91 lines
2.9 KiB
Nix
91 lines
2.9 KiB
Nix
# Kudos to https://github.com/notgne2
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
with lib;
|
|
let cfg = config.services.ezwg;
|
|
in {
|
|
options.services.ezwg = {
|
|
enable = mkEnableOption "Enable simple Wireguard connection";
|
|
proxy = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = "Route all your traffic through this connection";
|
|
};
|
|
lanSize = mkOption {
|
|
type = types.int;
|
|
default = 24;
|
|
description = "Size of your VLAN (only relevant if proxy is false)";
|
|
};
|
|
serverIP = mkOption {
|
|
type = types.str;
|
|
description = "The IP of the wg server";
|
|
};
|
|
serverPort = mkOption {
|
|
type = types.int;
|
|
default = 51820;
|
|
description = "The port of the wg server";
|
|
};
|
|
serverKey = mkOption {
|
|
type = types.str;
|
|
description = "The public key of the wg server";
|
|
};
|
|
privateKeyFile = mkOption {
|
|
type = types.str;
|
|
description = "Private wg key";
|
|
};
|
|
vlanIP = mkOption {
|
|
type = types.str;
|
|
description = "The IP to use on the wg VLAN";
|
|
};
|
|
};
|
|
config = mkIf cfg.enable {
|
|
networking.firewall.checkReversePath = false;
|
|
systemd.services.wireguard-wg0.wantedBy = lib.mkForce [ ];
|
|
systemd.paths.wireguard-wg0.wantedBy = lib.mkForce [ ];
|
|
systemd.services."wireguard-wg0-peer-${
|
|
lib.replaceChars [ "/" "-" " " "+" "=" ] [
|
|
"-"
|
|
"\\x2d"
|
|
"\\x20"
|
|
"\\x2b"
|
|
"\\x3d"
|
|
] cfg.serverKey
|
|
}".wantedBy = lib.mkForce [ ];
|
|
|
|
networking.wireguard.interfaces.wg0 = let
|
|
generateRangesScript =
|
|
builtins.toFile "exclusionary-wildcard-ranges-generator.py" ''
|
|
import ipaddress
|
|
n1 = ipaddress.ip_network('0.0.0.0/0')
|
|
n2 = ipaddress.ip_network('${cfg.serverIP}/32')
|
|
print(':'.join(list(map(lambda x: str(x), list(n1.address_exclude(n2))))), end="")
|
|
'';
|
|
rangesOutput = pkgs.runCommandNoCC "exclusionary-wildcard-ranges" { } ''
|
|
${pkgs.python3}/bin/python3 ${generateRangesScript} > $out
|
|
'';
|
|
generateSubnetScript =
|
|
builtins.toFile "subnet-without-host-bits-generator.py" ''
|
|
import ipaddress
|
|
n1 = ipaddress.ip_network('${cfg.vlanIP}/${
|
|
toString cfg.lanSize
|
|
}', False)
|
|
print(n1, end="")
|
|
'';
|
|
subnetOutput = pkgs.runCommandNoCC "subnet-without-host-bits" { } ''
|
|
${pkgs.python3}/bin/python3 ${generateSubnetScript} > $out
|
|
'';
|
|
ranges = lib.splitString ":" (builtins.readFile "${rangesOutput}");
|
|
subnet = builtins.readFile "${subnetOutput}";
|
|
in {
|
|
ips = [ "${cfg.vlanIP}/${toString cfg.lanSize}" ];
|
|
privateKeyFile = cfg.privateKeyFile;
|
|
peers = [{
|
|
publicKey = cfg.serverKey;
|
|
allowedIPs = if cfg.proxy then ranges else [ subnet ];
|
|
endpoint = "${cfg.serverIP}:${toString cfg.serverPort}";
|
|
persistentKeepalive = 25;
|
|
}];
|
|
};
|
|
};
|
|
}
|