hosts/aubergine/wireguard.nix

   1 { pkgs, hostName, ... }:
   2 let
   3   peers = import ../../nixos/profiles/wireguard/wg-intra/peers.nix;
   4   network = import ./networking/names-and-numbers.nix;
   5 in
   6 {
   7   systemd.services."wireguard-wg-intra".serviceConfig.LoadCredentialEncrypted = [
   8     "privateKey:${./wireguard/wg-intra/privateKey.cred}"
   9   ];
  10   networking.wireguard.wg-intra.peers = {
  11     mermet.enable = true;
  12     losurdo.enable = true;
  13     oignon.enable = true;
  14     patate.enable = true;
  15   };
  16   # FIXME: this is enough to connect to the LTE router,
  17   # but not enough to connect the wg-intra hosts behind the LTE router.
  18   systemd.services.fix-wireguard-behind-lte = {
  19     wantedBy = [ "multi-user.target" ];
  20     startAt = "*:0/5"; # every 5 min
  21     path = with pkgs; [ iproute2 curl /*gnused socat*/ ];
  22     unitConfig = { StartLimitIntervalSec = 0; };
  23     serviceConfig = {
  24       Type = "simple";
  25       User = "root";
  26       IPAddressAllow = [ peers.mermet.ipv4 ];
  27       RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
  28       ExecStart = pkgs.writeShellScript "fix-wireguard-behind-lte" ''
  29         set -eux
  30         # FIXME: lift mermet's restriction of only one connection at a time
  31         #externalIP=$(socat - TCP:${peers.mermet.ipv4}:${toString peers.mermet.listenPort} |
  32         externalIP=$(curl -s4L https://icanhazip.com)
  33         test -z "''${externalIP-}" ||
  34         ip addr replace "$externalIP"/32 dev ${network.lteIface}
  35       '';
  36       Restart = "on-failure";
  37       RestartSec = "30s";
  38     };
  39   };
  40 }