Diffstat (limited to 'profiles/wireguard.nix')
-rw-r--r--profiles/wireguard.nix58
1 files changed, 58 insertions, 0 deletions
diff --git a/profiles/wireguard.nix b/profiles/wireguard.nix
new file mode 100644
index 0000000..a080693
--- /dev/null
+++ b/profiles/wireguard.nix
@@ -0,0 +1,58 @@
+{ config, lib, ... }:
+
+let
+ wgHosts = {
+ bree = {
+ ip = 40;
+ publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+ endpoint = "192.168.1.50";
+ };
+ argonath = {
+ ip = 51;
+ publicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
+ endpoint = "157.230.146.234";
+ };
+ rivendell = {
+ ip = 60;
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ endpoint = "192.168.1.114";
+ };
+ };
+
+ wgPort = 51820;
+ wgSubnet = "10.100.0";
+
+ currentHostname = config.networking.hostName;
+ currentHost =
+ wgHosts.${currentHostname}
+ or (throw "Host ${currentHostname} not found in wireguard configuration");
+
+ peers = lib.mapAttrsToList (
+ _hostname: hostCfg:
+ {
+ publicKey = hostCfg.publicKey;
+ allowedIPs = [ "${wgSubnet}.${toString hostCfg.ip}/32" ];
+ persistentKeepalive = 25;
+ }
+ // lib.optionalAttrs (hostCfg.endpoint != null) {
+ endpoint = "${hostCfg.endpoint}:${toString wgPort}";
+ }
+ ) (lib.filterAttrs (n: _v: n != currentHostname) wgHosts);
+
+in
+{
+ age.secrets.wireguard.file = ../secrets/${currentHostname}/wireguard.age;
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "${wgSubnet}.${toString currentHost.ip}/32" ];
+ listenPort = wgPort;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ inherit peers;
+ };
+ };
+
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ wgPort ];
+}
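Review bot: The `hostCfg.endpoint != null` guard on the `lib.optionalAttrs` call only covers a host whose `endpoint` is explicitly set to `null`; a host entry that simply omits the attribute fails evaluation with a missing-attribute error, so the optional-endpoint case the guard appears to support is not actually reachable. Changing it to `// lib.optionalAttrs ((hostCfg.endpoint or null) != null) {` lets a peer without a stable address leave `endpoint` out. Separately, `networking.firewall.trustedInterfaces = [ "wg0" ];` disables host firewalling for everything arriving from any peer, which is broader than the per-host /32 `allowedIPs` suggest; if only specific services are meant to be reachable over the tunnel, `networking.firewall.interfaces.wg0.allowedTCPPorts` (and the UDP counterpart) scopes that instead of trusting the whole interface. A short comment on the `wgHosts` set stating that `endpoint` is optional and `ip` is the last octet within `wgSubnet` would make the intended shape of new entries clear.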