-
Notifications
You must be signed in to change notification settings - Fork 0
/
wg-client.nix
81 lines (67 loc) · 2.18 KB
/
wg-client.nix
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
{ config, ... }:
let
endpoint-public-key = "O/PnMwnoWHozT5oLcKJhYRw+h3+lCSRS/hr8DiHDoAM=";
endpoint-ip = "10.0.0.1/32";
remote-interface-name = "remote";
remote-endpoint = "vpn.atarbinian.com:51820";
home-interface-name = "home";
home-endpoint = "192.168.1.62:51820";
framework-ip = "10.0.0.14/32";
framework-dns = "9.9.9.9";
in
{
age.secrets.wg-private-framework.file = ../../secrets/wg-private-framework.age;
# Setting up nmconnection files so NetworkManager can use them for connecting to Wireguard VPN.
# nmconnection files are created with nmcli: "nmcli connection import type wireguard file wg0.conf"
#
# Files must by owned by root with perms 0600 or networkmanager will ignore them
# https://unix.stackexchange.com/a/619415
environment.etc."NetworkManager/system-connections/${remote-interface-name}.nmconnection" = {
mode = "0600";
text = ''
[connection]
id=${remote-interface-name}
uuid=a3e84326-d2a0-472e-b794-0ae36eeb7d08
type=wireguard
interface-name=${remote-interface-name}
autoconnect=false
[wireguard]
private-key=${builtins.readFile config.age.secrets.wg-private-framework.path}
[wireguard-peer.${endpoint-public-key}]
endpoint=${remote-endpoint}
allowed-ips=${endpoint-ip};
[ipv4]
address1=${framework-ip}
dns=${framework-dns};
ignore-auto-dns=true
method=manual
[ipv6]
addr-gen-mode=default
method=disabled
'';
};
environment.etc."NetworkManager/system-connections/${home-interface-name}.nmconnection" = {
mode = "0600";
text = ''
[connection]
id=${home-interface-name}
uuid=7c4dd788-4012-435e-a9b7-dcf76df5b904
type=wireguard
interface-name=${home-interface-name}
autoconnect=false
[wireguard]
private-key=${builtins.readFile config.age.secrets.wg-private-framework.path}
[wireguard-peer.${endpoint-public-key}]
endpoint=${home-endpoint}
allowed-ips=${endpoint-ip};
[ipv4]
address1=${framework-ip}
dns=${framework-dns};
ignore-auto-dns=true
method=manual
[ipv6]
addr-gen-mode=default
method=disabled
'';
};
}