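{ pkgs, lib, config, hostName, credentials, ... }:
# WireGuard "intra" network between the hosts described in wg-intra/peers.nix.
# The local host's own entry becomes the interface configuration, the other
# entries become peers, but only those explicitly enabled on this host through
# `networking.wireguard.wg-intra.peers.<name>.enable`.
let
  iface = "wg-intra";
  # Static description of every host on the network (ipv4, listenPort,
  # public key, allowedIPs, ...). It is shared by all hosts, so it must not
  # contain secrets: the private key comes from the systemd credential below.
  peers = import wg-intra/peers.nix;
  # The interface as finally configured, used to read back its listenPort.
  wg = config.networking.wireguard.interfaces.${iface};
  # Peers this host is allowed to connect to; never the host itself.
  enabledPeers = removeAttrs
    (lib.filterAttrs (peerName: _: config.networking.wireguard.${iface}.peers.${peerName}.enable) peers)
    [ hostName ];
in
{
  # Each peer selects the other peers allowed to connect to it.
  options.networking.wireguard.${iface}.peers =
    lib.genAttrs (lib.attrNames peers) (peerName: {
      enable = lib.mkEnableOption "this peer";
    });
  config = {
    # The private key never enters the Nix store: systemd decrypts the
    # credential at service start and exposes it under $CREDENTIALS_DIRECTORY.
    systemd.services."wireguard-${iface}".serviceConfig.LoadCredentialEncrypted =
      "privateKey:${credentials}/wireguard/${iface}/privateKey.secret";
    networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
      # Our own entry in peers.nix is the interface configuration. The stripped
      # attributes are either meant for the other hosts (`peer`,
      # `persistentKeepalive`) or not an interface option (`ipv4`).
      (removeAttrs peers.${hostName} [ "ipv4" "persistentKeepalive" "peer" ])
      {
        peers =
          lib.mapAttrsToList (peerName: peer:
            lib.recursiveUpdate
              {
                persistentKeepalive =
                  peer.persistentKeepalive # Useful if this peer is behind a NAT
                  or peers.${hostName}.persistentKeepalive # Useful if this host is behind a NAT
                  or null;
              }
              peer.peer)
            enabledPeers;
        # Expanded by the shell of the wireguard-${iface} unit,
        # where LoadCredentialEncrypted above has placed the decrypted key.
        privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";

        # Set the MTU to a minimum
        # (IPv4 requires at least 68 but it's 1280 for IPv6).
        # This prevents connections from stalling on huge packets,
        # or from delaying their initialization due to TCP PMTU probing.
        postSetup = ''
          ip link set dev ${iface} mtu 1280
        '';
      };
    networking.hosts = lib.mkMerge [
      # <host>.wg resolves to the host's wg-intra address, for every host of
      # peers.nix (enabled as a peer or not).
      # The lambda parameter is deliberately not named hostName, which is the
      # module argument naming the local host.
      (lib.mapAttrs' (name: host:
        lib.nameValuePair host.ipv4 [ "${name}.wg" ]) peers)
      # Service aliases hosted on losurdo.
      {
        "${peers.losurdo.ipv4}" = [
          "nix-extracache.losurdo.wg"
          "nix-localcache.losurdo.wg"
          "sftp.losurdo.wg"
        ];
      }
    ];
    # iptables-based firewall: accept the WireGuard UDP port on every interface.
    # `any` is not an iptables interface wildcard (only a trailing `+` is),
    # so `-i` is omitted: an omitted `-i` matches every interface.
    networking.firewall.extraCommands = lib.optionalString (wg.listenPort != null) ''
      ip46tables -A nixos-fw -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
    '';

    # nftables-based firewall: the chains net2fw, fw2net, lan2fw, fw2lan,
    # input and output are expected to be declared by another profile.
    networking.nftables.ruleset = lib.optionalString (wg.listenPort != null) ''
      # Allow initiating connection to and from other peers
      add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} input from peers"
      add rule inet filter fw2net udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} output to peers"
      add rule inet filter lan2fw udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} input from peers"
      add rule inet filter fw2lan udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} output to peers"

      # Hook ${iface} into the input chain.
      # Whatever intra2fw does not accept is logged then dropped.
      # The log is rate-limited so that a flooding peer cannot fill the journal;
      # the drop is not.
      add chain inet filter intra2fw
      add rule inet filter input iifname ${iface} jump intra2fw
      add rule inet filter input iifname ${iface} limit rate 10/minute log level warn prefix "intra2fw: "
      add rule inet filter input iifname ${iface} counter drop

      # Hook ${iface} into the output chain, same logic as for the input chain.
      add chain inet filter fw2intra
      add rule inet filter output oifname ${iface} jump fw2intra
      add rule inet filter output oifname ${iface} limit rate 10/minute log level warn prefix "fw2intra: "
      add rule inet filter output oifname ${iface} counter drop

      # Allow connections to peers acting as an endpointsUpdater.
      # NOTE(review): the endpointsUpdater is reached on the peer's WireGuard
      # listenPort number, but over TCP; confirm this is the port that service
      # actually listens on.
      ${lib.concatStringsSep "\n"
        (lib.mapAttrsToList (peerName: peer: ''
          add rule inet filter fw2intra tcp dport ${toString peer.listenPort} ip daddr ${peer.ipv4} \
            counter accept comment "Wireguard ${iface} to endpointUpdater ${peerName}"
        '')
        (lib.filterAttrs (peerName: peer: peer.peer.endpointsUpdater.enable or false)
          enabledPeers))
      }
      ${lib.optionalString (peers.${hostName}.peer.endpointsUpdater.enable or false) ''
        # Allow connections from peers when acting as an endpointsUpdater
        # (any peer admitted on ${iface}, no per-peer source restriction).
        add rule inet filter intra2fw tcp dport ${toString peers.${hostName}.listenPort} ip daddr ${peers.${hostName}.ipv4} \
          counter accept comment "Wireguard ${iface} from peers to endpointUpdater"
      ''
      }
    '';

    # Never ban traffic coming from the WireGuard network.
    # Note that this whitelists the allowedIPs of every host in peers.nix,
    # not only of the peers enabled on this host.
    services.fail2ban.ignoreIP = lib.concatMap
      (host: host.peer.allowedIPs)
      (lib.attrValues peers);
    # The interface is managed by the wireguard-${iface} unit, not by NetworkManager.
    networking.networkmanager.unmanaged = [ iface ];
  };
}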