74 lines
1.7 KiB
Nix
74 lines
1.7 KiB
Nix
{ pkgs, lib, config, ... }:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.fudo.vpn;
|
|
|
|
peerOpts = { peer-name, ... }: {
|
|
options = with types; {
|
|
public-key = mkOption {
|
|
type = str;
|
|
description = "Peer public key.";
|
|
};
|
|
|
|
allowed-ips = mkOption {
|
|
type = listOf str;
|
|
description = "List of allowed IP ranges from which this peer can connect.";
|
|
example = [ "10.100.0.0/16" ];
|
|
default = [];
|
|
};
|
|
};
|
|
};
|
|
|
|
in {
|
|
options.fudo.vpn = with types; {
|
|
enable = mkEnableOption "Enable Fudo VPN";
|
|
|
|
ips = mkOption {
|
|
type = str;
|
|
description = "IP range to assign this interface.";
|
|
default = "10.100.0.0/16";
|
|
};
|
|
|
|
private-key-file = mkOption {
|
|
type = str;
|
|
description = "Path to the secret key (generated with wg [genkey/pubkey]).";
|
|
example = "/path/to/secret.key";
|
|
};
|
|
|
|
listen-port = mkOption {
|
|
type = port;
|
|
description = "Port on which to listen for incoming connections.";
|
|
default = 51820;
|
|
};
|
|
|
|
peers = mkOption {
|
|
type = loaOf (submodule peerOpts);
|
|
description = "A list of peers allowed to connect.";
|
|
default = {};
|
|
example = {
|
|
peer0 = {
|
|
public-key = "xyz";
|
|
allowed-ips = ["10.100.1.0/24"];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
networking.wireguard = {
|
|
enable = true;
|
|
interfaces.wgtun0 = {
|
|
generatePrivateKeyFile = false;
|
|
ips = [ cfg.ips ];
|
|
listenPort = cfg.listen-port;
|
|
peers = mapAttrsToList (peer-name: peer-config: {
|
|
publicKey = peer-config.public-key;
|
|
allowedIPs = peer-config.allowed-ips;
|
|
}) cfg.peers;
|
|
privateKeyFile = cfg.private-key-file;
|
|
};
|
|
};
|
|
};
|
|
}
|