64 lines
2 KiB
Nix
64 lines
2 KiB
Nix
{ self, config, pkgs, ... }:
|
|
|
|
{
|
|
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
|
|
|
|
|
|
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
|
|
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
|
|
|
|
# Enable WireGuard
|
|
networking.wireguard.interfaces = {
|
|
wg1 = {
|
|
# Determines the IP address and subnet of the client's end of the tunnel interface.
|
|
ips = [ "10.0.1.5" ];
|
|
listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
|
|
|
# Path to the private key file.
|
|
#
|
|
# Note: The private key can also be included inline via the privateKey option,
|
|
# but this makes the private key world-readable; thus, using privateKeyFile is
|
|
# recommended.
|
|
privateKeyFile = "/run/agenix/home_controller_wireguard";
|
|
|
|
peers = [
|
|
# For a client configuration, one peer entry for the server will suffice.
|
|
|
|
{
|
|
# giggles
|
|
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
|
|
allowedIPs = [ "10.0.1.11/32" ];
|
|
|
|
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
|
persistentKeepalive = 25;
|
|
}
|
|
{
|
|
# cox
|
|
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
|
|
allowedIPs = [ "10.0.1.12/32" ];
|
|
|
|
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
|
persistentKeepalive = 25;
|
|
}
|
|
{
|
|
# companion
|
|
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
|
|
allowedIPs = [ "10.0.1.13/32" ];
|
|
|
|
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
|
persistentKeepalive = 25;
|
|
}
|
|
|
|
{
|
|
# hsha
|
|
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
|
|
allowedIPs = [ "10.0.1.254/32" ];
|
|
|
|
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
|
persistentKeepalive = 25;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
}
|