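{ config
, lib
, ...
}:

let
  cfg = config.my.services.wireguard;
in
{
  # Optional WireGuard client interface (wg0) towards a single peer; the
  # `config` section below is applied only when
  # `my.services.wireguard.enable` is set.
  # `lib` is referenced explicitly throughout (no `with lib;`), matching the
  # existing `lib.mkIf` usage.
  options.my.services.wireguard.enable = lib.mkEnableOption "wireguard";

  config = lib.mkIf cfg.enable {
    # Key material is decrypted by agenix into /run/agenix at activation;
    # the encrypted sources live in the repository's secrets directory.
    age.secrets = {
      wireguard-private-key.file = ../../secrets/wireguard-private-key.age;
      wireguard-preshared-key.file = ../../secrets/wireguard-preshared-key.age;
    };

    # Inbound UDP for the listenPort configured on wg0 below.
    # NOTE(review): with persistentKeepalive set, this host initiates the
    # handshake, so an open inbound port may not be needed -- confirm against
    # the peer's setup before keeping this exposed.
    networking.firewall = {
      allowedUDPPorts = [ 51820 ];
    };

    networking.wg-quick.interfaces = {
      wg0 = {
        # The interface is not brought up automatically at boot.
        autostart = false;
        address = [ "10.8.0.3/24" ];
        listenPort = 51820;
        # Path produced by the age.secrets entry above.
        privateKeyFile = "/run/agenix/wireguard-private-key";
        # Resolvers used while the tunnel is up.
        dns = [ "192.168.0.4" "9.9.9.9" ];
        peers = [
          {
            publicKey = "bT/U8ko3i//vH8LNn2R56JkGMg+0GLFrZSF81BBax08=";
            # Path produced by the age.secrets entry above.
            presharedKeyFile = "/run/agenix/wireguard-preshared-key";
            # Forward all the traffic via VPN.
            # NOTE(review): only IPv4 is routed into the tunnel; if the host
            # has IPv6 connectivity, that traffic bypasses it -- confirm
            # whether "::/0" belongs here as well.
            allowedIPs = [ "0.0.0.0/0" ];
            endpoint = "wg.moritzboeh.me:51820";
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}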