";
+    };
+
     networking.wireguard = {
       enable = true;
       interfaces.vpn = {
-        privateKeyFile = "/opt/secret/wireguard/vpn.private";
-        ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+        ips = hosts.${config.networking.hostName}.ips;
+        privateKeyFile = "${config.age.secrets."${config.networking.hostName}-wireguard-key".path}";
         allowedIPsAsRoutes = false;
         listenPort = cfg.listenPort;
-        peers = [
-        ];
+        peers = getPeers config.networking.hostName;
       };
     };
   };
-- 
cgit v1.2.3
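Review bot: `hosts.${config.networking.hostName}` on the new `ips` line and the `age.secrets` key both assume the evaluating machine is one of the entries in `hosts`; on any other host that enables `orbekk.vpn`, evaluation fails with a bare attribute-missing error instead of a message naming the cause. An assertion at the top of the `config` block makes this explicit: `assertions = [ { assertion = hosts ? ${config.networking.hostName}; message = "orbekk.vpn: no VPN entry for host ${config.networking.hostName}"; } ];`. Moving the private key from a fixed `/opt/secret` path to an agenix-managed secret is a good change; the `privateKeyFile` line can be simplified to `privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-key".path;` since the string interpolation adds nothing. The unchanged firewall line above opens `listenPort` on every host, including the client-role ones whose `endpoint` is null; if clients are meant to initiate only, consider gating it on `hosts.${config.networking.hostName}.server` so they expose no listening port.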