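{ config, options, lib, pkgs, ... }:
# Option declarations for the `cloonar-assistant` module.  This file only
# declares `options.cloonar-assistant`; the implementation that reads these
# options lives in the sub-modules listed under `imports` at the bottom.
with lib;
let
  # Submodule describing one WireGuard peer in `vpn.clients`.
  vpn-client-opts =
    { ... }:
    {
      options = {
        publicKey = mkOption {
          example = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
          type = types.singleLineStr;
          description = "The base64 public key of the peer.";
        };
        presharedKey = mkOption {
          default = null;
          example = "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I=";
          type = with types; nullOr str;
          description = ''
            Base64 preshared key generated by {command}`wg genpsk`.
            Optional, and may be omitted. This option adds an additional layer of
            symmetric-key cryptography to be mixed into the already existing
            public-key cryptography, for post-quantum resistance.
            Warning: Consider using presharedKeyFile instead if you do not
            want to store the key in the world-readable Nix store.
          '';
        };
        presharedKeyFile = mkOption {
          default = null;
          example = "/private/wireguard_psk";
          # Deliberately `str`, not `path`: a path literal would be copied into
          # the world-readable Nix store; a string is only dereferenced at runtime.
          type = with types; nullOr str;
          description = ''
            File pointing to preshared key as generated by {command}`wg genpsk`.
            Optional, and may be omitted. This option adds an additional layer of
            symmetric-key cryptography to be mixed into the already existing
            public-key cryptography, for post-quantum resistance.
          '';
        };
        allowedIPs = mkOption {
          example = [
            "10.192.122.3/32"
            "10.192.124.1/24"
          ];
          type = with types; listOf str;
          description = ''
            List of IP (v4 or v6) addresses with CIDR masks from
            which this peer is allowed to send incoming traffic and to which
            outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may
            be specified for matching all IPv4 addresses, and ::/0 may be specified
            for matching all IPv6 addresses.'';
        };
      };
    };
in {
  options.cloonar-assistant = {
    setup = mkOption {
      type = types.bool;
      default = false;
      description = "Enable access from Wan to Setup";
    };
    networkPrefix = mkOption {
      type = types.str;
      example = "10.42";
      description = "First two octets of the network";
    };
    domain = mkOption {
      type = types.str;
      example = "example.smart.cloonar.com";
      description = "domain of the network";
    };
    updns = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Enable updns";
      };
      key = mkOption {
        # `nullOr` options need an explicit `default = null`, otherwise reading
        # the option while unset is an evaluation error (cf. presharedKey above).
        default = null;
        type = with types; nullOr str;
        example = "example";
        # NOTE(review): if `key` is secret material rather than an identifier,
        # it should move to a *File option like `secretFile` — values set here
        # end up in the world-readable Nix store.
        description = "key for updns";
      };
      secretFile = mkOption {
        default = null;
        type = with types; nullOr str;
        example = "/private/updns_secret";
        # NOTE(review): this description reads like a copy of the WireGuard
        # options; confirm how the updns secret is actually generated.
        description = "File pointing to secret as generated by {command}`wg genpsk`.";
      };
    };
    vpn = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Enable VPN";
      };
      privateKeyFile = mkOption {
        default = null;
        # `str`, not `path`: keeps the private key out of the Nix store.
        type = with types; nullOr str;
        example = "/private/wireguard_private_key";
        description = "File pointing to private key as generated by {command}`wg genkey`.";
      };
      clients = mkOption {
        default = [ ];
        description = "VPN Clients";
        type = with types; listOf (submodule vpn-client-opts);
      };
    };
    multiroom-audio = {
      enable = mkOption {
        type = types.bool;
        default = false;
        # The `./multiroom-audio` import below is commented out, so this
        # option currently has no consumer in this module.
        description = "Enable multiroom audio";
      };
    };
    firewall = {
      enable = mkOption {
        type = types.bool;
        default = true;
        description = "Enable firewall";
      };
      ipv4 = mkOption {
        type = types.bool;
        default = true;
        description = "Enable the IPv4 part of the firewall";
      };
      ipv6 = mkOption {
        type = types.bool;
        default = false;
        description = "Enable the IPv6 part of the firewall";
      };
      interfaces = {
        wan = mkOption {
          type = types.str;
          example = "enp2s0";
          description = "Network interface for WAN";
        };
        internal = mkOption {
          default = null;
          type = with types; nullOr str;
          example = "enp3s0";
          description = "Internal network interface";
        };
      };
      # Free-form rule snippets.  The examples use nftables syntax
      # (`iifname`, `oifname`, `counter accept`), so the descriptions say so.
      custom-rules = {
        input = mkOption {
          default = null;
          type = with types; nullOr lines;
          example = ''
            iifname "lan" udp dport 22 counter accept comment "Wireguard traffic"
            iifname "lan" udp dport 80 counter accept comment "Wireguard traffic"
          '';
          description = "Custom nftables rules for the input chain";
        };
        forward = mkOption {
          default = null;
          type = with types; nullOr lines;
          example = ''
            iifname "lan" oifname "server" tcp dport { 22 } counter accept
            iifname "lan" oifname "server" tcp dport { 80 } counter accept
          '';
          description = "Custom nftables rules for the forward chain";
        };
        prerouting = mkOption {
          default = null;
          type = with types; nullOr lines;
          example = ''
            iifname "server" ip daddr 10.0.96.255 udp dport { 9 } dnat to 10.0.96.255
          '';
          description = "Custom nftables rules for the nat prerouting chain";
        };
        postrouting = mkOption {
          default = null;
          type = with types; nullOr lines;
          example = ''
            oifname { "wan" } masquerade
          '';
          description = "Custom nftables rules for the nat postrouting chain";
        };
      };
    };
  };
  # Sub-modules that implement the options declared above.
  imports = [
    ./sops.nix
    ./networking
    ./updns
    ./home-assistant
    # ./multiroom-audio
  ];
}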