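{ config, pkgs, lib, ... }:
# WireGuard overlay network "mgmt": one interface on this host, with the
# peer list derived from the shared ../../../meta description instead of
# being maintained by hand per machine.
let
  meta = import ../../../meta;
  network = meta.network.virtual;
  networkName = "mgmt";
  networkConfig = network.${networkName};
  # This host's entry in networkConfig.hosts is looked up by its NixOS
  # hostname, so the name there must match networking.hostName exactly.
  hostName = config.networking.hostName;
in {
  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
    "wg-${networkName}" = {
      # This host's own address on the virtual network, in CIDR form.
      ips = [
        "${networkConfig.hosts.${hostName}.v4.ip}/${
          toString networkConfig.v4.bitmask
        }"
      ];
      # The private key is created on the host itself when the file is
      # missing, rather than being provisioned from elsewhere.
      privateKeyFile = "/secrets/wireguard/private/${networkName}";
      generatePrivateKeyFile = true;

      peers = let
        # Build one peer entry from a host's description in meta.
        mapHostToPeerConfig = host: netconf: {
          # Generate the preshared key with wg genpsk; one file per
          # (network, peer) pair.
          presharedKeyFile =
            "/secrets/wireguard/preshared/${networkName}-${host}";
          publicKey = netconf.publicKey;
          # May be null for hosts without a fixed address; such hosts are
          # only listed when this host is the network's server (see
          # reachablePeerHosts below).
          endpoint = netconf.endpoint;
          # Only the peer's own virtual address is routed to it.
          # NOTE(review): v4.ip carries no prefix length here -- confirm it
          # is treated as a single-host entry.
          allowedIPs = [ netconf.v4.ip ];
          # The NixOS option is spelled "persistentKeepalive"; any other
          # spelling is not a peer option and fails module evaluation.
          persistentKeepalive = netconf.persistentKeepalive;
        };
        # Peers this host configures: never itself, and only hosts that
        # expose an endpoint -- unless this host is the network's server,
        # in which case every other host is listed regardless of endpoint.
        reachablePeerHosts = lib.filterAttrs (host: netconf:
          host != hostName
          && (netconf.endpoint != null || networkConfig.server == hostName))
          networkConfig.hosts;
      in lib.mapAttrsToList mapHostToPeerConfig reachablePeerHosts;
    };
  };
}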