nixos-config/hosts/rackserv/profiles/wireguard-server.nix

{
  config,
  lib,
  vars,
  ...
}: let
  peers = vars.hosts.rackserv.wireguardPeers;
in {
  networking.firewall = let
    externalIp = "172.245.52.19";
    b = builtins;
    isIpv4 = ip: b.match "([0-9]{1,3}\.){3}[0-9]{1,3}" ip != null;
    forPortIps = f:
      lib.concatStrings (
        b.concatMap (
          peer:
            lib.cartesianProduct {
              IP = peer.IPs;
              port = peer.OpenPorts;
            }
            |> b.filter (x: isIpv4 x.IP)
            |> map f
        )
        peers
      );
    getPortsWithProtocol = protocol:
      b.concatMap (peer:
        peer.OpenPorts
        |> b.filter (portInfo: portInfo.protocol == protocol)
        |> map (portInfo: portInfo.port))
      peers;
  in {
    allowedTCPPorts = getPortsWithProtocol "tcp";
    allowedUDPPorts = getPortsWithProtocol "udp";
    extraCommands = forPortIps ({
      IP,
      port,
    }: ''
      iptables -t nat -A PREROUTING -p ${port.protocol} -d ${externalIp} --dport ${toString port.port} -j DNAT --to-destination ${IP}
      iptables -t nat -A POSTROUTING -p ${port.protocol} -d ${IP} --dport ${toString port.port} -j SNAT --to-source ${externalIp}
    '');
    extraStopCommands = forPortIps ({
      IP,
      port,
    }: ''
      iptables -t nat -D PREROUTING -p ${port.protocol} -d ${externalIp} --dport ${toString port.port} -j DNAT --to-destination ${IP} || true
      iptables -t nat -D POSTROUTING -p ${port.protocol} -d ${IP} --dport ${toString port.port} -j SNAT --to-source ${externalIp} || true
    '');

    interfaces.wg0 = {
      allowedUDPPorts = [53];
      allowedTCPPorts = [53];
    };
  };

  systemd.network.netdevs = {
    "50-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
        MTUBytes = "1420";
      };
      wireguardConfig = {
        ListenPort = 51820;
        PrivateKeyFile = config.sops.secrets.wireguard-privatekey.path;
        RouteTable = "main";
      };
      wireguardPeers =
        map (peer: {
          inherit (peer) PublicKey;
          AllowedIPs = peer.IPs;
        })
        peers;
    };
  };

  systemd.network.networks.wg0 = {
    matchConfig.Name = "wg0";
    address = ["10.0.0.1/10" "fd12:1e51:ca23::1/64"];
    networkConfig = {
      IPMasquerade = "ipv4";
      IPv4Forwarding = true;
    };
  };

  services.dnsmasq = {
    enable = true;
    resolveLocalQueries = false;
    settings = {
      server = ["1.1.1.1" "8.8.8.8"];
      interface = ["wg0"];
      bind-interfaces = true;
    };
  };
}