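# NixOS profile: a split-tunnel WireGuard client (wg0) plus static DNS.
# Only the range in `serverLanIp` is sent through the tunnel; everything
# else, including DNS, keeps using the normal uplink.
{ config, lib, ... }:
let
  cfg = config.profiles.vpn;
in
{
  options.profiles.vpn = {
    enable = lib.mkEnableOption "vpn";

    lanIp = lib.mkOption {
      type = lib.types.str;
      # No default: each host using this profile must set its own address.
      description = ''
        Address of this host on the wg0 interface. It is applied with a
        /32 prefix, so give a single address, not a CIDR range.
      '';
    };

    server = lib.mkOption {
      type = lib.types.str;
      default = "78.46.201.50:51820";
      description = ''
        host:port endpoint of the WireGuard peer this host connects to.
      '';
    };

    serverLanIp = lib.mkOption {
      type = lib.types.str;
      default = "192.168.32.0/24";
      description = ''
        CIDR range routed through the tunnel (the peer's allowedIPs).
        Despite the name this is a prefix, not a single address; only
        traffic to this range is encrypted and sent via wg0.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    networking = {
      # Inbound WireGuard port (matches listenPort below), opened on every
      # interface. This host dials the peer itself (endpoint plus
      # persistentKeepalive), so the opening is only needed when other
      # peers must be able to initiate towards this host.
      firewall.allowedUDPPorts = [ 51820 ];

      # Static upstream resolvers. With the default serverLanIp these
      # addresses are outside allowedIPs, so DNS queries do not go through
      # the tunnel; they leave on the normal uplink in clear.
      nameservers = [
        "1.1.1.1"
        "1.0.0.1"
      ];
      # Keep dhcpcd and NetworkManager from rewriting resolv.conf, so the
      # resolvers above stay in effect.
      dhcpcd.extraConfig = "nohook resolv.conf";
      networkmanager.dns = "none";
      # Per-query resolver timeout of 2 seconds instead of the resolver default.
      resolvconf.extraOptions = [
        "timeout: 2"
      ];

      wireguard.interfaces.wg0 = {
        ips = [ "${cfg.lanIp}/32" ];
        listenPort = 51820;
        # The private key is generated at activation when the file is
        # missing; the file is the only copy of this host's identity.
        generatePrivateKeyFile = true;
        privateKeyFile = "/etc/wireguard/pk.pem";
        peers = [
          {
            publicKey = "ZOVjmgUak67kLhNVgZwyb0bro3Yi4vCJbGArv+35IWQ=";
            endpoint = cfg.server;
            # The endpoint address is not refreshed after setup, because the
            # kernel cannot perform DNS resolution. Set
            # dynamicEndpointRefreshSeconds if the address changes often;
            # otherwise a resync after the change is enough.
            allowedIPs = [ cfg.serverLanIp ];
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };
}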