inxi: add to essentials
[julm/julm-nix.git] / hosts / aubergine / wireguard.nix
index 4ee79cfe846a14ad52fe95ffced8b600913588e5..b08faf7d49b22298d717abb7ce3535a4d8c75f4a 100644 (file)
@@ -16,8 +16,10 @@ in
   # FIXME: this is enough to connect to the LTE router,
   # but not enough to connect the wg-intra hosts behind the LTE router.
   systemd.services.fix-wireguard-behind-lte = {
-    wantedBy = [ "multi-user.target" ];
-    startAt = "*:0/5"; # every 5 min
+    after = [ "NetworkManager-wait-online.service" ];
+    requires = [ "NetworkManager-wait-online.service" ];
+    wantedBy = [ "network-online.target" ];
+    #startAt = "*:0/5"; # every 5 min
     path = with pkgs; [ iproute2 curl /*gnused socat*/ ];
     unitConfig = { StartLimitIntervalSec = 0; };
     serviceConfig = {
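Review bot: `requires = [ "NetworkManager-wait-online.service" ];` makes this unit's start depend on wait-online succeeding, and with `startAt` commented out there is no timer left to try again. A single wait-online timeout at boot (plausible on an LTE link) would leave the address fix-up not running until it is started by hand. `wants = [ "NetworkManager-wait-online.service" ];` together with the existing `after` keeps the ordering without the hard failure dependency. The dead `#startAt = "*:0/5";` line should be deleted or replaced with a comment such as `# 5-minute cadence now lives in the ExecStart loop`. The serviceConfig lines between the two hunks are not visible, so whether the unit's `Type` suits a script that never exits could not be checked.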
@@ -26,12 +28,14 @@ in
       IPAddressAllow = [ peers.mermet.ipv4 ];
       RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
       ExecStart = pkgs.writeShellScript "fix-wireguard-behind-lte" ''
-        set -eux
-        # FIXME: lift mermet's restriction of only one connection at a time
-        #externalIP=$(socat - TCP:${peers.mermet.ipv4}:${toString peers.mermet.listenPort} |
-        externalIP=$(curl -s4L https://icanhazip.com)
-        test -z "''${externalIP-}" ||
-        ip addr replace "$externalIP"/32 dev ${network.lteIface}
+        set -ux
+        while sleep 300; do
+          # FIXME: lift mermet's restriction of only one connection at a time
+          #externalIP=$(socat - TCP:${peers.mermet.ipv4}:${toString peers.mermet.listenPort} |
+          externalIP=$(curl -s4L https://icanhazip.com)
+          test -z "''${externalIP-}" ||
+          ip addr replace "$externalIP"/32 dev ${network.lteIface}
+        done
       '';
       Restart = "on-failure";
       RestartSec = "30s";
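Review bot: Inside the new loop, the body returned by a redirect-following request to a third-party service is passed to `ip addr replace` with no check that it is a single IPv4 address, so whatever that endpoint answers decides the address configured on the LTE interface. Dropping `-e` (`set -eux` became `set -ux`) also means a failing `curl` or `ip` no longer fails the unit, so `Restart = "on-failure"` never triggers and errors show up only in the `-x` trace. Suggest `externalIP=$(curl -sf4L --max-time 10 https://icanhazip.com) || continue` followed by `[[ $externalIP =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue` ahead of the `ip addr replace` line; the timeout keeps one hung request from stalling the loop. Note too that `while sleep 300; do` sleeps before the first lookup, so the address is first set five minutes after the service starts. If that delay is intentional, a comment should say so.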