services.wireguard: fix collision with xray

2024-10-23 06:18:52 +08:00 · 2023-12-07 17:41:51 +08:00 · 2023-12-07 17:41:51 +08:00 · 7dfcd83071
commit 7dfcd83071
parent b1d885f62c
1 changed files with 20 additions and 8 deletions
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@ -12,6 +12,8 @@ inputs:
        wireguardIp = mkOption { type = types.nonEmptyStr; };
        externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
        lighthouse = mkOption { type = types.bool; default = false; };
+        # if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
+        bindPort = mkOption { type = types.ints.unsigned; default = 51820; };
      };});
      readOnly = true;
      default = # wg genkey | wg pubkey
@ -29,8 +31,18 @@ inputs:
          wireguardIp = "192.168.83.2";
          externalIp = "95.111.228.40";
        };
-        pc = { publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw="; wireguardIp = "192.168.83.3"; };
-        nas = { publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY="; wireguardIp = "192.168.83.4"; };
+        pc =
+        {
+          publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
+          wireguardIp = "192.168.83.3";
+          bindPort = 51821;
+        };
+        nas =
+        {
+          publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
+          wireguardIp = "192.168.83.4"; 
+          bindPort = 51821;
+        };
      };
    };
  };
@ -38,23 +50,23 @@ inputs:
    let
      inherit (inputs.lib) mkIf;
      inherit (inputs.config.nixos.services) wireguard;
-      inherit (builtins) map;
+      inherit (builtins) map toString;
    in mkIf wireguard.enable
    {
-      networking =
+      networking = let self = wireguard._peer.${inputs.config.nixos.system.networking.hostname}; in
      {
-        firewall.allowedUDPPorts = [ 51820 ];
+        firewall.allowedUDPPorts = [ self.bindPort ];
        wireguard.interfaces.wireguard =
        {
-          ips = [ "${wireguard._peer.${inputs.config.nixos.system.networking.hostname}.wireguardIp}/24" ];
-          listenPort = 51820;
+          ips = [ "${self.wireguardIp}/24" ];
+          listenPort = self.bindPort;
          privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
          peers = map
            (peer:
            {
              publicKey = peer.publicKey;
              allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
-              endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820";
+              endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:${toString peer.bindPort}";
              persistentKeepalive = 3;
            })
            (map (peer: wireguard._peer.${peer}) wireguard.peers);