tlaternet-server/configuration/services/wireguard.nix

{ config, ... }:
{
  # iptables needs to permit forwarding from wg0 to wg0
  networking.firewall.extraCommands = ''
    iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
    # This ensures that we send messages with the correct MTU to any
    # connecting host; without it, the weirdest errors occur
    iptables -A FORWARD -i wg0 -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  '';

  systemd.network = {
    netdevs = {
      "20-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
          Description = "wg0 - wireguard tunnel";
        };

        wireguardConfig = {
          ListenPort = 51820;
          PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;
          # Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=
        };

        wireguardPeers = [
          # yui
          {
            AllowedIPs = [ "10.45.249.2/32" ];
            PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
          }
        ];
      };
    };

    networks = {
      "20-wg0" = {
        matchConfig.Name = "wg0";

        networkConfig = {
          Description = "VLAN";

          Address = [
            "10.45.249.1/32"
            # TODO(tlater): Add IPv6 whenever that becomes relevant
          ];

          IPv4Forwarding = "yes";
          IPv4ProxyARP = "yes";
        };

        routes = [
          {
            Source = "10.45.249.0/24";
            Destination = "10.45.249.0/24";
            Gateway = "10.45.249.1";
            GatewayOnLink = "no";
          }
        ];

        linkConfig.RequiredForOnline = "no";
      };
    };
  };
}
services: Add wireguard service 2023-04-23 23:42:25 +01:00			`{ config, ... }:`
			`{`
			`# iptables needs to permit forwarding from wg0 to wg0`
			`networking.firewall.extraCommands = ''`
			`iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT`
			`# This ensures that we send messages with the correct MTU to any`
			`# connecting host; without it, the weirdest errors occur`
			`iptables -A FORWARD -i wg0 -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`
			`'';`

			`systemd.network = {`
			`netdevs = {`
			`"20-wg0" = {`
			`netdevConfig = {`
			`Name = "wg0";`
			`Kind = "wireguard";`
			`Description = "wg0 - wireguard tunnel";`
			`};`

			`wireguardConfig = {`
			`ListenPort = 51820;`
			`PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;`
			`# Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=`
			`};`

			`wireguardPeers = [`
bump: Update to NixOS 24.11 2025-01-18 16:09:40 +00:00			`# yui`
services: Add wireguard service 2023-04-23 23:42:25 +01:00			`{`
bump: Update to NixOS 24.11 2025-01-18 16:09:40 +00:00			`AllowedIPs = [ "10.45.249.2/32" ];`
			`PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";`
services: Add wireguard service 2023-04-23 23:42:25 +01:00			`}`
			`];`
			`};`
			`};`

			`networks = {`
			`"20-wg0" = {`
			`matchConfig.Name = "wg0";`

			`networkConfig = {`
bump: Update to NixOS 24.11 2025-01-18 16:09:40 +00:00			`Description = "VLAN";`

services: Add wireguard service 2023-04-23 23:42:25 +01:00			`Address = [`
			`"10.45.249.1/32"`
			`# TODO(tlater): Add IPv6 whenever that becomes relevant`
			`];`

bump: Update to NixOS 24.11 2025-01-18 16:09:40 +00:00			`IPv4Forwarding = "yes";`
services: Add wireguard service 2023-04-23 23:42:25 +01:00			`IPv4ProxyARP = "yes";`
			`};`

			`routes = [`
			`{`
bump: Update to NixOS 24.11 2025-01-18 16:09:40 +00:00			`Source = "10.45.249.0/24";`
			`Destination = "10.45.249.0/24";`
			`Gateway = "10.45.249.1";`
			`GatewayOnLink = "no";`
services: Add wireguard service 2023-04-23 23:42:25 +01:00			`}`
			`];`

			`linkConfig.RequiredForOnline = "no";`
			`};`
			`};`
			`};`
			`}`
No results found.