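# WireGuard overlay (interface wg0, subnet 10.24.1.0/24) spanning every
# "molecule" host.  aspartame (the VPS) is the hub: every other host routes the
# whole overlay through it, while the LAN hosts (glucose, fructose, capsaicin)
# additionally dial each other directly.
#
# Arguments (flake-style):
#   self      - the flake; only `self.nixosConfigurations` is read, to look up
#               each host's own wg0 listenPort for the endpoint strings.
#   nixpkgs   - provides `nixpkgs.lib`.
#   molecules - attrset of hostname -> small integer; the integer becomes the
#               last octet of that host's overlay address.
#
# Returns an attrset of per-host `<host>.modules` lists (NixOS modules), a
# `universal.modules` list applied to every host, and `extras.wireguard-ips`.
{ self, nixpkgs, molecules, ... }:
let
  # Curve25519 public keys, one per host.  Only the public half is committed;
  # the private half is read at runtime from the sops secret
  # `wireguard-private-key` (see universal.modules below).
  public-keys = {
    capsaicin = "Jn0yQV0qdi1oPdiMSmQSPk4IYbfR2THuiY5pTl7cLgs=";
    menthol = "6cDCwXBSC0bpEtpRVtzAFrt+a4BYd2iPjCmQb4xpZnU=";
    glucose = "V6oihsGbdxSWpq63jCZbKNfQ9xrMqFTxDDRHh/lQkSc=";
    fructose = "mx/TUng1JCNgeUsBKq9mYS2wjOYyL/dACmRYCHbgGVg=";
    aspartame = "hd/sxxRJ8vw9yyzN3/WJZN+vYrQCHDWNvd6QqqVobRU=";
  };

  # Overlay addressing: host index i -> 10.24.1.i; index 0 names the network.
  ip = i: "10.24.1.${toString i}";
  subnet = "${ip 0}/24";
  # hostname -> overlay address, e.g. "10.24.1.3".
  ips = builtins.mapAttrs (nixpkgs.lib.const ip) molecules;
  # hostname -> the same address as a /32 host route, the form used for a
  # single peer's allowedIPs.
  ips' = builtins.mapAttrs (_: addr: "${addr}/32") ips;

  # hostname -> that host's own wg0 listenPort (as a string), read back from
  # its evaluated NixOS config so the endpoint strings cannot drift from it.
  port-for = builtins.mapAttrs (
    _: { config, ... }: toString config.networking.wireguard.interfaces.wg0.listenPort
  ) self.nixosConfigurations;

  # Fixed endpoints.  glucose and fructose are dialed on LAN addresses,
  # aspartame on its public DNS name.
  endpoints = {
    glucose = "10.12.96.4:${port-for.glucose}";
    fructose = "10.12.96.9:${port-for.fructose}";
    aspartame = "vps.collective-conciousness.monster:${port-for.aspartame}";
  };

  # A peer that initiates toward us: no endpoint; only its own /32 is accepted
  # from (and routed to) it.
  peer = name: {
    publicKey = public-keys.${name};
    allowedIPs = [ips'.${name}];
  };

  # A peer we dial ourselves: fixed endpoint plus a 25 s keepalive so the
  # NAT/conntrack mapping toward it does not expire while idle.
  dial = name: peer name // {
    endpoint = endpoints.${name};
    persistentKeepalive = 25;
  };

  # The hub.  allowedIPs is the whole overlay, so any overlay destination that
  # is not listed as a separate /32 peer on this host is sent via aspartame.
  hub = {
    publicKey = public-keys.aspartame;
    allowedIPs = [subnet];
    endpoint = endpoints.aspartame;
    persistentKeepalive = 25;
  };

  # Shared by every host that relays overlay traffic: turn on IPv4 forwarding
  # and masquerade the overlay subnet out of eth0.  The rule is appended with
  # -A on each wg0 setup and removed with -D on shutdown; if setup runs twice
  # without the matching shutdown the rule is simply duplicated (harmless).
  relay = { pkgs, ... }: {
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
    networking.wireguard.interfaces.wg0 = {
      postSetup = ''
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE
      '';
      postShutdown = ''
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE
      '';
    };
  };

  # A module carrying only a host's wg0 peer list.
  peers = list: { networking.wireguard.interfaces.wg0.peers = list; };
in {
  extras = { wireguard-ips = ips; };

  universal.modules = [
    ({ config, ... }: {
      networking = {
        # NOTE(review): networking.nat is enabled on every host, the roaming
        # ones included; the NixOS nat module presumably turns on kernel IP
        # forwarding wherever it is enabled, so hosts that never relay still
        # forward.  Confirm that is intended, or scope this to the relay
        # hosts.  The external interface name is assumed rather than
        # detected: on a host without an eth0 the masquerade rule matches
        # nothing.
        nat = {
          enable = true;
          externalInterface = "eth0";
          internalInterfaces = ["wg0"];
        };
        # Inbound handshakes need the listen port open; hosts that only ever
        # dial out would work without this.
        firewall.allowedUDPPorts = [config.networking.wireguard.interfaces.wg0.listenPort];
        # Resolve `<host>.wg` to each peer's overlay address.
        extraHosts = builtins.concatStringsSep "\n" (
          nixpkgs.lib.mapAttrsToList (name: addr: "${addr} ${name}.wg") ips
        );
        wireguard.interfaces.wg0 = {
          # Assumes networking.hostName is the same key used in `molecules`.
          ips = ["${ips.${config.networking.hostName}}/24"];
          listenPort = 46656;
          privateKeyFile = config.sops.secrets.wireguard-private-key.path;
        };
      };
    })
  ];

  # LAN hosts: dial each other directly, route everything else via the hub.
  glucose.modules = [
    relay
    (peers [ (peer "capsaicin") (dial "fructose") hub ])
  ];
  fructose.modules = [
    relay
    (peers [ (peer "capsaicin") (dial "glucose") hub ])
  ];

  # The VPS hub accepts every other host by its /32 and never dials out.
  aspartame.modules = [
    relay
    (peers (map peer [ "capsaicin" "glucose" "fructose" "menthol" ]))
  ];

  # Roaming hosts: no relay role, no fixed address of their own.
  capsaicin.modules = [
    (peers [ hub (dial "glucose") (dial "fructose") ])
  ];
  menthol.modules = [
    (peers [ hub ])
  ];
}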