{ pkgs, hostName, ... }:
let
- peers = import ../../../nixos/profiles/wireguard/wg-intra/peers.nix;
- network = import ../networking/names-and-numbers.nix;
+ peers = import ../../nixos/profiles/wireguard/wg-intra/peers.nix;
+ network = import ./networking/names-and-numbers.nix;
in
{
systemd.services."wireguard-wg-intra".serviceConfig.LoadCredentialEncrypted = [
# FIXME: this is enough to connect to the LTE router,
# but not enough to connect the wg-intra hosts behind the LTE router.
systemd.services.fix-wireguard-behind-lte = {
- wantedBy = [ "multi-user.target" ];
- startAt = "*:0/5"; # every 5 min
- path = with pkgs; [ iproute2 curl /*gnused socat*/ ];
- unitConfig = { StartLimitIntervalSec = 0; };
+ after = [ "NetworkManager-wait-online.service" ];
+ requires = [ "NetworkManager-wait-online.service" ];
+ wantedBy = [ "network-online.target" ];
+ #startAt = "*:0/5"; # every 5 min
+ path = with pkgs; [
+ iproute2
+ curl # gnused socat
+ ];
+ unitConfig = {
+ StartLimitIntervalSec = 0;
+ };
serviceConfig = {
Type = "simple";
User = "root";
IPAddressAllow = [ peers.mermet.ipv4 ];
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
ExecStart = pkgs.writeShellScript "fix-wireguard-behind-lte" ''
- set -eux
- # FIXME: lift mermet's restriction of only one connection at a time
- #externalIP=$(socat - TCP:${peers.mermet.ipv4}:${toString peers.mermet.listenPort} |
- externalIP=$(curl -s4L https://icanhazip.com)
- test -z "''${externalIP-}" ||
- ip addr replace "$externalIP"/32 dev ${network.lteIface}
+ set -ux
+ while sleep 300; do
+ # FIXME: lift mermet's restriction of only one connection at a time
+ #externalIP=$(socat - TCP:${peers.mermet.ipv4}:${toString peers.mermet.listenPort} |
+ externalIP=$(curl -s4L https://icanhazip.com)
+ test -z "''${externalIP-}" ||
+ ip addr replace "$externalIP"/32 dev ${network.lteIface}
+ done
'';
Restart = "on-failure";
RestartSec = "30s";
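Review bot: Inside the new `while sleep 300` loop, the body of the `curl -s4L https://icanhazip.com` response is still handed as root to `ip addr replace` with no check that it is an IPv4 address. Because `-e` was dropped from `set -ux`, a failed fetch or a rejected address no longer fails the unit, so `Restart = "on-failure"` will rarely fire. I would add `--fail --max-time 10` to the curl call, so an HTTP error body is never used and a stalled request cannot block the loop indefinitely, and guard the assignment with something like `[[ "$externalIP" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || continue`. Separately, `IPAddressAllow` only restricts traffic when an `IPAddressDeny` is also set, and none is visible here; `serviceConfig` continues past the last line shown, so that is worth confirming.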