adyya-flake/networking/vpn.mod.nix


{
self,
nixpkgs,
molecules,
...
}:
let
# WireGuard public keys per host. Only the public halves live here; each
# host's private key is read from sops at activation time (see
# privateKeyFile in universal.modules below). Because every other host
# authenticates a peer by the entry in this table, rotating a key means
# updating this table and that host's secret together.
public-keys = {
  capsaicin = "Jn0yQV0qdi1oPdiMSmQSPk4IYbfR2THuiY5pTl7cLgs=";
  menthol = "6cDCwXBSC0bpEtpRVtzAFrt+a4BYd2iPjCmQb4xpZnU=";
  glucose = "V6oihsGbdxSWpq63jCZbKNfQ9xrMqFTxDDRHh/lQkSc=";
  fructose = "mx/TUng1JCNgeUsBKq9mYS2wjOYyL/dACmRYCHbgGVg=";
  aspartame = "hd/sxxRJ8vw9yyzN3/WJZN+vYrQCHDWNvd6QqqVobRU=";
};
# Overlay addressing: host index -> 10.24.1.<index>. `ip 0` is the network
# address of the /24, so no host should be assigned index 0 (not checked).
ip = index: "10.24.1.${toString index}";
subnet = "${ip 0}/24";
# `molecules` is presumably hostname -> host index (anything toString
# accepts); the value is passed straight to `ip`. Confirm against the flake.
ips = builtins.mapAttrs (_name: index: ip index) molecules;
# The same addresses as /32 prefixes, the shape WireGuard allowedIPs wants
# when a peer is a single host.
ips' = builtins.mapAttrs (_name: addr: "${addr}/32") ips;
# wg0 listen port of every nixosConfiguration, as a string, so peer
# endpoints below do not repeat the number by hand.
port-for = builtins.mapAttrs (
  _machine: cfg: toString cfg.config.networking.wireguard.interfaces.wg0.listenPort
) self.nixosConfigurations;
in
{
# Exported for consumers elsewhere in the flake: hostname -> overlay address.
extras.wireguard-ips = ips;
# Applied to every host: NAT, firewall opening, /etc/hosts entries and the
# wg0 interface itself. Only the peer lists differ per host (below).
universal.modules = [
  (
    { config, ... }:
    let
      wg0 = config.networking.wireguard.interfaces.wg0;
      own-ip = ips.${config.networking.hostName};
    in
    {
      # Every host becomes a NAT gateway from wg0 towards "eth0". The uplink
      # name is an assumption, not a fact (the original note read "i sure hope
      # it is"); on a host whose uplink is named differently this rule would
      # likely just match nothing.
      # NOTE(review): enabling NAT on all hosts presumably also turns on IP
      # forwarding on the client-only hosts that never relay traffic; least
      # privilege would keep NAT/forwarding to the hosts that do.
      networking.nat = {
        enable = true;
        externalInterface = "eth0";
        internalInterfaces = [ "wg0" ];
      };
      # The listen port is opened on every host, including the ones no peer
      # ever dials (nothing in this file lists an endpoint for capsaicin or
      # menthol). WireGuard does not answer unauthenticated packets, so the
      # exposure is small, but it is still an unneeded inbound port there.
      networking.firewall.allowedUDPPorts = [ wg0.listenPort ];
      # "<overlay ip> <hostname>.wg", one line per host.
      networking.extraHosts = builtins.concatStringsSep "\n" (
        nixpkgs.lib.mapAttrsToList (host: addr: "${addr} ${host}.wg") ips
      );
      networking.wireguard.interfaces.wg0 = {
        ips = [ "${own-ip}/24" ];
        listenPort = 46656;
        # Private key never enters the Nix store; sops decrypts it to this path.
        privateKeyFile = config.sops.secrets.wireguard-private-key.path;
      };
    }
  )
];
# glucose: relay host. Dials fructose at a private address and aspartame (the
# VPS hub) over the internet; capsaicin dials in (no endpoint for it exists
# anywhere in this file).
glucose.modules = [
  (
    { pkgs, ... }:
    let
      iptables = "${pkgs.iptables}/bin/iptables";
      # -A on setup, -D on teardown; the rule text is otherwise identical.
      masquerade = flag: "${iptables} -t nat ${flag} POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE\n";
    in
    {
      boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
      networking.wireguard.interfaces.wg0 = {
        # NOTE(review): with forwarding on and a blanket MASQUERADE for the
        # whole overlay /24, any authenticated peer that routes traffic via
        # this host can egress through its eth0. networking.nat from
        # universal.modules presumably already installs an equivalent rule,
        # so this one looks redundant — confirm before removing either.
        postSetup = masquerade "-A";
        postShutdown = masquerade "-D";
