initial commit

2025-08-17 20:37:46 +05:30
commit f0f0229345
9 changed files with 344 additions and 0 deletions
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -0,0 +1,120 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkOption types;
+
+  wgConfigType = types.listOf (types.submodule {
+    options = {
+      interface = mkOption {
+        type = types.str;
+        description = "WireGuard interface name.";
+      };
+      serverAddress = mkOption {
+        type = types.str;
+        description =
+          "IPv6 address with CIDR prefix to bind WireGuard (e.g., 2001:db8::1/64).";
+      };
+      serverPort = mkOption {
+        type = types.port;
+        description = "Port for WireGuard.";
+      };
+      clientAddress = mkOption {
+        type = types.str;
+        description = "Peer IPv6 address with CIDR (e.g., 2001:db8::2/128).";
+      };
+      clientSubnet = mkOption {
+        type = types.str;
+        description = "Peer subnet IPv6 CIDR (e.g., 2001:db8::/64).";
+      };
+      serverPrivateKeyFile = mkOption {
+        type = types.str;
+        description = "Name of the sops secret containing server private key.";
+      };
+      clientPublicKeyFile = mkOption {
+        type = types.str;
+        description = "Name of the sops secret containing client public key.";
+      };
+    };
+  });
+
+  interfaces = config.wireguard.interfaces;
+
+  extract = attr: map (x: x.${attr}) interfaces;
+
+  assertUnique = name: values: {
+    assertion = values == lib.unique values;
+    message =
+      "Duplicate values found for '${name}': ${builtins.toString values}";
+  };
+
+  secretAssertions = lib.flatten (map (cfg: [
+    {
+      assertion = builtins.hasAttr cfg.serverPrivateKeyFile config.sops.secrets;
+      message = "Missing sops secret: ${cfg.serverPrivateKeyFile}";
+    }
+    {
+      assertion = builtins.hasAttr cfg.clientPublicKeyFile config.sops.secrets;
+      message = "Missing sops secret: ${cfg.clientPublicKeyFile}";
+    }
+  ]) interfaces);
+
+  uniquenessAssertions = [
+    (assertUnique "interface" (extract "interface"))
+    (assertUnique "serverAddress" (extract "serverAddress"))
+    (assertUnique "serverPort" (extract "serverPort"))
+    (assertUnique "clientAddress" (extract "clientAddress"))
+    (assertUnique "clientSubnet" (extract "clientSubnet"))
+  ];
+
+in {
+  options.wireguard.interfaces = mkOption {
+    type = wgConfigType;
+    description = "List of WireGuard interface configurations.";
+  };
+
+  config = {
+    sops.secrets = lib.mkMerge (map (cfg: {
+      "${cfg.serverPrivateKeyFile}" = { };
+      "${cfg.clientPublicKeyFile}" = { };
+    }) interfaces);
+
+    assertions = lib.mkAfter (secretAssertions ++ uniquenessAssertions);
+
+    systemd.network.enable = true;
+
+    systemd.network.netdevs = lib.mkMerge (map (cfg: {
+      "${cfg.interface}" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = cfg.interface;
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets.${cfg.serverPrivateKeyFile}.path;
+          ListenPort = cfg.serverPort;
+        };
+        wireguardPeers = [{
+          PublicKeyFile = config.sops.secrets.${cfg.clientPublicKeyFile}.path;
+          AllowedIPs = [ cfg.clientAddress cfg.clientSubnet ];
+        }];
+      };
+    }) interfaces);
+
+    systemd.network.networks = lib.mkMerge (map (cfg: {
+      "${cfg.interface}" = {
+        matchConfig = { Name = cfg.interface; };
+        address = [ cfg.serverAddress ];
+
+        routes = [
+          {
+            Destination = cfg.clientAddress;
+            Scope = "link";
+          }
+          {
+            Destination = cfg.clientSubnet;
+            Scope = "link";
+          }
+        ];
+      };
+    }) interfaces);
+  };
+}