sixnix/modules/wireguard.nix

{ config, lib, pkgs, ... }:

let
  inherit (lib) mkOption types;

  wgConfigType = types.listOf (types.submodule {
    options = {
      interface = mkOption {
        type = types.str;
        description = "WireGuard interface name.";
      };
      serverAddress = mkOption {
        type = types.str;
        description =
          "IPv6 address/prefix to bind WireGuard (e.g., 2001:db8::1/64).";
      };
      serverPort = mkOption {
        type = types.port;
        description = "Port for WireGuard.";
      };
      clientAddress = mkOption {
        type = types.str;
        description = "Peer IPv6 address/prefix (e.g., 2001:db8::2/128).";
      };
      clientSubnet = mkOption {
        type = types.str;
        description = "Peer IPv6 subnet (e.g., 2001:db8::/64).";
      };
      serverPrivateKeyFile = mkOption {
        type = types.path;
        description = "Path to server private key file.";
      };
      clientPublicKeyFile = mkOption {
        type = types.path;
        description = "Path to client public key file.";
      };
    };
  });

  interfaces = config.wireguard.interfaces;

  extract = attr: map (x: x.${attr}) interfaces;

  assertUnique = name: values: {
    assertion = values == lib.unique values;
    message =
      "Duplicate values found for '${name}': ${builtins.toString values}";
  };

  fileAssertions = lib.flatten (map (cfg: [
    {
      assertion = cfg.serverPrivateKeyFile != null;
      message = "serverPrivateKeyFile must be provided for interface ${cfg.interface}";
    }
    {
      assertion = cfg.clientPublicKeyFile != null;
      message = "clientPublicKeyFile must be provided for interface ${cfg.interface}";
    }
  ]) interfaces);

  uniquenessAssertions = [
    (assertUnique "interface" (extract "interface"))
    (assertUnique "serverAddress" (extract "serverAddress"))
    (assertUnique "serverPort" (extract "serverPort"))
    (assertUnique "clientAddress" (extract "clientAddress"))
    (assertUnique "clientSubnet" (extract "clientSubnet"))
  ];

in {
  options.wireguard.interfaces = mkOption {
    type = wgConfigType;
    default = [];
    description = "List of WireGuard interface configurations.";
  };

  config = {
    assertions = lib.mkAfter (fileAssertions ++ uniquenessAssertions);

    systemd.network.enable = true;

    systemd.network.netdevs = lib.mkMerge (map (cfg: {
      "${cfg.interface}" = {
        netdevConfig = {
          Kind = "wireguard";
          MTUBytes = "1412";
          Name = cfg.interface;
        };
        wireguardConfig = {
          PrivateKeyFile = cfg.serverPrivateKeyFile;
          ListenPort = cfg.serverPort;
        };
        wireguardPeers = [{
          PublicKeyFile = cfg.clientPublicKeyFile;
          AllowedIPs = [ cfg.clientAddress cfg.clientSubnet ];
        }];
      };
    }) interfaces);

    systemd.network.networks = lib.mkMerge (map (cfg: {
      "${cfg.interface}" = {
        matchConfig = { Name = cfg.interface; };
        networkConfig = { IPv6Forwarding = "yes"; };

        address = [ cfg.serverAddress ];

        routes = [
          {
            Destination = cfg.clientSubnet;
            Scope = "link";
          }
        ];
      };
    }) interfaces);

    # Automatically open firewall ports for WireGuard
    networking.firewall.allowedUDPPorts = map (cfg: cfg.serverPort) interfaces;
  };
}
initial commit 2025-08-17 20:37:46 +05:30			`{ config, lib, pkgs, ... }:`

