mirror of
https://github.com/CHN-beta/nixos.git
synced 2024-10-23 04:38:44 +08:00
services.wireguard: auto deduce port
This commit is contained in:
parent
9e14036e57
commit
469919c75a
@ -12,8 +12,6 @@ inputs:
|
||||
wireguardIp = mkOption { type = types.nonEmptyStr; };
|
||||
externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
lighthouse = mkOption { type = types.bool; default = false; };
|
||||
# if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
|
||||
bindPort = mkOption { type = types.ints.unsigned; default = 51820; };
|
||||
};});
|
||||
readOnly = true;
|
||||
default = # wg genkey | wg pubkey
|
||||
@ -31,24 +29,9 @@ inputs:
|
||||
wireguardIp = "192.168.83.2";
|
||||
externalIp = "95.111.228.40";
|
||||
};
|
||||
pc =
|
||||
{
|
||||
publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
|
||||
wireguardIp = "192.168.83.3";
|
||||
bindPort = 51821;
|
||||
};
|
||||
nas =
|
||||
{
|
||||
publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
|
||||
wireguardIp = "192.168.83.4";
|
||||
bindPort = 51821;
|
||||
};
|
||||
xmupc1 =
|
||||
{
|
||||
publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
|
||||
wireguardIp = "192.168.83.5";
|
||||
bindPort = 51821;
|
||||
};
|
||||
pc = { publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw="; wireguardIp = "192.168.83.3"; };
|
||||
nas = { publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY="; wireguardIp = "192.168.83.4"; };
|
||||
xmupc1 = { publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk="; wireguardIp = "192.168.83.5"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -59,25 +42,30 @@ inputs:
|
||||
inherit (builtins) map toString;
|
||||
in mkIf wireguard.enable
|
||||
{
|
||||
networking = let self = wireguard._peer.${inputs.config.nixos.system.networking.hostname}; in
|
||||
{
|
||||
firewall = { allowedUDPPorts = [ self.bindPort ]; trustedInterfaces = [ "wireguard" ]; };
|
||||
wireguard.interfaces.wireguard =
|
||||
networking =
|
||||
let
|
||||
self = wireguard._peer.${inputs.config.nixos.system.networking.hostname};
|
||||
# if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
|
||||
port = 51820 + (if inputs.config.nixos.services.xrayClient.enable then 1 else 0);
|
||||
in
|
||||
{
|
||||
ips = [ "${self.wireguardIp}/24" ];
|
||||
listenPort = self.bindPort;
|
||||
privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
|
||||
peers = map
|
||||
(peer:
|
||||
{
|
||||
publicKey = peer.publicKey;
|
||||
allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
|
||||
endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:${toString peer.bindPort}";
|
||||
persistentKeepalive = 3;
|
||||
})
|
||||
(map (peer: wireguard._peer.${peer}) wireguard.peers);
|
||||
firewall = { allowedUDPPorts = [ (toString port) ]; trustedInterfaces = [ "wireguard" ]; };
|
||||
wireguard.interfaces.wireguard =
|
||||
{
|
||||
ips = [ "${self.wireguardIp}/24" ];
|
||||
listenPort = port;
|
||||
privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
|
||||
peers = map
|
||||
(peer:
|
||||
{
|
||||
publicKey = peer.publicKey;
|
||||
allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
|
||||
endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820";
|
||||
persistentKeepalive = 3;
|
||||
})
|
||||
(map (peer: wireguard._peer.${peer}) wireguard.peers);
|
||||
};
|
||||
};
|
||||
};
|
||||
sops.secrets."wireguard/privateKey" = {};
|
||||
};
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user