{ lib, config, pkgs, ... }: with lib; let psCfg = config.pub-solar; cfg = config.pub-solar.wireguard.private; in { options.pub-solar.wireguard.private = { ownIPs = mkOption { description = '' Internal ips in wireguard used for cluster control-plane communication. ''; type = types.listOf types.str; default = []; }; privateKeyFile = mkOption { description = '' Location of private key file ''; type = types.path; }; useDNS = mkOption { description = '' Whether to use the wireguard DNS ''; default = true; type = types.bool; }; fullTunnel = mkOption { description = '' Whether to tunnel all traffic through the wireguard VPN ''; default = false; type = types.bool; }; }; config = mkIf (builtins.length cfg.ownIPs != 0) { networking.firewall.allowedUDPPorts = [51899]; systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ]; systemd.services.wireguard-wg-private = { wantedBy = [ "network.target" "network-online.target" "nss-lookup.target" ]; serviceConfig = { Type = mkForce "simple"; Restart = "on-failure"; RestartSec = "10"; }; environment = { WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"; }; }; networking.wireguard.interfaces = { wg-private = { listenPort = 51899; mtu = 1300; ips = cfg.ownIPs; privateKeyFile = cfg.privateKeyFile; postSetup = "" + (if cfg.useDNS then '' printf "nameserver 10.13.12.7\nnameserver fd00:b12f:acab:1312:acab:7::" | resolvconf -a wg-private -m 0 -x '' else "") + (if cfg.fullTunnel then '' defaultRoute=$(${pkgs.iproute2}/bin/ip r | ${pkgs.gnugrep}/bin/grep "default via" | head -n 1 | ${pkgs.gawk}/bin/awk '{ print $3 " " $4 " " $5 }') ipv4=$(${pkgs.dnsutils}/bin/dig +short A vpn.b12f.io) ${pkgs.iproute2}/bin/ip route add $ipv4 metric 256 via $defaultRoute ipv6=$(${pkgs.dnsutils}/bin/dig +short AAAA vpn.b12f.io) ${pkgs.iproute2}/bin/ip route add $ipv6 metric 256 via $defaultRoute ip -4 route delete default dev wg-private || true ip -4 route replace default dev wg-private metric 512 ip -6 route delete default dev wg-private || true ip -6 route replace default dev wg-private metric 512 '' else ""); postShutdown = lib.mkIf cfg.useDNS '' resolvconf -d wg-private -f ''; peers = [ { # frikandel publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA="; allowedIPs = [ "10.13.12.0/24" "fd00:b12f:acab:1312::/64" ] ++ (if cfg.fullTunnel then [ "0.0.0.0/0" "::/0" ] else []); endpoint = "vpn.b12f.io:51899"; dynamicEndpointRefreshSeconds = 30; } ]; }; }; }; }