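{ config, ... }:
# WireGuard hub for this host, driven by systemd-networkd, with all key
# material delivered through sops-nix. Peers are declared once in `peers`
# below; both the sops secret for each peer's pre-shared key and the
# [WireGuardPeer] section are generated from that list, so adding a peer no
# longer means editing two places by hand.
let
  # UDP port the tunnel listens on. Nothing in this module opens it in the
  # host firewall; if `networking.firewall` is enabled elsewhere, the port
  # must be allowed there (`networking.firewall.allowedUDPPorts = [ port ];`)
  # or no handshake will ever arrive — confirm where that is configured.
  port = 51280;

  # Path component for the sops secrets and basis of the interface name.
  hostname = "stronghold";

  # First three octets of the tunnel's /24. This host is `.1`; each peer is
  # confined to `.${id}/32`.
  subnet_prefix = "10.13.14";

  # Peers of this hub.
  #   name      - leaf name of the peer's PSK in ./secrets.yaml
  #               (`dotspace/${hostname}/keys/wireguard/${name}.psk`)
  #   id        - host octet of the single tunnel address the peer may use
  #   publicKey - the PEER's WireGuard public key (not this host's)
  # NOTE(review): the previous, unused `peers` entry carried `id = 3` while
  # the hand-written peer block used `.2/32`; `id = 2` keeps the address the
  # phone has been using. Confirm against the phone's own config before
  # changing it.
  peers = [
    {
      name = "lauren-phone";
      id = 2;
      publicKey = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
    }
  ];

  ifname = "wg.${hostname}";

  # Name of a per-host secret inside the sops file.
  secretName = leaf: "dotspace/${hostname}/keys/wireguard/${leaf}";

  # Leaf name of a peer's pre-shared key secret.
  pskLeaf = peer: "${peer.name}.psk";

  # Key material must be readable by systemd-networkd, which runs as the
  # `systemd-network` user: owner root, group-readable, nothing for others.
  keySecret = {
    mode = "0640";
    group = "systemd-network";
    sopsFile = ./secrets.yaml;
  };

  # Resolve the on-disk path from the sops-nix option instead of hard-coding
  # /run/secrets, so a changed secrets mount point cannot silently point
  # networkd at a file that does not exist.
  secretPath = leaf: config.sops.secrets.${secretName leaf}.path;
in {
  # One secret for this host's private key plus one PSK per peer.
  sops.secrets = builtins.listToAttrs (map (leaf: {
    name = secretName leaf;
    value = keySecret;
  }) ([ "private.key" ] ++ map pskLeaf peers));

  systemd.network.networks."90-${ifname}" = {
    matchConfig.Name = ifname;
    address = [ "${subnet_prefix}.1/24" ];
    networkConfig = {
      # Peers egress through this host: NAT their tunnel addresses behind it
      # and allow packets arriving on the tunnel to be forwarded.
      IPMasquerade = "ipv4";
      IPv4Forwarding = true;
      # NOTE(review): this only sets forwarding on the tunnel interface.
      # Return traffic arriving on the upstream interface also needs
      # forwarding enabled there (networkd.conf `IPv4Forwarding=` or a
      # sysctl) — confirm that is set elsewhere.
    };
  };

  systemd.network.netdevs."50-${ifname}" = {
    netdevConfig = {
      Kind = "wireguard";
      Name = ifname;
      # Leaves headroom for the WireGuard and outer IP/UDP overhead.
      MTUBytes = "1300";
    };
    wireguardConfig = {
      PrivateKeyFile = secretPath "private.key";
      ListenPort = port;
      RouteTable = "main";
    };
    # Cryptokey routing: each peer may only source traffic from its own /32,
    # and only that address is routed back to it. The PSK adds a symmetric
    # secret on top of the public-key handshake.
    wireguardPeers = map (peer: {
      PresharedKeyFile = secretPath (pskLeaf peer);
      PublicKey = peer.publicKey;
      AllowedIPs = [ "${subnet_prefix}.${toString peer.id}/32" ];
    }) peers;
  };
}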