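{ pkgs, hostName, ... }:
let
  # Shared wg-intra peer table (IPs, listen ports) and this host's interface names.
  peers = import ../../../nixos/profiles/wireguard/wg-intra/peers.nix;
  network = import ../networking/names-and-numbers.nix;
in
{
  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    oignon.enable = true;
    patate.enable = true;
  };
  # FIXME: this is enough to connect to the LTE router,
  # but not enough to connect the wg-intra hosts behind the LTE router.
  #
  # Periodically looks up this host's public IPv4 and installs it as a /32
  # on the LTE interface, so WireGuard can bind/route through the LTE uplink.
  systemd.services.fix-wireguard-behind-lte = {
    wantedBy = [ "multi-user.target" ];
    startAt = "*:0/5"; # every 5 min
    path = with pkgs; [ iproute2 curl /*gnused socat*/ ];
    # Timer-driven with Restart=on-failure: never rate-limit the restarts.
    unitConfig = { StartLimitIntervalSec = 0; };
    serviceConfig = {
      Type = "simple";
      # `ip addr replace` needs CAP_NET_ADMIN.
      User = "root";
      # NOTE(review): IPAddressAllow= without IPAddressDeny= does not filter
      # anything (packets matching neither list are allowed), and the script
      # below talks to icanhazip.com, not to mermet, so adding
      # IPAddressDeny=any here would break the lookup. Kept as-is; revisit
      # together with the socat-to-mermet FIXME.
      IPAddressAllow = [ peers.mermet.ipv4 ];
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
      ExecStart = pkgs.writeShellScript "fix-wireguard-behind-lte" ''
        set -eux
        # FIXME: lift mermet's restriction of only one connection at a time
        #externalIP=$(socat - TCP:${peers.mermet.ipv4}:${toString peers.mermet.listenPort} |
        #
        # The response is untrusted input that ends up in a kernel address
        # change, so: -f rejects HTTP error bodies instead of returning them,
        # --proto-redir =https refuses a redirect downgrade to plaintext,
        # --max-time bounds a hung lookup, and the result is checked to be a
        # dotted-quad before it reaches `ip addr replace`.
        externalIP=$(curl -4sSfL --proto-redir =https --max-time 30 https://icanhazip.com)
        # An empty answer is a no-op (as before); anything else must be an IPv4 literal.
        if test -z "''${externalIP-}"; then
          exit 0
        fi
        if [[ ! "$externalIP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
          echo "fix-wireguard-behind-lte: unexpected public-IP lookup response, not applying it" >&2
          exit 1
        fi
        ip addr replace "$externalIP"/32 dev ${network.lteIface}
      '';
      Restart = "on-failure";
      RestartSec = "30s";
    };
  };
}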