networking/wireguard/wg-intra.nix

   1 { pkgs, lib, config, hostName, private, ... }:
   2 let
   3   iface = "wg-intra";
   4   hosts = import wg-intra/hosts.nix;
   5   wg = config.networking.wireguard.interfaces.${iface};
   6 in
   7 {
   8 networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
   9   (removeAttrs hosts.${hostName} ["ipv4" "persistentKeepalive" "peer"])
  10   {
  11     peers =
  12       lib.mapAttrsToList (peerName: peer: lib.recursiveUpdate
  13         { persistentKeepalive = hosts.${hostName}.persistentKeepalive or null; }
  14         peer.peer
  15       ) (removeAttrs hosts [hostName]);
  16     privateKeyFile = lib.mkDefault "${private}/${hostName}/wireguard/${iface}/privateKey";
  17   };
  18 networking.hosts = lib.mkMerge [
  19   (lib.mapAttrs' (hostName: host:
  20     lib.nameValuePair host.ipv4 [ "${hostName}.wg" ]) hosts)
  21   { "${hosts.losurdo.ipv4}" = [
  22     "nix-extracache.losurdo.wg"
  23     "nix-localcache.losurdo.wg"
  24   ]; }
  25 ];
  26 networking.firewall.extraCommands = ''
  27   ip46tables -A nixos-fw -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
  28 '' + lib.optionalString (wg.listenPort != null) ''
  29   ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
  30 '';
  31 services.fail2ban.ignoreIP = lib.concatMap
  32   (host: host.peer.allowedIPs)
  33   (lib.attrValues hosts);
  34 }