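# NixOS module: WireGuard client for the pub-solar cluster control plane.
#
# Declares the `pub-solar.wireguard-client.*` options and configures the
# `wg0` interface through `networking.wireguard` (kernel-module backend, not
# wg-quick), an optional resolvconf hook for in-tunnel DNS, and the firewall
# opening for the listen port.
{ lib, config, pkgs, ... }:
let
  inherit (lib) mkOption mkIf mkForce types;

  cfg = config.pub-solar.wireguard-client;

  # UDP port wg0 listens on; the same value is opened in the firewall so the
  # peer can initiate handshakes towards this host.
  listenPort = 51899;

  # Extra allowedIPs when all traffic is to be routed through the tunnel;
  # otherwise only the cluster prefixes listed on the peer are routed via wg0.
  fullTunnelIPs = if cfg.fullTunnel then [ "0.0.0.0/0" "::/0" ] else [ ];
in
{
  options.pub-solar.wireguard-client = {
    ownIPs = mkOption {
      description = ''
        Internal ips in wireguard used for cluster control-plane communication.
      '';
      type = types.listOf types.str;
    };

    wireguardPrivateKeyFile = mkOption {
      description = ''
        Location of private key file
      '';
      # NOTE(review): `types.path` also accepts a path literal such as
      # `./wg.key`; that file would then be copied into the world-readable
      # Nix store. Pass a string pointing at a root-only runtime location
      # (e.g. the output path of a secrets tool) instead.
      type = types.path;
    };

    useDNS = mkOption {
      description = ''
        Whether to use the wireguard DNS
      '';
      default = true;
      type = types.bool;
    };

    dnsServers = mkOption {
      description = ''
        Nameservers handed to resolvconf for wg0 while useDNS is enabled.
      '';
      default = [ "10.13.12.7" "fd00:b12f:acab:1312:acab:7::" ];
      type = types.listOf types.str;
    };

    fullTunnel = mkOption {
      description = ''
        Whether to tunnel all traffic through the wireguard VPN
      '';
      default = false;
      type = types.bool;
    };
  };

  config = {
    networking.firewall.allowedUDPPorts = [ listenPort ];

    systemd.services.wireguard-wg0 = {
      # The endpoint is a DNS name: wait for the network and the resolver
      # before the unit starts.
      after = [ "network.target" "network-online.target" "nss-lookup.target" ];
      serviceConfig = {
        # Override the Type the wireguard module sets so that Restart= takes
        # effect when setup fails (e.g. endpoint resolution).
        Type = mkForce "simple";
        Restart = "on-failure";
        RestartSec = "30";
      };
      environment = {
        # Keep retrying endpoint DNS resolution instead of giving up.
        WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
      };
      # NOTE(review): postSetup/postShutdown below call `resolvconf`; confirm
      # it is on this unit's PATH on the target hosts, otherwise add it via
      # `path`.
    };

    networking.wireguard.interfaces.wg0 = {
      inherit listenPort;
      mtu = 1300;
      ips = cfg.ownIPs;
      privateKeyFile = cfg.wireguardPrivateKeyFile;

      # Register the in-tunnel resolvers exclusively (-x) for wg0 while the
      # tunnel is up and drop them again on shutdown. Each server becomes one
      # `nameserver …` line; the list is shell-quoted before interpolation.
      postSetup = mkIf cfg.useDNS ''
        printf '%s\n' ${lib.escapeShellArgs (map (ns: "nameserver ${ns}") cfg.dnsServers)} | resolvconf -a wg0 -m 0 -x
      '';
      postShutdown = mkIf cfg.useDNS ''
        resolvconf -d wg0 -f
      '';

      peers = [
        {
          # frikandel
          publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
          # NOTE(review): with the kernel-module backend the 0.0.0.0/0 and ::/0
          # allowedIPs are installed as plain routes; unlike wg-quick there is
          # no fwmark/policy-routing exemption for the endpoint itself, so
          # verify the endpoint stays reachable outside the tunnel when
          # fullTunnel is enabled.
          allowedIPs = [ "10.13.12.0/24" "fd00:b12f:acab:1312::/64" ] ++ fullTunnelIPs;
          endpoint = "vpn.b12f.io:51899";
          persistentKeepalive = 25;
        }
      ];
    };
  };
}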