{ config, pkgs, lib, cfg, ... }: let buildInputs = [pkgs.wgautomesh]; prefix = "lyn"; # decrypt gossip secret # change this to comply with you secret management gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path; # function to make a peerlist suitable for wgautomesh buildPeerlist = version: hosts: let #filter out hosts that have wg.enabled set to false wgEnabledHosts = lib.filterAttrs (_: host: host.wg.enabled or false) hosts; in lib.mapAttrsToList (name: host: { interface = if version == "IPv6" then "wg1" else "wg0"; pubkey = host.wg.pubkey; #if there is no public IP, make endpoint null so wgautomesh knows it unknown. Else format it to a SocketAddr endpoint = host.${version}.public; port = if version == "IPv6" then host.wg.port_v6 else host.wg.port_v4; address = host.${version}.internal; }) wgEnabledHosts; # helper vars to prettify meshnetwork = config.${prefix}.network; currentHost = meshnetwork.hosts.${config.networking.hostName}; in { opt = { enable_upnp_portforward = lib.mkOption { type = lib.types.bool; description = "Whether to allow the wireguard port in the gateway using UPnP IGD. Necessary on some firewalls, might spam unnecessary debug messages on environments without IGD gateways."; default = false; }; enable_lan_discovery = lib.mkOption { type = lib.types.bool; description = "Try to discover mesh devices on the same local network."; default = true; }; }; config = rec { networking.firewall = { allowedUDPPorts = [ currentHost.wg.port_v4 currentHost.wg.port_v6 ]; # UPnP broadcast responses # credits: https://github.com/NixOS/nixpkgs/issues/161328 extraPackages = if cfg.enable_upnp_portforward then [pkgs.ipset] else []; extraCommands = if cfg.enable_upnp_portforward then '' if ! ipset --quiet list upnp; then ipset create upnp hash:ip,port timeout 3 fi iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist iptables -A nixos-fw -p udp -m set --match-set upnp dst,dst -j nixos-fw-accept '' else ""; }; networking.wireguard.interfaces.wg0 = { ips = ["${currentHost.IPv4.internal}/24"]; listenPort = currentHost.wg.port_v4; privateKeyFile = "/var/lib/wireguard-keys/private"; mtu = 1280; }; networking.wireguard.interfaces.wg1 = { ips = ["${currentHost.IPv6.internal}/64"]; listenPort = currentHost.wg.port_v6; privateKeyFile = "/var/lib/wireguard-keys/private"; mtu = 1280; }; services.wgautomesh = { enable = true; settings = { interfaces = if cfg.enable_upnp_portforward then [ { name = "wg0"; upnp_forward_ext_port_v4 = config.networking.wireguard.interfaces.wg0.listenPort; } ] else []; peers = buildPeerlist "IPv6" meshnetwork.hosts ++ buildPeerlist "IPv4" meshnetwork.hosts; lan_discovery = cfg.enable_lan_discovery; upnp_open_ports = cfg.enable_upnp_portforward; }; gossipSecretFile = gossip_secret_path; }; }; }