services.wireguard: fix

2026-01-12 04:39:23 +08:00 · 2024-01-19 19:45:56 +08:00
parent b2532ef44d
commit 914eea92b6
3 changed files with 74 additions and 31 deletions
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -75,7 +75,7 @@ inputs:
          peers = [ "pc" "nas" "vps7" ];
          publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
          wireguardIp = "192.168.83.1";
-          externalIp = "74.211.99.69";
+          listenIp = "74.211.99.69";
          lighthouse = true;
        };
      };
--- a/devices/vps7/default.nix
+++ b/devices/vps7/default.nix
@@ -72,7 +72,7 @@ inputs:
          peers = [ "vps6" ];
          publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
          wireguardIp = "192.168.83.2";
-          externalIp = "95.111.228.40";
+          listenIp = "95.111.228.40";
        };
      };
    };
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -3,45 +3,88 @@ inputs:
  options.nixos.services.wireguard = let inherit (inputs.lib) mkOption types; in
  {
    enable = mkOption { type = types.bool; default = false; };
-    peers = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; default = []; };
    # wg genkey | wg pubkey
    publicKey = mkOption { type = types.nonEmptyStr; };
-    wireguardIp = mkOption { type = types.nonEmptyStr; };
-    externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
    lighthouse = mkOption { type = types.bool; default = false; };
+    behindNat = mkOption
+    {
+      type = types.bool;
+      default = inputs.config.nixos.services.xray.client.enable;
+    };
+    listenIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+    # if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
+    listenPort = mkOption
+    {
+      type = types.ints.unsigned;
+      default = if inputs.config.nixos.services.wireguard.behindNat then 51821 else 51820;
+    };
+    wireguardIp = mkOption { type = types.nonEmptyStr; };
+    peers = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; default = []; };
  };
  config =
    let
-      inherit (inputs.lib) mkIf;
+      inherit (inputs.lib) mkIf mkMerge;
      inherit (inputs.config.nixos.services) wireguard;
-      inherit (builtins) map toString;
-    in mkIf wireguard.enable
-    {
-      networking =
-        let
-          # if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
-          port = 51820 + (if inputs.config.nixos.services.xray.client.enable then 1 else 0);
-        in
+      inherit (builtins) map toString listToAttrs filter;
+    in mkMerge
+    [
+      {
+        assertions =
+        [{
+          assertion = !wireguard.behindNat -> wireguard.listenIp != null;
+          message = "wireguard.listenIp should be not null when behindNat is false.";
+        }];
+      }
+      (
+        mkIf wireguard.enable
        {
-          firewall = { allowedUDPPorts = [ port ]; trustedInterfaces = [ "wireguard" ]; };
-          wireguard.interfaces.wireguard =
+          networking =
          {
-            ips = [ "${wireguard.wireguardIp}/24" ];
-            listenPort = port;
-            privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
-            peers = map
+            firewall = { allowedUDPPorts = [ wireguard.listenPort ]; trustedInterfaces = [ "wireguard" ]; };
+            wireguard.interfaces.wireguard =
+            {
+              ips = [ "${wireguard.wireguardIp}/24" ];
+              inherit (wireguard) listenPort;
+              privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
+              peers = map
+                (peer:
+                {
+                  publicKey = peer.publicKey;
+                  allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
+                  endpoint = mkIf (!peer.behindNat) "${peer.listenIp}:${builtins.toString peer.listenPort}";
+                  persistentKeepalive = 3;
+                })
+                (map
+                  (peer: inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard)
+                  wireguard.peers);
+            };
+          };
+          sops.secrets."wireguard/privateKey" = {};
+          # somehow fix wireguard connection
+          systemd.services = mkIf wireguard.behindNat (listToAttrs (map
+            (peer:
+            {
+              name = "wireguard-ping-${peer.name}";
+              value =
+              {
+                description = "ping ${peer.name}";
+                after = [ "network.target" ];
+                wantedBy = [ "multi-user.target" ];
+                serviceConfig =
+                {
+                  ExecStart = "${inputs.pkgs.iputils}/bin/ping -i 3 ${peer.value.wireguardIp}";
+                  Restart = "always";
+                };
+              };
+            })
+            (filter (peer: !peer.value.behindNat) (map
              (peer:
              {
-                publicKey = peer.publicKey;
-                allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
-                endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820";
-                persistentKeepalive = 3;
+                name = peer;
+                value = inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard;
              })
-              (map
-                (peer: inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard)
-                wireguard.peers);
-          };
-        };
-      sops.secrets."wireguard/privateKey" = {};
-    };
+              wireguard.peers))));
+        }
+      )
+    ];
 }