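{
  config,
  pkgs,
  lib,
  ...
}: let
  # Single source of truth for the WireGuard UDP port. The firewall rule and
  # the interface's listenPort must agree; with the port hard-coded in one
  # place and read from config.local in the other, overriding
  # config.local.wireguard-peer-port would open the wrong port.
  wireguardPort = config.local.wireguard-peer-port or 51820;
in {
  networking.firewall.allowedUDPPorts = [wireguardPort];

  networking.wireguard = {
    enable = true;
    interfaces = {
      # Network interface name; it can be chosen arbitrarily.
      wg0 = {
        # The IP address and subnet of this peer.
        #ips = ["fc00:5182::1:2/112"];
        ips = [config.local.wireguard-peer-ip];

        # WireGuard port; must be reachable by peers.
        listenPort = wireguardPort;

        # NOTE(review): no privateKey / privateKeyFile is set on this interface.
        # Unless it is defined in another module, the NixOS wireguard module
        # has no key to bring the tunnel up with. Prefer privateKeyFile pointing
        # at a sops-managed secret so the private key never enters the Nix store.

        peers = [
          {
            ## NOTE! CHECK THE .sops.yaml and RUN SOPS `sops updatekeys`!
            name = config.local.wireguard-peer-name or "default-wireguard-peer";

            # The peer's public key is not secret, and the publicKey option
            # expects a plain string at evaluation time. A sops secret is an
            # attribute set describing a file that only exists after
            # activation, so it cannot be used here; fill in the real key.
            publicKey = "<PEER_PUBLIC_KEY_BASE64>"; # placeholder (constructed value) - replace

            # Use the *File variant with the decrypted secret's path so the
            # preshared key is read at runtime instead of being copied into
            # the world-readable Nix store.
            presharedKeyFile = config.sops.secrets.wireguard_preshared.path;

            allowedIPs = [
              "::/0" # Route all IPv6 traffic through the VPN, TODO: Dynamic Function to choose between different options
            ];

            # Remote peer's address and listen port; this is independent of
            # the local wireguardPort above.
            endpoint = "wireguard.prg-radio.org:51820";
            # ToDo: route to endpoint not automatically configured
            # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing
            # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577

            # Send a keepalive every 60 seconds so NAT / stateful-firewall
            # mappings stay alive. 25 s is the value usually recommended;
            # lower this if the NAT in front of the host expires entries sooner.
            persistentKeepalive = 60;
          }
        ];
      };
    };
  };
}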