carotte: add to admin hosts
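# NixOS module for the "wg-intra" WireGuard interface: a full mesh between the
# hosts declared in wg-intra/hosts.nix.  Every host imports this same file with
# its own `hostName`, so one declaration yields a per-host interface and peer
# list.
#
# Module arguments:
#   lib, config — the usual NixOS module arguments.
#   hostName    — key of this machine in wg-intra/hosts.nix.
#   private     — directory holding per-host secrets (see privateKeyFile).
{ lib, config, hostName, private, ... }:
let
  iface = "wg-intra";
  # One entry per host.  An entry carries `ipv4`, an optional
  # `persistentKeepalive`, a `peer` attrset (what the other hosts put in their
  # `peers` list, e.g. `allowedIPs`) and the remaining interface options.
  hosts = import wg-intra/hosts.nix;
  wg = config.networking.wireguard.interfaces.${iface};
  thisHost = hosts.${hostName};
  # Every other declared host becomes a peer of this one.
  otherHosts = removeAttrs hosts [ hostName ];
  # Build the `peers` entry for one remote host.  `peer.peer` is applied last,
  # so a keepalive set explicitly in that attrset wins over the fallback
  # chosen here.
  mkPeer = _name: peer:
    lib.recursiveUpdate
      { persistentKeepalive =
          peer.persistentKeepalive # Useful if this peer is behind a NAT
          or hosts.${hostName}.persistentKeepalive # Useful if this host is behind a NAT
          or null; }
      peer.peer;
in
{
  networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
    # The host's own entry, minus the keys that are not interface options.
    (removeAttrs thisHost [ "ipv4" "persistentKeepalive" "peer" ])
    {
      peers = lib.mapAttrsToList mkPeer otherHosts;
      # The key is read from a path outside this file; `private` is expected to
      # be a root-only directory rather than a Nix store path (store paths are
      # world-readable).  NOTE(review): what `private` resolves to is not
      # visible here — confirm at the call site.
      privateKeyFile = lib.mkDefault "${private}/${hostName}/wireguard/${iface}/privateKey";

      # Set the MTU to a minimum
      # (IPv4 requires at least 68 but it's 1280 for IPv6).
      # This prevents connections to stall on huge packets,
      # or delaying their initializing due to TCP PMTU probing.
      postSetup = ''
        ip link set dev ${iface} mtu 1280
      '';
    };

  # Resolve `<host>.wg` to each host's VPN address, plus the extra names served
  # by losurdo.  (The lambda parameter is deliberately not called `hostName`,
  # which would shadow this module's own argument.)
  networking.hosts = lib.mkMerge [
    (lib.mapAttrs' (name: host:
      lib.nameValuePair host.ipv4 [ "${name}.wg" ]) hosts)
    { "${hosts.losurdo.ipv4}" = [
        "nix-extracache.losurdo.wg"
        "nix-localcache.losurdo.wg"
      ]; }
  ];

  # SSH is only accepted on the VPN interface itself.  The WireGuard listen
  # port, when this host has one, has to be reachable from any interface so
  # that remote peers can initiate the tunnel.
  networking.firewall.extraCommands = ''
    ip46tables -A nixos-fw -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
  '' + lib.optionalString (wg.listenPort != null) ''
    ip46tables -A nixos-fw -i any -p udp -m udp --dport ${toString wg.listenPort} -j ACCEPT
  '';

  # fail2ban never bans an address a VPN host may use on the mesh (every
  # `allowedIPs` of every host, this one included).  Trade-off: a compromised
  # peer cannot be locked out by fail2ban, so peers are trusted as much as the
  # local host.
  services.fail2ban.ignoreIP =
    lib.concatMap (host: host.peer.allowedIPs) (lib.attrValues hosts);
}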