before flake update

2025-12-08 12:04:41 +01:00
parent 5fb0c51777
commit 1655f3096d
4 changed files with 157 additions and 0 deletions
--- a/modules/optionnals/server/wireguard-ui.nix
+++ b/modules/optionnals/server/wireguard-ui.nix
@@ -0,0 +1,97 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  environment.systemPackages = [
+    pkgs.wireguard-tools
+    pkgs.wireguard-ui
+  ];
+
+  users.users.wireguard-ui = {
+    isSystemUser = true;
+    group = "wireguard-ui";
+    home = "/var/lib/wireguard-ui";
+    createHome = true;
+    description = "WireGuard UI service user";
+  };
+
+  users.groups.wireguard-ui = { };
+
+  systemd = {
+    tmpfiles.rules = [
+      "d /etc/wireguard 0750 wireguard-ui wireguard-ui -"
+      "d /var/lib/wireguard-ui 0750 wireguard-ui wireguard-ui -"
+    ];
+
+    services = {
+      wg-quick-wg0 = {
+        description = "WireGuard via wg-quick(8) for wg0";
+        after = [
+          "network-online.target"
+          "wireguard-ui.service"
+        ];
+        wants = [ "network-online.target" ];
+        wantedBy = [
+          "multi-user.target"
+          "sshd.service"
+        ];
+
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          ExecStart = "${pkgs.wireguard-tools}/bin/wg-quick up wg0";
+          ExecStop = "${pkgs.wireguard-tools}/bin/wg-quick down wg0";
+          ExecReload = "${pkgs.bash}/bin/bash -c 'exec ${pkgs.wireguard-tools}/bin/wg syncconf wg0 <(exec ${pkgs.wireguard-tools}/bin/wg-quick strip wg0)'";
+          Environment = [ "WG_ENDPOINT_RESOLUTION_RETRIES=infinity" ];
+        };
+      };
+
+      wireguard-ui = {
+        description = "WireGuard UI";
+        documentation = [ "https://github.com/ngoduykhanh/wireguard-ui" ];
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+
+        serviceConfig = {
+          ExecStart = "${pkgs.wireguard-ui}/bin/wireguard-ui";
+          Restart = "on-failure";
+          WorkingDirectory = "/var/lib/wireguard-ui";
+          StateDirectory = "wireguard-ui";
+          User = "wireguard-ui";
+          Group = "wireguard-ui";
+          ReadWritePaths = [
+            "/var/lib/wireguard-ui"
+            "/etc/wireguard"
+          ];
+
+          Environment = [
+            # "WGUI_ENDPOINT_ADDRESS=${config.custom.wireguard-ui.endpointAddress}"
+            # "WGUI_DNS=${config.custom.wireguard-ui.dns}"
+          ];
+
+          AmbientCapabilities = "CAP_NET_ADMIN";
+        };
+      };
+
+      wg-quick-wg0-reload = {
+        description = "Reload WireGuard config";
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${pkgs.systemd}/bin/systemctl reload wg-quick-wg0.service";
+        };
+      };
+    };
+
+    paths.wg-quick-wg0-reload = {
+      description = "Watch /etc/wireguard/wg0.conf for changes";
+      wantedBy = [ "multi-user.target" ];
+      pathConfig = {
+        PathModified = "/etc/wireguard/wg0.conf";
+      };
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ 5000 ];
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+}