dendrify: comfy-station
This commit is contained in:
@@ -1,35 +1,36 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
cfg = config.hive.wg.client;
|
||||
peers = import ./peers.nix {inherit lib;};
|
||||
in {
|
||||
options.hive.wg.client = {
|
||||
enable = lib.mkEnableOption "Enable WireGuard client";
|
||||
autoConnect = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Automatically connect to the WireGuard server with systemd";
|
||||
flake.nixosModules.wireguard-client = {
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
cfg = config.hive.wg.client;
|
||||
peers = import ./_peers.nix {inherit lib;};
|
||||
in {
|
||||
options.hive.wg.client = {
|
||||
autoConnect = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Automatically connect to the WireGuard server with systemd";
|
||||
};
|
||||
peer = lib.mkOption {
|
||||
type = lib.types.singleLineStr;
|
||||
example = "comfy-station";
|
||||
description = "The name of the peer defined in peers.nix to incarnate";
|
||||
};
|
||||
privateKeyFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "Path to the private key file for the WireGuard client";
|
||||
};
|
||||
};
|
||||
peer = lib.mkOption {
|
||||
type = lib.types.singleLineStr;
|
||||
example = "comfy-station";
|
||||
description = "The name of the peer defined in peers.nix to incarnate";
|
||||
};
|
||||
privateKeyFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "Path to the private key file for the WireGuard client";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
networking.wg-quick.interfaces.wg0 = {
|
||||
address = peers.clientAddress cfg.peer;
|
||||
inherit (cfg) privateKeyFile;
|
||||
autostart = cfg.autoConnect;
|
||||
peers = peers.forClient cfg.peer;
|
||||
config = {
|
||||
networking.wg-quick.interfaces.wg0 = {
|
||||
address = peers.clientAddress cfg.peer;
|
||||
inherit (cfg) privateKeyFile;
|
||||
autostart = cfg.autoConnect;
|
||||
peers = peers.forClient cfg.peer;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
{...}: {
|
||||
imports = [./client.nix ./server.nix];
|
||||
}
|
||||
@@ -1,46 +1,47 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
cfg = config.hive.wg.server;
|
||||
peers = import ./peers.nix {inherit lib;};
|
||||
in {
|
||||
options.hive.wg.server = {
|
||||
enable = lib.mkEnableOption "Enable WireGuard server";
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 51820;
|
||||
description = "Port for WireGuard server";
|
||||
flake.nixosModules.wireguard-server = {
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
cfg = config.hive.wg.server;
|
||||
peers = import ./peers.nix {inherit lib;};
|
||||
in {
|
||||
options.hive.wg.server = {
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 51820;
|
||||
description = "Port for WireGuard server";
|
||||
};
|
||||
privateKeyFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "Path to the private key file for the WireGuard server";
|
||||
};
|
||||
};
|
||||
privateKeyFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "Path to the private key file for the WireGuard server";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# Firewall rule
|
||||
networking.firewall.allowedUDPPorts = [cfg.port];
|
||||
config = {
|
||||
# Firewall rule
|
||||
networking.firewall.allowedUDPPorts = [cfg.port];
|
||||
|
||||
# Interface without internet routing
|
||||
networking.wireguard.interfaces."wg0" = {
|
||||
ips = ["10.10.10.1/24"];
|
||||
listenPort = cfg.port;
|
||||
inherit (cfg) privateKeyFile;
|
||||
# Interface without internet routing
|
||||
networking.wireguard.interfaces."wg0" = {
|
||||
ips = ["10.10.10.1/24"];
|
||||
listenPort = cfg.port;
|
||||
inherit (cfg) privateKeyFile;
|
||||
|
||||
peers = peers.forServer;
|
||||
peers = peers.forServer;
|
||||
|
||||
# Allow p2p traffic
|
||||
postSetup = ''
|
||||
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
|
||||
'';
|
||||
# Allow p2p traffic
|
||||
postSetup = ''
|
||||
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
|
||||
'';
|
||||
|
||||
# Undo the above
|
||||
postShutdown = ''
|
||||
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT
|
||||
'';
|
||||
# Undo the above
|
||||
postShutdown = ''
|
||||
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user