services.wireguard: auto deduce port

2024-10-23 04:38:44 +08:00 · 2023-12-14 23:34:03 +08:00 · 2023-12-14 23:34:03 +08:00 · 469919c75a
commit 469919c75a
parent 9e14036e57
1 changed files with 25 additions and 37 deletions
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@ -12,8 +12,6 @@ inputs:
        wireguardIp = mkOption { type = types.nonEmptyStr; };
        externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
        lighthouse = mkOption { type = types.bool; default = false; };
-        # if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
-        bindPort = mkOption { type = types.ints.unsigned; default = 51820; };
      };});
      readOnly = true;
      default = # wg genkey | wg pubkey
@ -31,24 +29,9 @@ inputs:
          wireguardIp = "192.168.83.2";
          externalIp = "95.111.228.40";
        };
-        pc =
-        {
-          publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
-          wireguardIp = "192.168.83.3";
-          bindPort = 51821;
-        };
-        nas =
-        {
-          publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
-          wireguardIp = "192.168.83.4"; 
-          bindPort = 51821;
-        };
-        xmupc1 =
-        {
-          publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
-          wireguardIp = "192.168.83.5";
-          bindPort = 51821;
-        };
+        pc = { publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw="; wireguardIp = "192.168.83.3"; };
+        nas = { publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY="; wireguardIp = "192.168.83.4"; };
+        xmupc1 = { publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk="; wireguardIp = "192.168.83.5"; };
      };
    };
  };
@ -59,25 +42,30 @@ inputs:
      inherit (builtins) map toString;
    in mkIf wireguard.enable
    {
-      networking = let self = wireguard._peer.${inputs.config.nixos.system.networking.hostname}; in
-      {
-        firewall = { allowedUDPPorts = [ self.bindPort ]; trustedInterfaces = [ "wireguard" ]; };
-        wireguard.interfaces.wireguard =
+      networking =
+        let
+          self = wireguard._peer.${inputs.config.nixos.system.networking.hostname};
+          # if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
+          port = 51820 + (if inputs.config.nixos.services.xrayClient.enable then 1 else 0);
+        in
        {
-          ips = [ "${self.wireguardIp}/24" ];
-          listenPort = self.bindPort;
-          privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
-          peers = map
-            (peer:
-            {
-              publicKey = peer.publicKey;
-              allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
-              endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:${toString peer.bindPort}";
-              persistentKeepalive = 3;
-            })
-            (map (peer: wireguard._peer.${peer}) wireguard.peers);
+          firewall = { allowedUDPPorts = [ (toString port) ]; trustedInterfaces = [ "wireguard" ]; };
+          wireguard.interfaces.wireguard =
+          {
+            ips = [ "${self.wireguardIp}/24" ];
+            listenPort = port;
+            privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
+            peers = map
+              (peer:
+              {
+                publicKey = peer.publicKey;
+                allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
+                endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820";
+                persistentKeepalive = 3;
+              })
+              (map (peer: wireguard._peer.${peer}) wireguard.peers);
+          };
        };
-      };
      sops.secrets."wireguard/privateKey" = {};
    };
 }