# NixOS module: an optional WireGuard network namespace ("wg") fed by a
# sops-encrypted WireGuard configuration file.
#
# Takes the standard NixOS module arguments. `mkBoolOpt` is a project-local
# helper (it is not part of nixpkgs `lib`), which is why `lib.custom` is
# brought into scope alongside `lib`.
{
  lib,
  config,
  pkgs,
  ...
}:
with lib;
with lib.custom; let
  wgCfg = config.services.wg-container;
in {
  options.services.wg-container = with types; {
    # Master switch: everything under `config` below is gated on it.
    enable = mkBoolOpt false "Enable Wireguard Container";
  };

  config = mkIf wgCfg.enable {
    # --- Secret material ---------------------------------------------------
    sops = {
      # NOTE(review): `.sops.yaml` is normally the sops *rules* file, not an
      # encrypted secrets file. It is never consulted here because the only
      # secret sets `sopsFile` explicitly, but a future secret that omits
      # `sopsFile` would attempt to decrypt it — confirm this default is
      # intended.
      defaultSopsFile = ../../../.sops.yaml;

      # Decryption uses a GnuPG keyring; no SSH host keys are imported.
      gnupg = {
        home = "/var/lib/sops";
        sshKeyPaths = [];
      };

      secrets.vpn_config_file = {
        sopsFile = ../../../../secrets/vpn-config.yaml;
        # Root-only and read-only: a WireGuard config presumably carries the
        # tunnel's private key, so nothing else on the host should read it.
        owner = "root";
        group = "root";
        mode = "0400";
        # NOTE(review): `neededForUsers` decrypts the secret early in
        # activation (before users/groups exist). Nothing in this module
        # consumes it at that stage — the namespace reads it via `.path`
        # below — so check against the sops-nix docs whether it is needed.
        neededForUsers = true;
      };
    };

    # --- Confined namespace ------------------------------------------------
    vpnNamespaces.wg = {
      enable = true;
      # Resolves to the runtime path of the decrypted secret above.
      wireguardConfigFile = config.sops.secrets.vpn_config_file.path;

      # Only this LAN range may reach services inside the namespace.
      accessibleFrom = ["192.168.0.0/24"];

      # Host ports forwarded into the namespace. Only 18081 asks for both
      # TCP and UDP; 9091 keeps the module's default protocol.
      portMappings = [
        {
          from = 18081;
          to = 18081;
          protocol = "both";
        }
        {
          from = 9091;
          to = 9091;
        }
      ];
    };
  };
}