wireguard: init wireguard service

2023-02-24 12:08:29 +01:00 · 2023-02-24 12:08:29 +01:00 · ed5623256c
commit ed5623256c
parent 8920ce2ec5
6 changed files with 76 additions and 0 deletions
--- a/modules/profiles/desktop.nix
+++ b/modules/profiles/desktop.nix
@ -96,6 +96,7 @@ with lib; {
      openvpn.enable = true;
      printing.enable = true;
      redshift.enable = true;
+      wireguard.enable = true;
    };
  };

--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -12,5 +12,6 @@
    ./picom.nix
    ./printing.nix
    ./redshift.nix
+    ./wireguard.nix
  ];
 }
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@ -0,0 +1,41 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+
+with lib;
+let
+  cfg = config.my.services.wireguard;
+in
+{
+  options.my.services.wireguard.enable = mkEnableOption "wireguard";
+
+  config = lib.mkIf cfg.enable {
+    age.secrets = {
+      wireguard-private-key.file = ../../secrets/wireguard-private-key.age;
+      wireguard-preshared-key.file = ../../secrets/wireguard-preshared-key.age;
+    };
+    networking.firewall = {
+      allowedUDPPorts = [ 51820 ];
+    };
+    networking.wg-quick.interfaces = {
+      wg0 = {
+        autostart = false;
+        address = [ "10.8.0.3/24" ];
+        listenPort = 51820;
+        privateKeyFile = "/run/agenix/wireguard-private-key";
+        peers = [
+          {
+            publicKey = "bT/U8ko3i//vH8LNn2R56JkGMg+0GLFrZSF81BBax08=";
+            presharedKeyFile = "/run/agenix/wireguard-preshared-key";
+            # Forward all the traffic via VPN.
+            allowedIPs = [ "0.0.0.0/0" ];
+            endpoint = "wg.moritzboeh.me:51820";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}