
Why I love nix
19/07/2025
Whining
Despite the fact that I pretty often whine about NixOS, it is still a powerful tool with an awesome toolset from the community, and I still find inspiration in the declarative way of configuring things.
I've added an additional AmneziaWG server to my VPS in just a couple of config lines.
Config
It is an almost vanilla config for wg-quick, yet it is fully sufficient for a quick setup. I've only skipped my overlays, which force NixOS to use fresher versions of the packages. I will leave it here for my future reference.
{
  pkgs,
  config,
  ...
}:
{
  boot.extraModulePackages = with config.boot.kernelPackages; [ amneziawg ];
  environment.systemPackages = with pkgs; [
    amneziawg-go
    amneziawg-tools
  ];
  networking = {
    firewall = {
      # allowedTCPPorts/allowedUDPPorts open the port on every interface.
      # 53 is still only reachable over wg0 because dnsmasq below binds to
      # that interface alone; WireGuard/AmneziaWG itself speaks UDP only,
      # so the TCP entry for 8283 is never used.
      allowedTCPPorts = [
        8283
        53
      ];
      allowedUDPPorts = [
        8283
        53
      ];
    };
    nat = {
      enable = true;
      externalInterface = "eth0";
      internalInterfaces = [ "wg0" ];
    };
  };
  services = {
    dnsmasq = {
      enable = true;
      settings = {
        # Serve DNS to VPN clients only, never on the public interface.
        interface = "wg0";
        except-interface = "lo";
        bind-interfaces = true;
      };
    };
  };
  # dnsmasq binds to wg0, so the tunnel has to exist before it starts.
  systemd.services.dnsmasq.requires = [
    "wg-quick-wg0.service"
  ];
  systemd.services.dnsmasq.after = [
    "wg-quick-wg0.service"
  ];
  networking.wg-quick.interfaces = {
    wg0 = {
      type = "amneziawg";
      address = [
        "10.0.0.1/24"
      ];
      listenPort = 8283;
      privateKeyFile = ...;
      # networking.nat above already masquerades wg0 traffic out of eth0;
      # these explicit rules mirror the upstream wg-quick example.
      postUp = ''
        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
      '';
      preDown = ''
        ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
      '';
      # AmneziaWG obfuscation parameters; every peer must use identical values.
      # H1-H4: replacement header (message type) values, Jc/Jmin/Jmax: count and
      # size range of junk packets, S1/S2: junk prefix sizes for the handshake.
      extraOptions = {
        H1 = ...;
        H2 = ...;
        H3 = ...;
        H4 = ...;
        Jc = 5;
        Jmax = 42;
        Jmin = 10;
        S1 = 60;
        S2 = 90;
      };
      peers = [
        {
          # peer0
          publicKey = "...";
          allowedIPs = [
            "10.0.0.2/32"
          ];
        }
      ];
    };
  };
}
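A mismatched or out-of-range obfuscation parameter set is the usual reason a peer silently fails to handshake, so here is a small sanity check I would run over the extraOptions above before deploying. This is an added example, not code from the post or from the AmneziaWG project; the bounds are the ones I recall from the AmneziaWG documentation and should be treated as assumptions, and the H1..H4 values are constructed placeholders.

```python
"""Sanity-check an AmneziaWG obfuscation parameter set before deploying it."""
from typing import Dict, List

def check_awg_params(p: Dict[str, int]) -> List[str]:
    """Return human-readable problems; an empty list means the set is consistent."""
    problems: List[str] = []
    required = ("Jc", "Jmin", "Jmax", "S1", "S2", "H1", "H2", "H3", "H4")
    missing = [k for k in required if k not in p]
    if missing:
        return [f"missing parameters: {', '.join(missing)}"]
    # Jc: number of junk packets sent before the handshake (assumed 1..128).
    if not 1 <= p["Jc"] <= 128:
        problems.append("Jc must be in 1..128")
    # Jmin/Jmax: size range of those junk packets (assumed Jmax <= 1280).
    if not 0 <= p["Jmin"] < p["Jmax"] <= 1280:
        problems.append("need 0 <= Jmin < Jmax <= 1280")
    # S1/S2: junk prefix sizes for handshake init / response packets.
    # S1 + 56 must differ from S2, otherwise the two message kinds collide.
    if p["S1"] < 0 or p["S2"] < 0:
        problems.append("S1 and S2 must be non-negative")
    if p["S1"] + 56 == p["S2"]:
        problems.append("S1 + 56 must not equal S2")
    # H1..H4 replace WireGuard's message-type values 1..4, so they must avoid
    # that reserved range, fit in 32 bits and be pairwise distinct.
    headers = [p[k] for k in ("H1", "H2", "H3", "H4")]
    if any(not 5 <= h < 2**32 for h in headers):
        problems.append("H1..H4 must each be in 5..2^32-1")
    if len(set(headers)) != 4:
        problems.append("H1..H4 must be pairwise distinct")
    return problems

def mismatched_keys(server: Dict[str, int], client: Dict[str, int]) -> List[str]:
    """Keys whose value differs between two configs; both sides must agree on all."""
    return sorted(k for k in set(server) | set(client) if server.get(k) != client.get(k))

# Constructed sample mirroring the config in the post (H values are made up).
SERVER_PARAMS = {"Jc": 5, "Jmin": 10, "Jmax": 42, "S1": 60, "S2": 90,
                 "H1": 1234567891, "H2": 1234567892,
                 "H3": 1234567893, "H4": 1234567894}

if __name__ == "__main__":
    for issue in check_awg_params(SERVER_PARAMS) or ["ok"]:
        print(issue)
```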
So long and thanks for the fish.