authorMartin Fischer <martin@push-f.com>2024-12-27 17:55:29 +0100
committerMartin Fischer <martin@push-f.com>2024-12-29 08:52:42 +0100
commit24a3b1a96e167b809d634878d016a729969278c0 (patch)
treedd8a40c3e8e0b453d0262626e9f79d95ea20aef5 /nixos/shared/vpn.nix
parent813cc3c8d51f21b37b8eb2c5ed6abf0306a7ab0d (diff)
feat(shared): add vpn
Diffstat (limited to 'nixos/shared/vpn.nix')
-rw-r--r--nixos/shared/vpn.nix46
1 files changed, 46 insertions, 0 deletions
diff --git a/nixos/shared/vpn.nix b/nixos/shared/vpn.nix
new file mode 100644
index 0000000..44a4f2c
--- /dev/null
+++ b/nixos/shared/vpn.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+
+{
+ age.secrets.vpn-se-privKey.file = ../secrets/vpn-se-privKey.age;
+ age.secrets.vpn-se-presharedKey.file = ../secrets/vpn-se-presharedKey.age;
+
+ # We're creating the wireguard interfaces in network namespaces so that
+ # we can use them on demand:
+ # * for a command by prefixing it with `sudo ip netns exec <ns>`
+ # * for a systemd service by passing its config to joinWgNamespace from lib.nix
+
+ networking.wireguard = {
+ enable = true;
+
+ interfaces.wg-se = {
+ interfaceNamespace = "se";
+ ips = ["10.148.171.71/32"];
+ privateKeyFile = config.age.secrets.vpn-se-privKey.path;
+
+ peers = [
+ {
+ publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+ presharedKeyFile = config.age.secrets.vpn-se-presharedKey.path;
+ allowedIPs = ["0.0.0.0/0"];
+ endpoint = "se3.vpn.airdns.org:1637";
+ }
+ ];
+ };
+ };
+
+ systemd.services = {
+ # The interfaceNamespace configured for the wireguard interface needs to already exist.
+ # So we define a service to create it and add a `wants` dependency.
+ "netns@" = {
+ description = "%I network namespace";
+ before = ["network.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
+ ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
+ };
+ };
+ wireguard-wg-se.wants = ["netns@se.service"];
+ };
+}
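Review bot: `wireguard-wg-se.wants = ["netns@se.service"];` only pulls the namespace unit in; a `wants` dependency carries no ordering, so wireguard-wg-se can start before `ip netns add se` has completed and fail because the namespace the comment on the `netns@` unit says must already exist is not there yet. Add `wireguard-wg-se.after = ["netns@se.service"];` next to the `wants` line (or use `requires` plus `after` if the VPN unit should also go down when the namespace is removed); since `after` is reversed on shutdown, it also keeps `ExecStop`'s `ip netns del` from tearing the namespace down while wg-se is still inside it. Secondarily, `ExecStart = "${pkgs.iproute2}/bin/ip netns add %I"` fails when the namespace already exists (for example left behind after an unclean stop), which would then block the wireguard unit; consider making the creation step tolerant of a pre-existing namespace.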