From bd0e5a3f5cb05e4d94de13a038d81a97fe9c1272 Mon Sep 17 00:00:00 2001 From: Alexander Bantyev Date: Sat, 27 Mar 2021 12:32:40 +0300 Subject: [PATCH] Fix wireguard --- machines/AMD-Workstation/default.nix | 47 ++++++++++------- modules/default.nix | 5 +- modules/ezwg.nix | 78 ++++++++++++++++++++++++++++ profiles/desktop.nix | 1 + 4 files changed, 111 insertions(+), 20 deletions(-) create mode 100644 modules/ezwg.nix diff --git a/machines/AMD-Workstation/default.nix b/machines/AMD-Workstation/default.nix index 90f6773..428c389 100644 --- a/machines/AMD-Workstation/default.nix +++ b/machines/AMD-Workstation/default.nix @@ -22,25 +22,36 @@ boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; - secrets.wireguard-serokell = { }; + secrets.wireguard-wg0 = { }; - networking.wireguard.interfaces.serokell = { - listenPort = 51820; - ips = [ - "172.20.0.52/32" - # "fd73:7272:ed50::52/128" - ]; - privateKeyFile = config.secrets.wireguard-serokell.decrypted; - peers = [{ - allowedIPs = [ - "0.0.0.0/0" - # "::/0" - ]; - # endpoint = "serokell.net:35944"; - endpoint = "147.75.100.17:35944"; - publicKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw="; - persistentKeepalive = 24; - }]; + # networking.wireguard.interfaces.serokell = { + # listenPort = 51820; + # ips = [ + # "172.20.0.52/32" + # # "fd73:7272:ed50::52/128" + # ]; + # privateKeyFile = config.secrets.wireguard-serokell.decrypted; + # peers = [{ + # allowedIPs = [ + # "0.0.0.0/0" + # # "::/0" + # ]; + # # endpoint = "serokell.net:35944"; + # endpoint = "147.75.100.17:35944"; + # publicKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw="; + # persistentKeepalive = 24; + # }]; + # }; + + services.ezwg = { + enable = true; + proxy = true; + lanSize = 32; + serverIP = "147.75.100.17"; + serverPort = 35944; + serverKey = "sgLUARawWJejANs2CwuCptwJO55c4jkmnP0L14FNCyw="; + privateKeyFile = config.secrets.wireguard-wg0.decrypted; + vlanIP = "172.20.0.52"; }; # restart when the service fails to resolve DNS 
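Review bot: The replaced `networking.wireguard.interfaces.serokell` definition is kept as eighteen commented-out lines between `secrets.wireguard-wg0` and `services.ezwg`; delete them, git history already holds the old configuration and every value now lives in the `services.ezwg` options. Switching to the module also has a side effect this hunk does not show: `modules/ezwg.nix` in the same patch sets `networking.firewall.checkReversePath = false` unconditionally whenever `services.ezwg.enable` is true, so this workstation loses reverse-path filtering on all interfaces, which the explicit interface definition never did; if that is not intended here, override it with `networking.firewall.checkReversePath = "loose";` next to the `services.ezwg` block (assuming the pinned nixpkgs accepts the enum value). The old `listenPort = 51820` has no counterpart in the module, so wg0 presumably now binds an ephemeral port; that is fine for a roaming client, but worth a line in the commit message if any firewall rule or the peer's endpoint referenced 51820.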
diff --git a/modules/default.nix b/modules/default.nix index 4f0b4d6..b2fb57c 100755 --- a/modules/default.nix +++ b/modules/default.nix @@ -16,6 +16,7 @@ builtins.listToAttrs (builtins.map (path: { ./applications/yt-utilities.nix ./boot.nix ./devices.nix + ./ezwg.nix ./hardware.nix ./network.nix ./nix.nix @@ -25,15 +26,15 @@ builtins.listToAttrs (builtins.map (path: { ./secrets.nix ./security.nix ./servers/gitea.nix + ./servers/home-assistant.nix ./servers/jitsi.nix ./servers/mailserver.nix + ./servers/mastodon.nix ./servers/matrix-synapse.nix ./servers/minidlna.nix ./servers/nextcloud.nix ./servers/nginx.nix ./servers/vsftpd.nix - ./servers/home-assistant.nix - ./servers/mastodon.nix ./services.nix ./themes.nix ./virtualisation.nix diff --git a/modules/ezwg.nix b/modules/ezwg.nix new file mode 100644 index 0000000..0a6978c --- /dev/null +++ b/modules/ezwg.nix 
@@ -0,0 +1,78 @@ +# Kudos to https://github.com/notgne2 + +{ config, lib, pkgs, ... }: +with lib; +let cfg = config.services.ezwg; +in { + options.services.ezwg = { + enable = mkEnableOption "Enable simple Wireguard connection"; + proxy = mkOption { + type = types.bool; + default = true; + description = "Route all your traffic through this connection"; + }; + lanSize = mkOption { + type = types.int; + default = 24; + description = "Size of your VLAN (only relevant if proxy is false)"; + }; + serverIP = mkOption { + type = types.str; + description = "The IP of the wg server"; + }; + serverPort = mkOption { + type = types.int; + default = 51820; + description = "The port of the wg server"; + }; + serverKey = mkOption { + type = types.str; + description = "The public key of the wg server"; + }; + privateKeyFile = mkOption { + type = types.str; + description = "Private wg key"; + }; + vlanIP = mkOption { + type = types.str; + description = "The IP to use on the wg VLAN"; + }; + }; + config = mkIf cfg.enable { + networking.firewall.checkReversePath = false; + networking.wireguard.interfaces.wg0 = let + generateRangesScript = + builtins.toFile "exclusionary-wildcard-ranges-generator.py" '' + import ipaddress + n1 = ipaddress.ip_network('0.0.0.0/0') + n2 = ipaddress.ip_network('${cfg.serverIP}/32') + print(':'.join(list(map(lambda x: str(x), list(n1.address_exclude(n2))))), end="") + ''; + rangesOutput = pkgs.runCommandNoCC "exclusionary-wildcard-ranges" { } '' + ${pkgs.python3}/bin/python3 ${generateRangesScript} > $out + ''; + generateSubnetScript = + builtins.toFile "subnet-without-host-bits-generator.py" '' + import ipaddress + n1 = ipaddress.ip_network('${cfg.vlanIP}/${ + toString cfg.lanSize + }', False) + print(n1, end="") + ''; + subnetOutput = pkgs.runCommandNoCC "subnet-without-host-bits" { } '' + ${pkgs.python3}/bin/python3 ${generateSubnetScript} > $out + ''; + ranges = lib.splitString ":" (builtins.readFile "${rangesOutput}"); + subnet = builtins.readFile 
"${subnetOutput}"; + in { + ips = [ "${cfg.vlanIP}/${toString cfg.lanSize}" ]; + privateKeyFile = cfg.privateKeyFile; + peers = [{ + publicKey = cfg.serverKey; + allowedIPs = if cfg.proxy then ranges else [ subnet ]; + endpoint = "${cfg.serverIP}:${toString cfg.serverPort}"; + persistentKeepalive = 25; + }]; + }; + }; +} diff --git a/profiles/desktop.nix b/profiles/desktop.nix index 3120719..c8d2aec 100644 --- a/profiles/desktop.nix +++ b/profiles/desktop.nix @@ -3,6 +3,7 @@ ./base.nix applications + ezwg hardware power services