        peers = [
          # capsaicin: inbound only, it initiates the session.
          {
            publicKey = public-keys.capsaicin;
            allowedIPs = [ ips'.capsaicin ];
          }
          # fructose: direct link at a private address.
          {
            publicKey = public-keys.fructose;
            allowedIPs = [ ips'.fructose ];
            endpoint = "10.12.96.9:${port-for.fructose}";
            persistentKeepalive = 25;
          }
          # aspartame: carries the rest of the overlay. The /32 entries above
          # are more specific and take precedence for those two hosts.
          {
            publicKey = public-keys.aspartame;
            allowedIPs = [ subnet ];
            endpoint = "vps.collective-conciousness.monster:${port-for.aspartame}";
            persistentKeepalive = 25;
          }
        ];
      };
    }
  )
];
# fructose: relay host, the mirror image of glucose. Dials glucose at a
# private address and aspartame over the internet; capsaicin dials in.
fructose.modules = [
  (
    { pkgs, ... }:
    let
      iptables = "${pkgs.iptables}/bin/iptables";
      # -A on setup, -D on teardown; the rule text is otherwise identical.
      masquerade = flag: "${iptables} -t nat ${flag} POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE\n";
    in
    {
      boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
      networking.wireguard.interfaces.wg0 = {
        # NOTE(review): same remark as on glucose — forwarding plus a blanket
        # MASQUERADE makes this host an egress for any authenticated peer, and
        # networking.nat from universal.modules presumably duplicates the rule.
        postSetup = masquerade "-A";
        postShutdown = masquerade "-D";
        peers = [
          # capsaicin: inbound only, it initiates the session.
          {
            publicKey = public-keys.capsaicin;
            allowedIPs = [ ips'.capsaicin ];
          }
          # glucose: direct link at a private address.
          {
            publicKey = public-keys.glucose;
            allowedIPs = [ ips'.glucose ];
            endpoint = "10.12.96.4:${port-for.glucose}";
            persistentKeepalive = 25;
          }
          # aspartame: carries the rest of the overlay; the /32 entries above
          # win for capsaicin and glucose.
          {
            publicKey = public-keys.aspartame;
            allowedIPs = [ subnet ];
            endpoint = "vps.collective-conciousness.monster:${port-for.aspartame}";
            persistentKeepalive = 25;
          }
        ];
      };
    }
  )
];
# aspartame: the hub. It configures no endpoints of its own — every other
# host dials it — and forwards between spokes, which is how menthol (peered
# only with aspartame) reaches the others.
aspartame.modules = [
  (
    { pkgs, ... }:
    let
      iptables = "${pkgs.iptables}/bin/iptables";
      masquerade = flag: "${iptables} -t nat ${flag} POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE\n";
      # One /32 peer entry per spoke, no endpoint: the spoke initiates.
      spoke = host: {
        publicKey = public-keys.${host};
        allowedIPs = [ ips'.${host} ];
      };
    in
    {
      boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
      networking.wireguard.interfaces.wg0 = {
        # NOTE(review): as on glucose/fructose, forwarding plus a blanket
        # MASQUERADE lets any authenticated peer egress to the internet via
        # this VPS; whether that is intended is not visible here.
        postSetup = masquerade "-A";
        postShutdown = masquerade "-D";
        peers = map spoke [
          "capsaicin"
          "glucose"
          "fructose"
          "menthol"
        ];
      };
    }
  )
];
# capsaicin: client only — nothing in this file dials it. Direct links to
# glucose and fructose at private addresses, everything else via the hub.
capsaicin.modules = [
  {
    networking.wireguard.interfaces.wg0.peers =
      let
        # Outbound peer: we dial `host` at `address` and keep the NAT mapping
        # alive with a 25 s keepalive.
        dial = host: address: allowed: {
          publicKey = public-keys.${host};
          allowedIPs = allowed;
          endpoint = "${address}:${port-for.${host}}";
          persistentKeepalive = 25;
        };
      in
      [
        (dial "aspartame" "vps.collective-conciousness.monster" [ subnet ])
        (dial "glucose" "10.12.96.4" [ ips'.glucose ])
        (dial "fructose" "10.12.96.9" [ ips'.fructose ])
      ];
  }
];
# menthol: the narrowest client — its only peer is the hub, so all of its
# overlay traffic transits aspartame.
menthol.modules = [
  {
    networking.wireguard.interfaces.wg0.peers =
      let
        hub = {
          publicKey = public-keys.aspartame;
          allowedIPs = [ subnet ];
          endpoint = "vps.collective-conciousness.monster:${port-for.aspartame}";
          persistentKeepalive = 25;
        };
      in
      nixpkgs.lib.singleton hub;
  }
];
}