systemd-creds: reencrypt when .gpg newer than .cred

[julm/julm-nix.git] / hosts / aubergine / wireguard / wg-intra.nix

{ pkgs, hostName, ... }:
let
  peers = import ../../../nixos/profiles/wireguard/wg-intra/peers.nix;
  network = import ../networking/names-and-numbers.nix;
in
{
  networking.wireguard.wg-intra.peers = {
    mermet.enable = true;
    losurdo.enable = true;
    oignon.enable = true;
    patate.enable = true;
  };
  # FIXME: this is enough to connect to the LTE router,
  # but not enough to connect the wg-intra hosts behind the LTE router.
  systemd.services.fix-wireguard-behind-lte = {
    wantedBy = [ "multi-user.target" ];
    startAt = "*:0/5"; # every 5 min
    path = with pkgs; [ iproute2 curl /*gnused socat*/ ];
    unitConfig = { StartLimitIntervalSec = 0; };
    serviceConfig = {
      Type = "simple";
      User = "root";
      IPAddressAllow = [ peers.mermet.ipv4 ];
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
      ExecStart = pkgs.writeShellScript "fix-wireguard-behind-lte" ''
        set -eux
        # FIXME: lift mermet's restriction of only one connection at a time
        #externalIP=$(socat - TCP:${peers.mermet.ipv4}:${toString peers.mermet.listenPort} |
        externalIP=$(curl -s4L https://icanhazip.com)
        test -z "''${externalIP-}" ||
        ip addr replace "$externalIP"/32 dev ${network.lteIface}
      '';
      Restart = "on-failure";
      RestartSec = "30s";
    };
  };
}