1 { pkgs, lib, config, hostName, credentials, ... }:
4 peers = import wg-intra/peers.nix;
5 wg = config.networking.wireguard.interfaces.${iface};
8 # Each peer select the other peers allowed to connect to it
9 options.networking.wireguard.${iface}.peers =
10 lib.genAttrs (lib.attrNames peers) (peerName: {
11 enable = lib.mkEnableOption "this peer";
14 systemd.services."wireguard-${iface}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${iface}/privateKey.secret";
15 networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
16 (removeAttrs peers.${hostName} ["ipv4" "persistentKeepalive" "peer"])
19 lib.mapAttrsToList (peerName: peer:
23 peer.persistentKeepalive # Useful if this peer is behind a NAT
24 or peers.${hostName}.persistentKeepalive # Useful if this host is behind a NAT
29 (lib.filterAttrs (peerName: _: config.networking.wireguard.${iface}.peers.${peerName}.enable) peers)
31 privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
33 # Set the MTU to a minimum
34 # (IPv4 requires at least 68 but it's 1280 for IPv6).
35 # This prevents connections to stall on huge packets,
36 # or delaying their initializing due to TCP PMTU probing.
38 ip link set dev ${iface} mtu 1280
41 networking.hosts = lib.mkMerge [
42 (lib.mapAttrs' (hostName: host:
43 lib.nameValuePair host.ipv4 [ "${hostName}.wg" ]) peers)
45 "${peers.losurdo.ipv4}" = [
46 "nix-extracache.losurdo.wg"
47 "nix-localcache.losurdo.wg"
52 networking.firewall.extraCommands = lib.optionalString (wg.listenPort != null) ''
53 ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
56 networking.nftables.ruleset = lib.optionalString (wg.listenPort != null) ''
57 # Allow initiating connection to and from other peers
58 add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} input from peers"
59 add rule inet filter fw2net udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} output to peers"
60 add rule inet filter lan2fw udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} input from peers"
61 add rule inet filter fw2lan udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} output to peers"
63 # Hook ${iface} into the input chain
64 add chain inet filter intra2fw
65 add rule inet filter input iifname ${iface} jump intra2fw
66 add rule inet filter input iifname ${iface} log level warn prefix "intra2fw: " counter drop
68 # Hook ${iface} into the output chain
69 add chain inet filter fw2intra
70 add rule inet filter output oifname ${iface} jump fw2intra
71 add rule inet filter output oifname ${iface} log level warn prefix "fw2intra: " counter drop
73 # Allow connections to peers acting as an endpointsUpdater
74 ${lib.concatStringsSep "\n"
75 (lib.mapAttrsToList (peerName: peer: ''
76 add rule inet filter fw2intra tcp dport ${toString peer.listenPort} ip daddr ${peer.ipv4} \
77 counter accept comment "Wireguard ${iface} to endpointUpdater ${peerName}"
79 (lib.filterAttrs (peerName: peer:
80 config.networking.wireguard.${iface}.peers.${peerName}.enable &&
81 (peers.${peerName}.peer.endpointsUpdater.enable or false))
84 ${lib.optionalString (peers.${hostName}.peer.endpointsUpdater.enable or false) ''
85 # Allow connections from peers when acting as an endpointsUpdater
86 add rule inet filter intra2fw tcp dport ${toString peers.${hostName}.listenPort} ip daddr ${peers.${hostName}.ipv4} \
87 counter accept comment "Wireguard ${iface} from peers to endpointUpdater"
92 services.fail2ban.ignoreIP = lib.concatMap
93 (host: host.peer.allowedIPs)
94 (lib.attrValues peers);
95 networking.networkmanager.unmanaged = ["wg-intra"];