nix: format with nixfmt-rfc-style
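{
  inputs,
  lib,
  config,
  hostName,
  ...
}:
let
  wgIface = "wg-intra";
  # Inventory of the intra network, shared by every host. Per host it holds
  # ipv4, listenPort, optionally persistentKeepalive, and `peer`, an attrset
  # in the shape of a networking.wireguard.interfaces.<iface>.peers entry
  # (allowedIPs, optionally endpointsUpdater, ...).
  peers = import wg-intra/peers.nix;
  wg = config.networking.wireguard.interfaces.${wgIface};
  # Allow-list: the peers this host has opted in to through
  # networking.wireguard.${wgIface}.peers.<name>.enable.
  # Nix evaluates lazily, so referencing `config` here is fine as long as
  # nothing under `options` forces it.
  enabledPeers = lib.filterAttrs (
    peerName: _: config.networking.wireguard.${wgIface}.peers.${peerName}.enable
  ) peers;
  # Enabled peers whose endpointsUpdater service may be reached through the tunnel.
  updaterPeers = lib.filterAttrs (_: peer: peer.peer.endpointsUpdater.enable or false) enabledPeers;
  # Keepalive applied to every peer lacking one of its own;
  # useful if this host is behind a NAT.
  hostKeepalive = peers.${hostName}.persistentKeepalive or null;
in
{
  # Each peer selects the other peers allowed to connect to it:
  # a host listed in peers.nix is only configured as a peer once enabled here.
  options.networking.wireguard.${wgIface}.peers = lib.genAttrs (lib.attrNames peers) (
    _peerName: {
      enable = lib.mkEnableOption "this peer";
    }
  );
  config = {
    #systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted =
    #  [ "privateKey:${inputs.self}/hosts/${hostName}/wireguard/${wgIface}/privateKey.cred" ];
    networking.wireguard.interfaces.${wgIface} =
      lib.recursiveUpdate
        # This host's own entry minus the fields that are not interface options.
        (removeAttrs peers.${hostName} [
          "ipv4"
          "persistentKeepalive"
          "peer"
        ])
        {
          # Only enabled peers are handed to WireGuard, and never the host itself.
          peers = lib.mapAttrsToList (
            _peerName: peer:
            lib.recursiveUpdate {
              # Useful if this peer is behind a NAT.
              persistentKeepalive = peer.persistentKeepalive or hostKeepalive;
            } peer.peer
          ) (removeAttrs enabledPeers [ hostName ]);
          # The private key is read from the systemd credentials directory of
          # the wireguard service, so it never ends up in the Nix store.
          # NOTE(review): the LoadCredentialEncrypted line above is commented
          # out, so the `privateKey` credential must be loaded by another
          # module — confirm, otherwise the interface cannot come up.
          privateKeyFile = "\$CREDENTIALS_DIRECTORY/privateKey";

          # Set the MTU to a minimum
          # (IPv4 requires at least 68 but it's 1280 for IPv6).
          # This prevents connections from stalling on huge packets,
          # or from delaying their initialization due to TCP PMTU probing.
          postSetup = ''
            ip link set dev ${wgIface} mtu 1280
          '';
        };
    networking.hosts = lib.mkMerge [
      # <name>.wg resolves to that host's intra address.
      (lib.mapAttrs' (name: host: lib.nameValuePair host.ipv4 [ "${name}.wg" ]) peers)
      {
        "${peers.losurdo.ipv4}" = [
          "nix-extracache.losurdo.wg"
          "nix-localcache.losurdo.wg"
          "sftp.losurdo.wg"
        ];
      }
    ];
    # iptables backend: accept WireGuard's UDP listen port on every interface
    # (-i any), the same exposure as the input-lan/input-net rules below.
    networking.firewall.extraCommands = lib.optionalString (wg.listenPort != null) ''
      ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
    '';

    # nftables backend. Traffic on the tunnel itself is default-deny: the
    # input/output chains jump to input-intra/output-intra for the tunnel
    # interface and drop, with a logged warning, anything not accepted there.
    # The input-lan/input-net/output-lan/output-net chains are presumably
    # declared by another module — confirm.
    # NOTE(review): input-intra assumes the endpointsUpdater listens on TCP at
    # this host's listenPort from peers.nix, i.e. the same number as the
    # WireGuard UDP port — confirm against the endpointsUpdater service.
    networking.nftables.ruleset = lib.optionalString (wg.listenPort != null) ''
      table inet filter {
        chain input-lan {
          udp dport ${toString wg.listenPort} counter accept \
            comment "Wireguard ${wgIface} input from peers"
        }
        chain input-net {
          udp dport ${toString wg.listenPort} counter accept \
            comment "Wireguard ${wgIface} input from peers"
        }
        chain input-intra {
          ${lib.optionalString (peers.${hostName}.peer.endpointsUpdater.enable or false) ''
            tcp dport ${toString peers.${hostName}.listenPort} ip daddr ${peers.${hostName}.ipv4} counter accept comment "Wireguard ${wgIface} from peers to endpointUpdater"
          ''}
        }
        chain input {
          iifname ${wgIface} jump input-intra
          iifname ${wgIface} log level warn prefix "input-intra: " counter drop
        }

        chain output-lan {
          udp sport ${toString wg.listenPort} counter accept \
            comment "Wireguard ${wgIface} output to peers"
        }
        chain output-net {
          udp sport ${toString wg.listenPort} counter accept \
            comment "Wireguard ${wgIface} output to peers"
        }
        chain output-intra {
          ${lib.concatStringsSep "\n" (
            lib.mapAttrsToList (peerName: peer: ''
              ip daddr ${peer.ipv4} \
                tcp dport ${toString peer.listenPort} \
                counter accept \
                comment "Wireguard ${wgIface} to endpointUpdater ${peerName}"
            '') updaterPeers
          )}
        }
        chain output {
          oifname ${wgIface} jump output-intra
          oifname ${wgIface} log level warn prefix "output-intra: " counter drop
        }
      }
    '';

    # NOTE(review): this whitelists the allowedIPs of every host in peers.nix,
    # not only of the peers enabled on this host; narrow it to enabledPeers
    # if that is the intent.
    services.fail2ban.ignoreIP = lib.concatMap (host: host.peer.allowedIPs) (lib.attrValues peers);
    # Keep NetworkManager from touching the tunnel interface.
    networking.networkmanager.unmanaged = [ wgIface ];
  };
}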