Diffstat (limited to 'Biz/Dev/Wireguard.nix')
-rw-r--r-- | Biz/Dev/Wireguard.nix | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/Biz/Dev/Wireguard.nix b/Biz/Dev/Wireguard.nix
new file mode 100644
index 0000000..5703f3d
--- /dev/null
+++ b/Biz/Dev/Wireguard.nix
@@ -0,0 +1,72 @@
+{ lib, config, pkgs, ... }:
+
+/*
+Wireguard VPN server
+
+References:
+
+- https://nixos.wiki/wiki/WireGuard
+- https://wireguard.how/client/ios/
+*/
+
+let
+ ports = import ../Cloud/Ports.nix;
+ ips = "10.100.0.1/24";
+
+ # a micro-library for creating iptables rules
+ iptables = rec {
+ bin = "${pkgs.iptables/bin/iptables}";
+ append = {source}: lib.concatSep " " [
+ bin
+ "--table" "nat"
+ "--append" "POSTROUTING"
+ "--source" source
+ "--out-interface" "eth0"
+ "--jump" "MASQUERADE"
+ ];
+ delete = {source}: lib.concatSep " " [
+ bin
+ "--table" "nat"
+ "--delete" "POSTROUTING"
+ "--source" source
+ "--out-interface" "eth0"
+ "--jump" "MASQUERADE"
+ ];
+
+ };
+in {
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ ports.wireguard ];
+
+ networking.wireguard.enable = true;
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ ips ];
+ allowedIPsAsRoutes = true;
+ listenPort = ports.wireguard;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
+ '';
+
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
+ '';
+
+ privateKeyFile = "/var/wireguard/private";
+
+ peers = [
+ #{ # helium
+ # publicKey = "TODO";
+ # allowedIPs = [ "10.100.0.2/32" ];
+ #}
+ { # ben's iPhone
+ publicKey = "SIBIfPLhzuV1S1FZtm5JQtDbl0ehnH+Y3CpoZ2eZ3gc=";
+ allowedIPs = [ "10.100.0.3/32" ];
+ }
+ ];
+ };
+ };
+}
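Review bot: The `iptables` helper in the `let` block is both broken and unused: `"${pkgs.iptables/bin/iptables}"` closes the interpolation after the path (Nix will most likely lex `iptables/bin/iptables` as a path literal and reject the file), and `lib.concatSep` does not appear to be a nixpkgs function, `lib.concatStringsSep` is. Either delete the helper or fix it as `bin = "${pkgs.iptables}/bin/iptables";` and `lib.concatStringsSep " " [`, and then have `postSetup`/`postShutdown` call it so the NAT rule is defined in one place. With `networking.nat.enable = true`, `internalInterfaces = [ "wg0" ]` and `externalInterface = "eth0"`, the NixOS NAT module already installs masquerading for wg0 traffic leaving eth0, so the hand-written POSTROUTING rule in `postSetup` is likely redundant and leaves two rules to audit instead of one. `privateKeyFile = "/var/wireguard/private"` is not provisioned anywhere in this module; a comment such as `# key is created out-of-band; must be root-owned with mode 0600` would tell the next operator what the service expects. The `ips` let-binding is reused as the `-s` source of the NAT rule with host bits set (`10.100.0.1/24`); iptables masks it to the network, but writing the network address `10.100.0.0/24` for the rule (or separating the server address from the subnet) reads more clearly.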