			`let`
			`inherit (lib) mkOption types;`

			`wgConfigType = types.listOf (types.submodule {`
			`options = {`
			`interface = mkOption {`
			`type = types.str;`
			`description = "WireGuard interface name.";`
			`};`
			`serverAddress = mkOption {`
			`type = types.str;`
			`description =`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`"IPv6 address/prefix to bind WireGuard (e.g., 2001:db8::1/64).";`
initial commit 2025-08-17 20:37:46 +05:30			`};`
			`serverPort = mkOption {`
			`type = types.port;`
			`description = "Port for WireGuard.";`
			`};`
			`clientAddress = mkOption {`
			`type = types.str;`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`description = "Peer IPv6 address/prefix (e.g., 2001:db8::2/128).";`
initial commit 2025-08-17 20:37:46 +05:30			`};`
			`clientSubnet = mkOption {`
			`type = types.str;`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`description = "Peer IPv6 subnet (e.g., 2001:db8::/64).";`
initial commit 2025-08-17 20:37:46 +05:30			`};`
			`serverPrivateKeyFile = mkOption {`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`type = types.path;`
			`description = "Path to server private key file.";`
initial commit 2025-08-17 20:37:46 +05:30			`};`
			`clientPublicKeyFile = mkOption {`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`type = types.path;`
			`description = "Path to client public key file.";`
initial commit 2025-08-17 20:37:46 +05:30			`};`
			`};`
			`});`

			`interfaces = config.wireguard.interfaces;`

			`extract = attr: map (x: x.${attr}) interfaces;`

			`assertUnique = name: values: {`
			`assertion = values == lib.unique values;`
			`message =`
			`"Duplicate values found for '${name}': ${builtins.toString values}";`
			`};`

update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`fileAssertions = lib.flatten (map (cfg: [`
initial commit 2025-08-17 20:37:46 +05:30			`{`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`assertion = cfg.serverPrivateKeyFile != null;`
			`message = "serverPrivateKeyFile must be provided for interface ${cfg.interface}";`
initial commit 2025-08-17 20:37:46 +05:30			`}`
			`{`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`assertion = cfg.clientPublicKeyFile != null;`
			`message = "clientPublicKeyFile must be provided for interface ${cfg.interface}";`
initial commit 2025-08-17 20:37:46 +05:30			`}`
			`]) interfaces);`

			`uniquenessAssertions = [`
			`(assertUnique "interface" (extract "interface"))`
			`(assertUnique "serverAddress" (extract "serverAddress"))`
			`(assertUnique "serverPort" (extract "serverPort"))`
			`(assertUnique "clientAddress" (extract "clientAddress"))`
			`(assertUnique "clientSubnet" (extract "clientSubnet"))`
			`];`

			`in {`
			`options.wireguard.interfaces = mkOption {`
			`type = wgConfigType;`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`default = [];`
initial commit 2025-08-17 20:37:46 +05:30			`description = "List of WireGuard interface configurations.";`
			`};`

			`config = {`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`assertions = lib.mkAfter (fileAssertions ++ uniquenessAssertions);`
initial commit 2025-08-17 20:37:46 +05:30
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`systemd.network.enable = true;`
initial commit 2025-08-17 20:37:46 +05:30
			`systemd.network.netdevs = lib.mkMerge (map (cfg: {`
			`"${cfg.interface}" = {`
			`netdevConfig = {`
			`Kind = "wireguard";`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`MTUBytes = "1412";`
initial commit 2025-08-17 20:37:46 +05:30			`Name = cfg.interface;`
			`};`
			`wireguardConfig = {`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`PrivateKeyFile = cfg.serverPrivateKeyFile;`
initial commit 2025-08-17 20:37:46 +05:30			`ListenPort = cfg.serverPort;`
			`};`
			`wireguardPeers = [{`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`PublicKeyFile = cfg.clientPublicKeyFile;`
initial commit 2025-08-17 20:37:46 +05:30			`AllowedIPs = [ cfg.clientAddress cfg.clientSubnet ];`
			`}];`
			`};`
			`}) interfaces);`

			`systemd.network.networks = lib.mkMerge (map (cfg: {`
			`"${cfg.interface}" = {`
			`matchConfig = { Name = cfg.interface; };`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30			`networkConfig = { IPv6Forwarding = "yes"; };`

initial commit 2025-08-17 20:37:46 +05:30			`address = [ cfg.serverAddress ];`

			`routes = [`
			`{`
			`Destination = cfg.clientSubnet;`
			`Scope = "link";`
			`}`
			`];`
			`};`
			`}) interfaces);`
update overall module structure, remove host-specific config files - update flake.nix to reflect new structure - update modules/default.nix imports - update modules/network.nix and wireguard.nix - remove config/configuration.nix and hardware-configuration.nix - remove modules/access.nix from this module's scope 2025-09-30 21:10:33 +05:30
			`# Automatically open firewall ports for WireGuard`
			`networking.firewall.allowedUDPPorts = map (cfg: cfg.serverPort) interfaces;`
initial commit 2025-08-17 20:37:46 +05:30			`};`
			`}`