
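{ config, lib, pkgs, options, ... }:
with lib;
let
  cfg = config.modules.services.wireguard;

  # A WireGuard interface may have no listenPort (pure initiator); only open a
  # firewall port when one is actually configured, so `null` never lands in
  # networking.firewall.allowedUDPPorts.
  portsOf = iattrs: optional (iattrs.listenPort != null) iattrs.listenPort;
in {
  # NixOS module: wraps networking.wireguard with an opinionated server/client
  # split.  `server` additionally turns the host into a NAT gateway for the
  # tunnel(s).
  options.modules.services.wireguard = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enables wireguard. \"WireGuard\" and the \"WireGuard\" logo are registered trademarks of Jason A. Donenfeld.";
    };
    server = mkOption {
      type = types.bool;
      default = false;
      description = "Configures this module to allow wireguard to act as a VPN provider on this host.";
    };
    externalInterface = mkOption {
      # nullOr: the original declared `types.str` with a `null` default, which
      # can never pass the type check, so the assertion below was unreachable.
      type = types.nullOr types.str;
      default = null;
      description = "Interface facing the outside world; tunnel traffic is masqueraded out of it. Required when `server` is true.";
    };
    interfaces = mkOption {
      type = options.networking.wireguard.interfaces.type;
      default = {};
      description = "Which interfaces wireguard should attach itself to.";
    };
  };

  config = mkIf cfg.enable (mkMerge [
    # --- server role: attach interfaces, open their ports, NAT the tunnels ---
    (mkIf cfg.server {
      assertions = [
        { assertion = cfg.externalInterface != null;
          # NixOS assertions report `message`; the original `description` key
          # was silently ignored, so the failure text was never shown.
          message = "modules.services.wireguard.externalInterface must be set if wireguard is to be set up as a server.";
        }
      ];
      environment.systemPackages = [ pkgs.nftables ];
      networking = mkMerge (
        [{
          nat.enable = true;
          nat.externalInterface = cfg.externalInterface;
          # Every WireGuard interface except the uplink is an internal side.
          nat.internalInterfaces = filter (i: i != cfg.externalInterface) (attrNames cfg.interfaces);
        }] ++
        (mapAttrsToList (iname: iattrs: {
          # WireGuard is UDP only.  The original also opened listenPort on TCP,
          # which serves nothing and needlessly widens the exposed surface.
          firewall.allowedUDPPorts = portsOf iattrs;
          wireguard.interfaces.${iname} = mkMerge [ iattrs {
            # Masquerade out of the configured uplink rather than a hard-coded
            # `eth0`, so these rules agree with `nat.externalInterface` above.
            # NOTE(review): the 10.100.0.0/24 source range is still hard-coded —
            # confirm it matches the `ips` assigned to this interface.
            postSetup = ''
              ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${cfg.externalInterface} -j MASQUERADE
            '';
            postShutdown = ''
              ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${cfg.externalInterface} -j MASQUERADE
            '';
          }];
        }) cfg.interfaces)
      );
    })

    # --- client role: attach interfaces and accept inbound handshakes ---
    # This branch was previously commented out, so an enabled non-server host
    # configured no interfaces at all.
    (mkIf (!cfg.server) {
      networking.wireguard.interfaces = cfg.interfaces;
      networking.firewall.allowedUDPPorts = concatLists (mapAttrsToList (_: portsOf) cfg.interfaces);
    })
  ]);
}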