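{ config, pkgs, ... }:
{
  # WireGuard private key for the Swedish gateway. It is an agenix secret:
  # only the encrypted .age file is referenced from the configuration, and the
  # interface is pointed at the decrypted path at runtime, so the key never
  # ends up in the world-readable Nix store.
  age.secrets.vpn-se-privKey.file = ../secrets/vpn-se-privKey.age;

  # The WireGuard interface lives in its own network namespace ("se") so the
  # tunnel can be used on demand:
  #   * for a command, by prefixing it with `sudo ip netns exec se <cmd>`
  #   * for a systemd service, by passing its config to joinWgNamespace
  #     from helpers.nix
  # Because the namespace has no interface other than wg-se, anything started
  # inside it can only reach the outside through the tunnel — there is no
  # fallback to the host's uplink when the tunnel is down. The encrypted UDP
  # transport itself stays in the init namespace, which is what lets it reach
  # the gateway.
  # NOTE(review): name resolution inside the namespace is not configured here.
  # `ip netns exec` bind-mounts /etc/netns/se/resolv.conf over /etc/resolv.conf
  # when that file exists; otherwise processes in the namespace use the host's
  # resolver, which is probably not reachable via the tunnel — confirm.
  networking.wireguard = {
    enable = true;
    interfaces.wg-se = {
      interfaceNamespace = "se";
      ips = [ "10.128.241.130/32" ];
      privateKeyFile = config.age.secrets.vpn-se-privKey.path;
      peers = [
        {
          # Pins the gateway's identity: a spoofed DNS answer for the endpoint
          # can only break the tunnel, not impersonate the peer.
          publicKey = "sb61ho9MhaxhJd6WSrryVmknq0r6oHEW7PP5i4lzAgM=";
          # IPv4 default route inside the namespace goes through the tunnel.
          # NOTE(review): no "::/0" here, so IPv6 traffic originating inside
          # the namespace is not carried by the tunnel (it has nowhere else to
          # go either, given no other interface) — confirm that is intended.
          allowedIPs = [ "0.0.0.0/0" ];
          endpoint = "se.gw.xeovo.com:51820";
        }
      ];
    };
  };

  systemd.services = {
    # The interfaceNamespace must already exist when the WireGuard setup
    # script moves wg-se into it, so a templated oneshot creates the
    # namespace and removes it again on stop.
    "netns@" = {
      description = "%I network namespace";
      before = [ "network.target" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # `ip netns add` fails when the namespace already exists (e.g. left
        # over from an unclean shutdown or created by hand), so only create it
        # when /run/netns/<name> is absent. This keeps restarts idempotent.
        ExecStart = "${pkgs.writeShellScript "netns-add" ''
          [ -e "/run/netns/$1" ] || exec ${pkgs.iproute2}/bin/ip netns add "$1"
        ''} %I";
        ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
      };
    };

    # `wants` alone only pulls the namespace unit in; without `after`, systemd
    # may start wireguard-wg-se concurrently and the move of the interface into
    # the namespace races the namespace's creation. `requires` additionally
    # refuses to bring the tunnel up at all if the namespace could not be
    # created, instead of leaving a half-configured interface behind.
    wireguard-wg-se = {
      requires = [ "netns@se.service" ];
      after = [ "netns@se.service" ];
    };
  };
}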