Fix wireguard config syntax

2025-09-10 19:00:54 +02:00 · 2025-09-10 19:00:54 +02:00 · 9b0c68540e
commit 9b0c68540e
parent d0084adcc9
1 changed files with 41 additions and 37 deletions
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -131,46 +131,50 @@ in
      '';
    };
-    # Server configuration
+    # WireGuard interface configuration (combined server and client)
-    networking.wg-quick.interfaces = mkIf (cfg.mode == "server") {
+    networking.wg-quick.interfaces = {
-      ${cfg.interface} = {
+      ${cfg.interface} = mkMerge [
-        address = [ cfg.serverConfig.address ];
+        # Common configuration
-        listenPort = cfg.listenPort;
+        {
-        privateKeyFile = cfg.privateKeyFile;
+          privateKeyFile = cfg.privateKeyFile;
        }
-        # Enable IP forwarding and NAT for server
+        # Server-specific configuration
-        preUp = ''
+        (mkIf (cfg.mode == "server") {
-          ${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.interface} -j ACCEPT
+          address = [ cfg.serverConfig.address ];
-          ${pkgs.iptables}/bin/iptables -A FORWARD -o ${cfg.interface} -j ACCEPT
+          listenPort = cfg.listenPort;
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
+          
-        '';
+          # Enable IP forwarding and NAT for server
-        
+          preUp = ''
-        postDown = ''
+            ${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.interface} -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.interface} -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -A FORWARD -o ${cfg.interface} -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -D FORWARD -o ${cfg.interface} -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
+          '';
-        '';
+          
          postDown = ''
            ${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.interface} -j ACCEPT
            ${pkgs.iptables}/bin/iptables -D FORWARD -o ${cfg.interface} -j ACCEPT
            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
          '';
-        peers = map (peer: {
+          peers = map (peer: {
-          publicKey = peer.publicKey;
+            publicKey = peer.publicKey;
-          allowedIPs = peer.allowedIPs;
+            allowedIPs = peer.allowedIPs;
-        }) cfg.serverConfig.peers;
+          }) cfg.serverConfig.peers;
-      };
+        })
    };
    # Client configuration
    networking.wg-quick.interfaces = mkIf (cfg.mode == "client") {
      ${cfg.interface} = {
        address = [ cfg.clientConfig.address ];
        privateKeyFile = cfg.privateKeyFile;
-        peers = [{
+        # Client-specific configuration
-          publicKey = cfg.clientConfig.serverPublicKey;
+        (mkIf (cfg.mode == "client") {
-          allowedIPs = cfg.clientConfig.allowedIPs;
+          address = [ cfg.clientConfig.address ];
-          endpoint = cfg.clientConfig.serverEndpoint;
+          
-          persistentKeepalive = 25;
+          peers = [{
-        }];
+            publicKey = cfg.clientConfig.serverPublicKey;
-      };
+            allowedIPs = cfg.clientConfig.allowedIPs;
            endpoint = cfg.clientConfig.serverEndpoint;
            persistentKeepalive = 25;
          }];
        })
      ];
    };
    # Firewall configuration