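{ hostName, config, lib, ... }:

# NixOS module: one systemd-networkd WireGuard netdev + network per tunnel
# declared under config.site.hosts.<hostName>.wireguard, plus NAT through the
# first tunnel when any tunnel exists.
let
  # All tunnels declared for this host; attributes set to null mean
  # "no tunnel" and are dropped.
  tunnels = lib.filterAttrs (_: wireguard:
    wireguard != null
  ) config.site.hosts.${hostName}.wireguard;

  tunnelNames = builtins.attrNames tunnels;

  # attrNames returns names in sorted order, so this is the alphabetically
  # first tunnel, not the first one written in the site config.
  firstTunnel =
    if tunnelNames != [ ]
    then builtins.head tunnelNames
    else null;

  # Single source of truth for "this host has at least one tunnel".
  enabled = firstTunnel != null;
in
{
  systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
    netdevConfig = {
      Name = ifName;
      Kind = "wireguard";
    };
    # NOTE(review): builtins.toFile writes the private key into the
    # world-readable /nix/store. PrivateKeyFile should point at a file that
    # lives outside the store (provisioned at activation/boot) — confirm
    # before relying on this in production.
    wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;
    # Exactly one peer per tunnel: the remote's public key and endpoint.
    wireguardPeers = [ {
      wireguardPeerConfig = {
        PublicKey = wireguard.publicKey;
        Endpoint = wireguard.endpoint;
      };
    } ];
  }) tunnels;

  # TODO: qdisc

  systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
    # systemd.network [Match] keys are case-sensitive; the interface-name
    # key is `Name`, so `name` would not match the netdev created above.
    matchConfig.Name = ifName;
    addresses = map (addr: {
      addressConfig.Address = addr;
    }) wireguard.addresses;
  }) tunnels;

  # NAT is configured only when a tunnel exists; reuses `enabled` so the
  # guard cannot drift from the definition of firstTunnel.
  networking.nat = lib.optionalAttrs enabled {
    enable = true;
    externalInterface = firstTunnel;
    forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
  };
}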