From 469919c75a841291b9cf06704fd5a92114ab0617 Mon Sep 17 00:00:00 2001 From: chn Date: Thu, 14 Dec 2023 23:34:03 +0800 Subject: [PATCH] services.wireguard: auto deduce port --- modules/services/wireguard.nix | 62 ++++++++++++++-------------------- 1 file changed, 25 insertions(+), 37 deletions(-) diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix index d0a56fb0..a321f566 100644 --- a/modules/services/wireguard.nix +++ b/modules/services/wireguard.nix @@ -12,8 +12,6 @@ inputs: wireguardIp = mkOption { type = types.nonEmptyStr; }; externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; }; lighthouse = mkOption { type = types.bool; default = false; }; - # if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820 - bindPort = mkOption { type = types.ints.unsigned; default = 51820; }; };}); readOnly = true; default = # wg genkey | wg pubkey @@ -31,24 +29,9 @@ inputs: wireguardIp = "192.168.83.2"; externalIp = "95.111.228.40"; }; - pc = - { - publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw="; - wireguardIp = "192.168.83.3"; - bindPort = 51821; - }; - nas = - { - publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY="; - wireguardIp = "192.168.83.4"; - bindPort = 51821; - }; - xmupc1 = - { - publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk="; - wireguardIp = "192.168.83.5"; - bindPort = 51821; - }; + pc = { publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw="; wireguardIp = "192.168.83.3"; }; + nas = { publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY="; wireguardIp = "192.168.83.4"; }; + xmupc1 = { publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk="; wireguardIp = "192.168.83.5"; }; }; }; }; @@ -59,25 +42,30 @@ inputs: inherit (builtins) map toString; in mkIf wireguard.enable { - networking = let self = wireguard._peer.${inputs.config.nixos.system.networking.hostname}; in - { - firewall = { allowedUDPPorts = [ self.bindPort ]; trustedInterfaces = [ "wireguard" ]; }; - wireguard.interfaces.wireguard = + networking = + let + self = wireguard._peer.${inputs.config.nixos.system.networking.hostname}; + # if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820 + port = 51820 + (if inputs.config.nixos.services.xrayClient.enable then 1 else 0); + in { - ips = [ "${self.wireguardIp}/24" ]; - listenPort = self.bindPort; - privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path; - peers = map - (peer: - { - publicKey = peer.publicKey; - allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ]; - endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:${toString peer.bindPort}"; - persistentKeepalive = 3; - }) - (map (peer: wireguard._peer.${peer}) wireguard.peers); + firewall = { allowedUDPPorts = [ (toString port) ]; trustedInterfaces = [ "wireguard" ]; }; + wireguard.interfaces.wireguard = + { + ips = [ "${self.wireguardIp}/24" ]; + listenPort = port; + privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path; + peers = map + (peer: + { + publicKey = peer.publicKey; + allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ]; + endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820"; + persistentKeepalive = 3; + }) + (map (peer: wireguard._peer.${peer}) wireguard.peers); + }; }; - }; sops.secrets."wireguard/privateKey" = {}; }; }