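{ pkgs, hostName, ... }:
let
  # Shared wg-intra peer table; this file reads mermet.ipv4 and mermet.listenPort from it.
  peers = import ../../nixos/profiles/wireguard/wg-intra/peers.nix;
  # Per-host interface names/numbers; this file reads lteIface from it.
  network = import ./networking/names-and-numbers.nix;
in
{
  # The wg-intra private key is supplied as a systemd encrypted credential,
  # decrypted only into the service's credential directory at start, instead of
  # being stored in plaintext in the world-readable Nix store.
  systemd.services."wireguard-wg-intra".serviceConfig.LoadCredentialEncrypted = [
    "privateKey:${./wireguard/wg-intra/privateKey.cred}"
  ];
  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    oignon.enable = true;
    patate.enable = true;
  };
  # FIXME: this is enough to connect to the LTE router,
  # but not enough to connect the wg-intra hosts behind the LTE router.
  #
  # Every 5 minutes, look up this host's public IPv4 address and pin it on the
  # LTE interface so the WireGuard tunnel keeps a usable source address.
  systemd.services.fix-wireguard-behind-lte = {
    after = [ "NetworkManager-wait-online.service" ];
    requires = [ "NetworkManager-wait-online.service" ];
    wantedBy = [ "network-online.target" ];
    #startAt = "*:0/5"; # every 5 min
    path = with pkgs; [
      iproute2
      curl # gnused socat
    ];
    unitConfig = {
      # The unit is expected to be restarted repeatedly; never rate-limit it.
      StartLimitIntervalSec = 0;
    };
    serviceConfig = {
      Type = "simple";
      User = "root";
      # NOTE(review): with no IPAddressDeny= set, this allow-list does not
      # restrict any traffic on its own, and the script below has to reach
      # icanhazip.com anyway -- confirm against systemd.resource-control(5)
      # before relying on it as a network restriction.
      IPAddressAllow = [ peers.mermet.ipv4 ];
      # AF_NETLINK is needed by `ip addr replace`; AF_INET/AF_INET6 by curl.
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_NETLINK"
      ];
      ExecStart = pkgs.writeShellScript "fix-wireguard-behind-lte" ''
        # -u: unset variables are errors; -x: trace each command to the journal.
        set -ux
        while sleep 300; do
          # FIXME: lift mermet's restriction of only one connection at a time
          #externalIP=$(socat - TCP:${peers.mermet.ipv4}:${toString peers.mermet.listenPort} |
          # --max-time bounds a stalled request so one hung lookup cannot wedge
          # the loop; -f turns HTTP errors into an empty result instead of a body.
          externalIP=$(curl -sf4L --max-time 30 https://icanhazip.com)
          # The response body comes from a third party and is handed to `ip`
          # as root: accept nothing but a plain dotted-quad IPv4 address.
          if [[ "$externalIP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
            ip addr replace "$externalIP"/32 dev ${network.lteIface}
          fi
        done
      '';
      Restart = "on-failure";
      RestartSec = "30s";
    };
  };
}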