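# NixOS module: one systemd-networkd WireGuard netdev and network per tunnel
# declared for this host under config.site.hosts.${hostName}.wireguard.
# Tunnel entries whose value is null are skipped.
{ hostName, config, lib, ... }:

let
  # Only the non-null tunnel declarations for this host; the attribute
  # names double as the interface names used below.
  tunnels = lib.filterAttrs (_: wireguard: wireguard != null)
    config.site.hosts.${hostName}.wireguard;

  # builtins.attrNames returns names sorted, so "first" below means the
  # alphabetically first tunnel, not the first one declared.
  tunnelNames = builtins.attrNames tunnels;

  # Name of the first tunnel, or null when the host has none; it becomes
  # the NAT external interface.
  firstTunnel =
    if tunnelNames != [ ]
    then builtins.head tunnelNames
    else null;

  # True when the host has at least one tunnel; gates the NAT block.
  enabled = firstTunnel != null;
in
{
  systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
    netdevConfig = {
      Name = ifName;
      Kind = "wireguard";
    };

    # SECURITY: builtins.toFile writes the WireGuard private key into the
    # Nix store, which is world-readable, so every local user can read it
    # and it travels with the system closure to any cache or remote store
    # the closure is copied to. Prefer pointing PrivateKeyFile at an
    # out-of-store file provisioned at activation time so the key value is
    # never evaluated into the store.
    wireguardConfig.PrivateKeyFile =
      builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;

    # Exactly one peer per tunnel, taken from the tunnel declaration.
    # NOTE(review): no AllowedIPs is set here; unless it is added elsewhere,
    # WireGuard accepts and routes no traffic for this peer — confirm against
    # the rest of the site configuration.
    wireguardPeers = [
      {
        wireguardPeerConfig = {
          PublicKey = wireguard.publicKey;
          Endpoint = wireguard.endpoint;
        };
      }
    ];
  }) tunnels;

  # TODO: qdisc

  systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
    matchConfig.name = ifName;
    # One address entry per address configured on the tunnel.
    addresses = map (addr: { addressConfig.Address = addr; }) wireguard.addresses;
  }) tunnels;

  # NAT is configured only when the host has a tunnel. With several tunnels
  # only the alphabetically first one becomes the external interface; the
  # port forwards come from the host's site configuration.
  networking.nat = lib.optionalAttrs enabled {
    enable = true;
    externalInterface = firstTunnel;
    forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
  };
}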