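{ pkgs, config, lib, ... }:

let
  cfg = config.wireguard;

  # Single source of truth for the uplink and tunnel interface names; the
  # original repeated "enp1s0" in three places and "wg0" in four.
  externalIf = "enp1s0";
  wgIf = "wg0";
  ipt = "${pkgs.iptables}/bin/iptables";
in
{
  networking = lib.mkIf (cfg.enable && cfg.server) {
    # Masquerade traffic arriving on the tunnel when it leaves via the
    # uplink, so the server can act as a default gateway for its peers.
    nat = {
      enable = true;
      externalInterface = externalIf;
      internalInterfaces = [ wgIf ];
    };

    firewall = {
      # Allow peers to reach each other through the server (hub-and-spoke).
      # Every peer can talk to every other peer; narrow with -s/-d if that
      # is not intended.
      extraCommands = ''
        iptables -I FORWARD -i ${wgIf} -o ${wgIf} -j ACCEPT
      '';
      # Remove the rule when the firewall stops; otherwise the -I above is
      # re-run on every restart and duplicate entries accumulate in FORWARD.
      # `|| true` keeps the stop script from failing if the rule is already gone.
      extraStopCommands = ''
        iptables -D FORWARD -i ${wgIf} -o ${wgIf} -j ACCEPT || true
      '';
      # NOTE(review): a trusted interface bypasses INPUT filtering entirely,
      # so every peer can reach every service listening on this host, not
      # only the ports exposed via allowedTCPPorts/allowedUDPPorts. Confirm
      # this is intended before adding peers that are not fully trusted.
      trustedInterfaces = [ wgIf ];
    };

    wireguard.interfaces.${wgIf} = {
      # NOTE(review): ips, listenPort and privateKeyFile are not set here and
      # are presumably provided by another module; the listen port must also
      # be opened in the firewall (allowedUDPPorts) for peers to connect.

      # Route from wireguard to public internet, allowing server to act as VPN.
      # networking.nat above already masquerades traffic from the tunnel that
      # leaves via the uplink; this broader rule (any source) is kept so the
      # original behaviour is unchanged.
      postSetup = ''
        ${ipt} -t nat -A POSTROUTING -o ${externalIf} -j MASQUERADE
      '';

      postShutdown = ''
        ${ipt} -t nat -D POSTROUTING -o ${externalIf} -j MASQUERADE
      '';

      # One peer per entry of cfg.hosts; each peer is restricted to its single
      # assigned address (/32), so a peer cannot claim another peer's IP.
      # NOTE(review): every host entry must carry ip, publicKey and
      # persistentKeepalive — a missing attribute fails evaluation.
      peers = lib.mapAttrsToList (hostName: values: {
        allowedIPs = [ "${values.ip}/32" ];
        publicKey = values.publicKey;
        persistentKeepalive = values.persistentKeepalive;
      }) cfg.hosts;
    };
  };
}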