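# NixOS module: a WireGuard interface (wg-se) that lives in its own network
# namespace ("se"), plus the oneshot service that creates that namespace.
#
# Key material is provided by agenix (age.secrets.*); only the decrypted
# file paths are referenced here, never the keys themselves.
{ config, pkgs, ... }:
{
  age.secrets.vpn-se-privKey.file = ../secrets/vpn-se-privKey.age;
  age.secrets.vpn-se-presharedKey.file = ../secrets/vpn-se-presharedKey.age;

  # We're creating the wireguard interfaces in network namespaces so that
  # we can use them on demand:
  # * for a command by prefixing it with `sudo ip netns exec <ns>`
  # * for a systemd service by passing its config to joinWgNamespace from lib.nix
  networking.wireguard = {
    enable = true;
    interfaces.wg-se = {
      # The namespace must exist before the interface is moved into it;
      # see the netns@ service and the wireguard-wg-se ordering below.
      interfaceNamespace = "se";
      ips = [ "10.148.171.71/32" ];
      privateKeyFile = config.age.secrets.vpn-se-privKey.path;
      peers = [
        {
          publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
          presharedKeyFile = config.age.secrets.vpn-se-presharedKey.path;
          # Route everything inside the namespace through the tunnel.
          allowedIPs = [ "0.0.0.0/0" ];
          endpoint = "se3.vpn.airdns.org:1637";
        }
      ];
    };
  };

  systemd.services = {
    # The interfaceNamespace configured for the wireguard interface needs to already exist.
    # So we define a templated service to create it and make the wireguard
    # unit depend on it.
    "netns@" = {
      description = "%I network namespace";
      before = [ "network.target" ];
      serviceConfig = {
        Type = "oneshot";
        # Keep the unit "active" after `ip netns add` returns so dependents
        # can bind to it and ExecStop runs on teardown.
        RemainAfterExit = true;
        ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
        ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
      };
    };

    # `wants` only pulls the namespace unit in; it does not order the two
    # units, so the interface could be created (and moved into "se") before
    # `ip netns add se` has finished. `after` provides the actual ordering.
    wireguard-wg-se = {
      wants = [ "netns@se.service" ];
      after = [ "netns@se.service" ];
    };
  };
}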