feat(lab): added wireguard configuration and setup

added note about potentially refactoring the external interface

Author: suasuasuasuasua

configurations/nixos/lab/services/services.nix

@@ -1,4 +1,9 @@
-{ inputs, config, ... }:
+{
+  inputs,
+  config,
+  pkgs,
+  ...
+}:
 let
   inherit (config.networking) hostName;
 in
@@ -59,5 +64,11 @@ in
     };
     vscode-server.enable = true;
     wastebin.enable = true;
+    wireguard = {
+      enable = true;
+      interfaces = import ./wireguard.nix {
+        inherit pkgs;
+      };
+    };
   };
 }

configurations/nixos/lab/services/wireguard.nix

@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+{
+  # "wg0" is the network interface name. You can name the interface arbitrarily.
+  wg0 = {
+    # Determines the IP address and subnet of the server's end of the tunnel interface.
+    ips = [ "10.100.0.1/24" ];
+
+    # The port that WireGuard listens to. Must be accessible by the client.
+    listenPort = 51820;
+
+    # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+    # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+    # ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT;
+    postSetup =
+      # bash
+      ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp4s0 -j MASQUERADE
+      '';
+
+    # This undoes the above command
+    # ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT;
+    postShutdown =
+      # bash
+      ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp4s0 -j MASQUERADE
+      '';
+
+    # https://superuser.com/questions/1716478/wireguard-no-access-to-the-internet
+
+    # Path to the private key file.
+    #
+    # Note: The private key can also be included inline via the privateKey option,
+    # but this makes the private key world-readable; thus, using privateKeyFile is
+    # recommended.
+    privateKeyFile = "/var/secrets/wg-privatekey";
+
+    peers = [
+      # List of allowed peers.
+      {
+        # Feel free to give a meaningful name
+        name = "mbp3.local";
+        # Public key of the peer (not a file path).
+        publicKey = "5U5c73rfEZ6uSJuVZQudKX5Ir5dZHSq1rmsiKsgzJmI=";
+        # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+        allowedIPs = [ "10.100.0.2/32" ];
+      }
+      {
+        name = "iphone";
+        publicKey = "maAlHZyL5YGILhqm2hCCqTZepTLt7VoEGyWzQca2gVk=";
+        allowedIPs = [ "10.100.0.3/32" ];
+      }
+    ];
+  };
+}

modules/nixos/services/wireguard.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  serviceName = "wireguard";
+
+  cfg = config.nixos.services.${serviceName};
+in
+{
+  options.nixos.services.${serviceName} = {
+    enable = lib.mkEnableOption ''
+      Userspace Go implementation of WireGuard
+    '';
+    interfaces = lib.mkOption {
+      inherit (options.networking.wireguard.interfaces) type;
+      default = { };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # enable NAT
+    networking = {
+      nat = {
+        enable = true;
+        # TODO: may need to modularize the external interface name
+        # for example, many of the examples had `eth0`
+        externalInterface = "enp4s0";
+        internalInterfaces = [ "wg0" ];
+      };
+      firewall = {
+        allowedUDPPorts = [ 51820 ];
+      };
+    };
+
+    networking.wireguard = {
+      inherit (cfg) interfaces;
+
+      enable = true;
+    };
+
+    environment.systemPackages = with pkgs; [
+      wireguard-tools
+    ];
+  };
+}