nixos-config/config/service/wireguard-gateway.nix

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  host = config.fudo.hosts.${hostname};
  host-secrets = config.fudo.secrets.host-secrets.${hostname};

  cfg = config.fudo.services.wireguard-gateway;

  peerOpts = { name, ... }: {
    options = with types; {
      public-key = mkOption {
        type = str;
        description = "Peer public key.";
      };

      assigned-ip = mkOption {
        type = str;
        description = "IP address assigned to this peer.";
      };
    };
  };

in {
  options.fudo.services.wireguard-gateway = with types; {
    enable = mkEnableOption "Enable WireGuard gateway: let external clients join the local network.";

    network = mkOption {
      type = str;
      description = "IP address range to use for clients.";
      default = "172.16.0.0/24";
    };

    listen-port = mkOption {
      type = port;
      description = "Port on which to listen for incoming connections.";
      default = 51820;
    };

    peers = mkOption {
      type = attrsOf (submodule peerOpts);
      description = "Map of peer to peer options.";
      default = {};
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = all (peerOpts:
          pkgs.lib.ip.ipv4OnNetwork peerOpts.assigned-ip cfg.network)
          (attrValues cfg.peers);
        message = "Peer IPs must be on the assigned network.";
      }
      {
        assertion = host.wireguard.private-key-file != null;
        message = "WireGuard gateway server private key file must be set.";
      }
    ];

    fudo.secrets.host-secrets.${hostname} = {
      wireguard-gateway-privkey-file = {
        source-file = host.wireguard.private-key-file;
        target-file = "/run/wireguard-gateway/key";
      };
    };

    networking = {
      firewall.allowedUDPPorts = [ cfg.listen-port ];
      wireguard.interfaces.wg-gw0 = {
        ips = [ cfg.network ];
        listenPort = cfg.listen-port;
        postSetup =
          "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${cfg.network} -o ${cfg.external-interface} -j MASQUERADE";
        postShutdown =
          "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${cfg.network} -o ${cfg.external-interface} -j MASQUERADE";

        privateKeyFile = host-secrets.wireguard-gateway-privkey-file.target-file;

        peers = let
          peerList = attrValues cfg.peers;
        in map (peerOpts: {
          publicKey = peerOpts.public-key;
          allowedIPs = [ "${peerOpts.ip}/32" ];
        }) cfg.peers;
      };
    };
  };
}
Added live disk flake file 2022-03-16 09:49:54 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
			`hostname = config.instance.hostname;`
			`host = config.fudo.hosts.${hostname};`
			`host-secrets = config.fudo.secrets.host-secrets.${hostname};`

			`cfg = config.fudo.services.wireguard-gateway;`

			`peerOpts = { name, ... }: {`
			`options = with types; {`
			`public-key = mkOption {`
			`type = str;`
			`description = "Peer public key.";`
			`};`

			`assigned-ip = mkOption {`
			`type = str;`
			`description = "IP address assigned to this peer.";`
			`};`
			`};`
			`};`

			`in {`
			`options.fudo.services.wireguard-gateway = with types; {`
			`enable = mkEnableOption "Enable WireGuard gateway: let external clients join the local network.";`

			`network = mkOption {`
			`type = str;`
			`description = "IP address range to use for clients.";`
			`default = "172.16.0.0/24";`
			`};`

			`listen-port = mkOption {`
			`type = port;`
			`description = "Port on which to listen for incoming connections.";`
			`default = 51820;`
			`};`

			`peers = mkOption {`
			`type = attrsOf (submodule peerOpts);`
			`description = "Map of peer to peer options.";`
			`default = {};`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`assertions = [`
			`{`
			`assertion = all (peerOpts:`
			`pkgs.lib.ip.ipv4OnNetwork peerOpts.assigned-ip cfg.network)`
			`(attrValues cfg.peers);`
			`message = "Peer IPs must be on the assigned network.";`
			`}`
			`{`
			`assertion = host.wireguard.private-key-file != null;`
			`message = "WireGuard gateway server private key file must be set.";`
			`}`
			`];`

			`fudo.secrets.host-secrets.${hostname} = {`
			`wireguard-gateway-privkey-file = {`
			`source-file = host.wireguard.private-key-file;`
			`target-file = "/run/wireguard-gateway/key";`
			`};`
			`};`

			`networking = {`
			`firewall.allowedUDPPorts = [ cfg.listen-port ];`
			`wireguard.interfaces.wg-gw0 = {`
			`ips = [ cfg.network ];`
			`listenPort = cfg.listen-port;`
			`postSetup =`
			`"${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${cfg.network} -o ${cfg.external-interface} -j MASQUERADE";`
			`postShutdown =`
			`"${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${cfg.network} -o ${cfg.external-interface} -j MASQUERADE";`

			`privateKeyFile = host-secrets.wireguard-gateway-privkey-file.target-file;`

			`peers = let`
			`peerList = attrValues cfg.peers;`
			`in map (peerOpts: {`
			`publicKey = peerOpts.public-key;`
			`allowedIPs = [ "${peerOpts.ip}/32" ];`
			`}) cfg.peers;`
			`};`
			`};`
			`};`
			`}`