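# Fleet module: provisions a full-mesh WireGuard network between all fleet
# hosts. Every host gets a generated key pair, every host pair gets a generated
# preshared key, and each host's NixOS configuration is extended with one
# WireGuard interface that peers with every other host.
#
# NOTE(review): `hostNames`, `hostsCartesian`, `hostsPair`, `hostsToAttrs` and
# `mkSecret` are not defined in this file; they are assumed to come from the
# `fleet` argument (brought into scope by `with fleet;`) — confirm against the
# fleet library.
{ config, lib, nixpkgs, fleet, ... }:
with lib;
with fleet;
let
  cfg = config.networking.wireguard;

  # Secret generator for one host's WireGuard key pair. The private key is
  # piped through `encryptCmd` before it is written to `$out/key`; only the
  # derived public key (`$out/pub_key`) is stored in plaintext.
  genWgKey = { owners }: {
    inherit owners;
    generator = mkSecret (
      { pkgs, encryptCmd }: {
        utils = [ pkgs.wireguard-tools ];
        script = ''
          key=$(wg genkey)
          pub=$(echo $key | wg pubkey)

          mkdir -p $out
          echo $key | ${encryptCmd} >$out/key
          echo $pub >$out/pub_key
        '';
      }
    );
  };

  # Secret generator for a preshared key owned by exactly two hosts
  # (`owners = [ a b ]`). The key is only ever stored encrypted.
  genWgPsk = { owners }: {
    inherit owners;
    generator = mkSecret (
      { pkgs, encryptCmd }: {
        utils = [ pkgs.wireguard-tools ];
        script = ''
          key=$(wg genpsk)

          mkdir -p $out
          echo $key | ${encryptCmd} >$out/key
        '';
      }
    );
  };

  # One key-pair secret per host, named `wg-key-<host>` and owned by that
  # host alone.
  hostKeys = listToAttrs (
    map (hostName: {
      name = "wg-key-${hostName}";
      value = genWgKey { owners = [ hostName ]; };
    }) hostNames
  );

  # One preshared-key secret per host pair, named `wg-psk-<a>-<b>`.
  # NOTE(review): assumes `hostsCartesian` yields each pair with `a`/`b` in the
  # same order that `hostsPair` returns below, so the secret name built here
  # matches the `presharedKey` path referenced in the peer entry — confirm.
  psks = listToAttrs (
    map ({ a, b }: {
      name = "wg-psk-${a}-${b}";
      value = genWgPsk { owners = [ a b ]; };
    }) hostsCartesian
  );
in
{
  options.networking.wireguard = with types; {
    enable = mkEnableOption "wireguard";
    interface = mkOption {
      type = str;
      description = "Interface name for wireguard network";
      default = "fleet";
    };
    port = mkOption {
      type = int;
      description = "Port, on which wireguard interface should listen";
      default = 51871;
    };
    allowedIPs = mkOption {
      type = attrsOf (listOf str);
      description = "Per host allowed ips";
    };
  };

  config = mkIf cfg.enable {
    # Every generated secret, keyed by name; the per-host modules below refer
    # to them through their `/run/secrets/<name>` paths.
    secrets = hostKeys // psks;

    hosts = hostsToAttrs (hostName: {
      modules = [
        {
          # This is the NixOS option of the same name evaluated on the target
          # host, not the fleet option guarded by `mkIf cfg.enable` above.
          networking.wireguard.enable = true;
          # The `interface` and `port` options were previously declared but
          # never read: the interface name was hard-coded as `fleetwg` and no
          # listen port was set. Deployments that depend on the old name should
          # set `networking.wireguard.interface = "fleetwg"` explicitly.
          networking.wireguard.interfaces.${cfg.interface} = {
            privateKeyFile = "/run/secrets/wg-key-${hostName}";
            listenPort = cfg.port;
            # A host must not appear in its own peer list: no `wg-psk` secret
            # exists for the (host, host) pair, and a host's own key is not a
            # peer key.
            peers = map (
              peer:
              let
                pair = hostsPair hostName peer;
              in
              {
                # NOTE(review): the generator writes the public key to
                # `$out/pub_key` while this reads `data.key`; confirm which
                # attribute `mkSecret` exposes as the plaintext public key, so
                # that the encrypted private-key blob is never what ends up
                # here.
                publicKey = config.secrets."wg-key-${peer}".data.key;
                presharedKey = "/run/secrets/wg-psk-${pair.a}-${pair.b}";
                # Evaluation fails loudly if a peer has no `allowedIPs` entry,
                # which is preferable to silently configuring an unreachable
                # peer.
                allowedIPs = cfg.allowedIPs.${peer};
              }
            ) (filter (peer: peer != hostName) hostNames);
          };
        }
      ];
    });
  };
}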