62 lines
1.6 KiB
Nix
62 lines
1.6 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.dadada.vpnServer;
|
|
wgPeer = { name, ... }: {
|
|
options = {
|
|
name = mkOption {
|
|
internal = true;
|
|
default = name;
|
|
};
|
|
id = mkOption {
|
|
description = "VPN client id";
|
|
default = 0;
|
|
type = types.str;
|
|
};
|
|
key = mkOption {
|
|
description = "VPN client public key";
|
|
default = "";
|
|
type = types.str;
|
|
};
|
|
};
|
|
};
|
|
in
|
|
{
|
|
options.dadada.vpnServer = {
|
|
enable = mkEnableOption "Enable wireguard gateway";
|
|
peers = mkOption {
|
|
description = "Set of extensions and public keys of peers";
|
|
type = with types; attrsOf (submodule wgPeer);
|
|
default = { };
|
|
};
|
|
};
|
|
config = mkIf cfg.enable {
|
|
networking.wireguard = {
|
|
enable = true;
|
|
interfaces."wg0" = {
|
|
allowedIPsAsRoutes = true;
|
|
privateKeyFile = "/var/lib/wireguard/wg0-key";
|
|
ips = [ "fd42:9c3b:f96d:0201::0/64" ];
|
|
listenPort = 51234;
|
|
peers = map
|
|
(peer: (
|
|
{
|
|
allowedIPs = [ "fd42:9c3b:f96d:0201::${peer.id}/128" ];
|
|
publicKey = peer.key;
|
|
}))
|
|
(attrValues cfg.peers);
|
|
postSetup = ''
|
|
wg set wg0 fwmark 51234
|
|
ip -6 route add table 2468 fd42:9c3b:f96d::/48 dev ens3
|
|
ip -6 route add table 2468 fd42:9c3b:f96d:201::/64 dev wg0
|
|
ip -6 rule add fwmark 51234 table 2468
|
|
'';
|
|
};
|
|
};
|
|
boot.kernel.sysctl = {
|
|
# Enable forwarding for VPN
|
|
"net.ipv6.conf.all.forwarding" = true;
|
|
};
|
|
};
|
|
}
|