ref(nix): rename lib/ to nix/

Change-Id: If1e608b89b39bd5a53a37b873833a7ea881cb418
Reviewed-on: https://cl.fcuny.net/c/world/+/298
Reviewed-by: Franck Cuny <franck@fcuny.net>

1 files changed, 41 insertions, 0 deletions

diff --git a/nix/private-wireguard.nix b/nix/private-wireguard.nix
new file mode 100644
index 0000000..706dfd8
--- /dev/null
+++ b/nix/private-wireguard.nix
@@ -0,0 +1,41 @@
+{ lib, hostname, config, ... }:
+
+let
+  inherit (lib) mkEnableOption mkOption mkIf types;
+  inherit (builtins) readFile fromTOML fromJSON;
+  secrets = config.age.secrets;
+  cfg = config.networking.private-wireguard;
+  port = 51871;
+  wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
+  allPeers = wgcfg.peers;
+  thisPeer = allPeers."${hostname}" or null;
+  otherPeers = lib.filterAttrs (n: v: n != hostname) allPeers;
+in {
+  options.networking.private-wireguard = {
+    enable = mkEnableOption "Enable private wireguard vpn connection";
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking = {
+      wireguard.interfaces.wg0 = {
+        listenPort = port;
+        privateKeyFile = secrets."wireguard_privatekey".path;
+        ips = [
+          "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
+        ];
+
+        peers = lib.mapAttrsToList (name: peer:
+          {
+            allowedIPs = [
+              "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
+            ];
+            publicKey = peer.key;
+          } // lib.optionalAttrs (peer ? externalIp) {
+            endpoint = "${peer.externalIp}:${toString port}";
+          } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
+            persistentKeepalive = 10;
+          }) otherPeers;
+      };
+    };
+  };
+}