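{ lib, config, pkgs, ... }:
let
  cfg = config.pub-solar.wireguard.private;

  # Fixed parameters of the wg-private mesh. They are kept as constants rather
  # than options: every member of the mesh talks to the same hub and resolver.
  ifname = "wg-private";
  wgPort = 51899;
  endpointHost = "vpn.b12f.io";
  # Resolver that lives inside the tunnel; its addresses fall within the hub
  # peer's allowedIPs below, so lookups are routed through the tunnel.
  dnsServers = [ "10.13.12.7" "fd00:b12f:acab:1312:acab:7::" ];

  # Absolute tool paths so the postSetup hook does not depend on whatever PATH
  # the generated systemd unit happens to have.
  ip = "${pkgs.iproute2}/bin/ip";
  dig = "${pkgs.dnsutils}/bin/dig";
  grep = "${pkgs.gnugrep}/bin/grep";
  awk = "${pkgs.gawk}/bin/awk";
  head = "${pkgs.coreutils}/bin/head";
  resolvectl = "${pkgs.systemd}/bin/resolvectl";

  # Send every DNS lookup of this host (`~.` = all domains) to the tunnel's
  # resolver via systemd-resolved.
  dnsSetup = ''
    ${resolvectl} dns ${ifname} ${lib.concatStringsSep " " dnsServers}
    ${resolvectl} domain ${ifname} ~.
  '';

  # Move the host's default route onto the tunnel while keeping the encrypted
  # traffic to the endpoint itself on the physical uplink. Without the pinned
  # host routes, the tunnel's own UDP packets would be routed back into the
  # tunnel once the default route points at ${ifname}, and the link would stall.
  #
  # NOTE(review): the endpoint is pinned once, at setup time. If the endpoint's
  # DNS record changes later (dynamicEndpointRefreshSeconds re-resolves it every
  # 30 s) the new address is not pinned, and the pinned routes are not removed
  # on shutdown (no postShutdown here) — confirm whether service-override.nix
  # handles that.
  fullTunnelSetup = ''
    # "<gateway> dev <iface>" of the current default route, per address family.
    # The IPv6 gateway must come from the IPv6 table: a v6 host route cannot be
    # installed via a v4 next hop.
    gw4=$(${ip} -4 route show default | ${grep} "default via" | ${head} -n 1 | ${awk} '{ print $3 " " $4 " " $5 }')
    gw6=$(${ip} -6 route show default | ${grep} "default via" | ${head} -n 1 | ${awk} '{ print $3 " " $4 " " $5 }')

    # `dig +short` may print nothing (lookup failed) or several lines (CNAME
    # chain, multiple records). Keep only literal addresses and pin each one.
    # $gw4/$gw6 are intentionally unquoted: they expand to three words.
    # `route replace` instead of `route add` keeps the hook idempotent across
    # service restarts.
    if [ -n "$gw4" ]; then
      for addr in $(${dig} +short A ${endpointHost} | ${grep} -E '^[0-9.]+$'); do
        ${ip} -4 route replace "$addr" metric 256 via $gw4
      done
    else
      echo "${ifname}: no IPv4 default route found, endpoint not pinned" >&2
    fi
    if [ -n "$gw6" ]; then
      for addr in $(${dig} +short AAAA ${endpointHost} | ${grep} -E '^[0-9a-fA-F:]+$'); do
        ${ip} -6 route replace "$addr" metric 256 via $gw6
      done
    fi

    # Default route over the tunnel. The endpoint host routes above are more
    # specific and therefore always take precedence regardless of metric.
    ${ip} -4 route delete default dev ${ifname} || true
    ${ip} -4 route replace default dev ${ifname} metric 512
    ${ip} -6 route delete default dev ${ifname} || true
    ${ip} -6 route replace default dev ${ifname} metric 512
  '';
in
{
  options.pub-solar.wireguard.private = {
    ownIPs = lib.mkOption {
      description = ''
        Internal ips in wireguard used for cluster control-plane communication.
      '';
      type = lib.types.listOf lib.types.str;
      default = [ ];
    };

    privateKeyFile = lib.mkOption {
      description = ''
        Location of private key file
      '';
      type = lib.types.path;
    };

    useDNS = lib.mkOption {
      description = ''
        Whether to use the wireguard DNS
      '';
      default = true;
      type = lib.types.bool;
    };

    fullTunnel = lib.mkOption {
      description = ''
        Whether to tunnel all traffic through the wireguard VPN
      '';
      default = false;
      type = lib.types.bool;
    };
  };

  # The whole module is a no-op unless this host has been given mesh addresses.
  config = lib.mkIf (cfg.ownIPs != [ ]) {
    # Every member listens on wgPort, so accept inbound WireGuard there.
    networking.firewall.allowedUDPPorts = [ wgPort ];

    # Do not make network-online.target wait for the tunnel.
    systemd.network.wait-online.ignoredInterfaces = [ ifname ];

    systemd.services."wireguard-${ifname}" = import ./service-override.nix lib;

    networking.wireguard.interfaces.${ifname} = {
      listenPort = wgPort;
      mtu = 1300;
      ips = cfg.ownIPs;
      # Key material stays out of the Nix store: only the path is configured.
      privateKeyFile = cfg.privateKeyFile;

      postSetup =
        lib.optionalString cfg.useDNS dnsSetup
        + lib.optionalString cfg.fullTunnel fullTunnelSetup;

      peers = [
        {
          # frikandel
          publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
          # The mesh prefixes always; the catch-all prefixes only when this
          # host routes all of its traffic through the tunnel.
          allowedIPs = [
            "10.13.12.0/24"
            "fd00:b12f:acab:1312::/64"
          ] ++ lib.optionals cfg.fullTunnel [ "0.0.0.0/0" "::/0" ];
          endpoint = "${endpointHost}:${toString wgPort}";
          dynamicEndpointRefreshSeconds = 30;
        }
      ];
    };
  };
}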