dotfiles/modules/services/wireguard.nix

42 lines
1 KiB
Nix
Raw Normal View History

2023-02-24 12:08:29 +01:00
{ config
, lib
, pkgs
, ...
}:
with lib;
let
cfg = config.my.services.wireguard;
in
{
options.my.services.wireguard.enable = mkEnableOption "wireguard";
config = lib.mkIf cfg.enable {
age.secrets = {
wireguard-private-key.file = ../../secrets/wireguard-private-key.age;
wireguard-preshared-key.file = ../../secrets/wireguard-preshared-key.age;
};
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
networking.wg-quick.interfaces = {
wg0 = {
autostart = false;
address = [ "10.8.0.3/24" ];
listenPort = 51820;
privateKeyFile = "/run/agenix/wireguard-private-key";
peers = [
{
publicKey = "bT/U8ko3i//vH8LNn2R56JkGMg+0GLFrZSF81BBax08=";
presharedKeyFile = "/run/agenix/wireguard-preshared-key";
# Forward all the traffic via VPN.
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "wg.moritzboeh.me:51820";
persistentKeepalive = 25;
}
];
};
};
};
}