Diffstat (limited to 'nix')
-rw-r--r--nix/default.nix39
-rw-r--r--nix/private-wireguard.nix41
2 files changed, 80 insertions, 0 deletions
diff --git a/nix/default.nix b/nix/default.nix
new file mode 100644
index 0000000..8b46c58
--- /dev/null
+++ b/nix/default.nix
@@ -0,0 +1,39 @@
+{ inputs }:
+
+{
+ mkSystem =
+ { hostname
+ , system
+ }:
+ inputs.nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit inputs system hostname;
+ };
+ modules = [
+ ../modules
+ ../hosts/${hostname}
+ ./private-wireguard.nix
+ {
+ networking.hostName = hostname;
+ nixpkgs = {
+ config.allowUnfree = true;
+ overlays = [
+ inputs.emacs-overlay.overlay
+ inputs.nur.overlay
+ (final: prev: {
+ tools = {
+ gerrit-hook = import ../tools/gerrit-hook final;
+ };
+ })
+ ];
+ };
+ # Add each input as a registry
+ nix.registry = inputs.nixpkgs.lib.mapAttrs'
+ (n: v:
+ inputs.nixpkgs.lib.nameValuePair (n) ({ flake = v; }))
+ inputs;
+ }
+ ];
+ };
+}
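Review bot: The `nix.registry` expression on the `mapAttrs'` lines keeps every attribute name unchanged, so `mapAttrs'` with `nameValuePair (n) (...)` is just `mapAttrs`; `nix.registry = inputs.nixpkgs.lib.mapAttrs (n: v: { flake = v; }) inputs;` says the same thing without the redundant parentheses and renaming. The overlay list pulls in `inputs.nur.overlay`, which is community-maintained and not reviewed in nixpkgs, so the flake lock is effectively the only review point for those expressions; a comment such as `# NUR expressions are unreviewed upstream; bumps to this input should be read, not just locked` would make that explicit for whoever updates the lock. `config.allowUnfree = true` is applied to every host; if only specific packages need it, `allowUnfreePredicate` restricts the exception to a known list rather than opening it globally. The `mkSystem` attribute is the whole file, so both points apply to every host built through it.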
diff --git a/nix/private-wireguard.nix b/nix/private-wireguard.nix
new file mode 100644
index 0000000..706dfd8
--- /dev/null
+++ b/nix/private-wireguard.nix
@@ -0,0 +1,41 @@
+{ lib, hostname, config, ... }:
+
+let
+ inherit (lib) mkEnableOption mkOption mkIf types;
+ inherit (builtins) readFile fromTOML fromJSON;
+ secrets = config.age.secrets;
+ cfg = config.networking.private-wireguard;
+ port = 51871;
+ wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
+ allPeers = wgcfg.peers;
+ thisPeer = allPeers."${hostname}" or null;
+ otherPeers = lib.filterAttrs (n: v: n != hostname) allPeers;
+in {
+ options.networking.private-wireguard = {
+ enable = mkEnableOption "Enable private wireguard vpn connection";
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking = {
+ wireguard.interfaces.wg0 = {
+ listenPort = port;
+ privateKeyFile = secrets."wireguard_privatekey".path;
+ ips = [
+ "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
+ ];
+
+ peers = lib.mapAttrsToList (name: peer:
+ {
+ allowedIPs = [
+ "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
+ ];
+ publicKey = peer.key;
+ } // lib.optionalAttrs (peer ? externalIp) {
+ endpoint = "${peer.externalIp}:${toString port}";
+ } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
+ persistentKeepalive = 10;
+ }) otherPeers;
+ };
+ };
+ };
+}
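Review bot: The `or null` fallback for `thisPeer` is ineffective: the `ips` entry dereferences `thisPeer.ipv4` unconditionally, so a host missing from wireguard.toml fails evaluation with a "value is null" error far from the cause rather than a useful message; an `assert thisPeer != null;` with a message naming `hostname` in the `let` block, or gating the config on `lib.mkIf (cfg.enable && thisPeer != null)`, would make the failure explicit. `mkEnableOption` already prefixes the description with "Whether to enable", so the `enable` option currently reads "Whether to enable Enable private wireguard vpn connection."; `enable = mkEnableOption "the private wireguard vpn connection";` fixes the wording. Hosts that carry an `externalIp` are the ones other peers connect to, yet nothing here opens `listenPort` in the NixOS firewall; unless `../modules` handles it, `networking.firewall.allowedUDPPorts = lib.optional (thisPeer ? externalIp) port;` keeps the port closed on peers that are never dialled. The `inherit (lib) ... mkOption mkIf types` and `fromJSON` bindings are unused (the code calls `lib.mkIf` directly), so the two `inherit` lines can be trimmed to `mkEnableOption`, `readFile` and `fromTOML`.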