table inet filter {
chain input-intra {
tcp dport { ssh, 2222 } counter accept comment "SSH"
- udp dport 60000-61000 counter accept comment "Mosh"
+ udp dport 60001-60010 counter accept comment "Mosh"
}
chain input-net {
}
chain output-lan {
tcp dport { ssh, 2222 } counter accept comment "SSH"
+ udp dport 60001-60100 counter accept comment "Mosh"
tcp dport bootps counter accept comment "DHCP"
+ tcp dport { 4444, 5555 } counter accept
}
chain output-intra {
tcp dport { ssh, 2222 } counter accept comment "SSH"
- udp dport 60001-60010 counter accept comment "Mosh"
+ udp dport 60001-60100 counter accept comment "Mosh"
tcp dport { http, https } counter accept comment "HTTP"
tcp dport git counter accept comment "Git"
}
chain output-net {
tcp dport { ssh, 2222 } counter accept comment "SSH"
- udp dport 60001-60010 counter accept comment "Mosh"
+ udp dport 60001-60100 counter accept comment "Mosh"
udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
tcp dport { http, https } counter accept comment "HTTP"
{ pkgs, lib, config, hostName, credentials, ... }:
let
- iface = "wg-intra";
+ wgIface = "wg-intra";
peers = import wg-intra/peers.nix;
- wg = config.networking.wireguard.interfaces.${iface};
+ wg = config.networking.wireguard.interfaces.${wgIface};
in
{
# Each peer select the other peers allowed to connect to it
-options.networking.wireguard.${iface}.peers =
+options.networking.wireguard.${wgIface}.peers =
lib.genAttrs (lib.attrNames peers) (peerName: {
enable = lib.mkEnableOption "this peer";
});
config = {
-systemd.services."wireguard-${iface}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${iface}/privateKey.secret";
-networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
+systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${wgIface}/privateKey.secret";
+networking.wireguard.interfaces.${wgIface} = lib.recursiveUpdate
(removeAttrs peers.${hostName} ["ipv4" "persistentKeepalive" "peer"])
{
peers =
}
peer.peer)
(removeAttrs
- (lib.filterAttrs (peerName: _: config.networking.wireguard.${iface}.peers.${peerName}.enable) peers)
+ (lib.filterAttrs (peerName: _: config.networking.wireguard.${wgIface}.peers.${peerName}.enable) peers)
[hostName]);
privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
# This prevents connections to stall on huge packets,
# or delaying their initializing due to TCP PMTU probing.
postSetup = ''
- ip link set dev ${iface} mtu 1280
+ ip link set dev ${wgIface} mtu 1280
'';
};
networking.hosts = lib.mkMerge [
networking.nftables.ruleset = lib.optionalString (wg.listenPort != null) ''
table inet filter {
chain input-lan {
- udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} input from peers"
+ udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${wgIface} input from peers"
}
chain input-net {
- udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} input from peers"
+ udp dport ${toString wg.listenPort} counter accept comment "Wireguard ${wgIface} input from peers"
}
chain input-intra {
${lib.optionalString (peers.${hostName}.peer.endpointsUpdater.enable or false) ''
- tcp dport ${toString peers.${hostName}.listenPort} ip daddr ${peers.${hostName}.ipv4} counter accept comment "Wireguard ${iface} from peers to endpointUpdater"
+ tcp dport ${toString peers.${hostName}.listenPort} ip daddr ${peers.${hostName}.ipv4} counter accept comment "Wireguard ${wgIface} from peers to endpointUpdater"
''
}
}
chain input {
- iifname ${iface} jump input-intra
- iifname ${iface} log level warn prefix "input-intra: " counter drop
+ iifname ${wgIface} jump input-intra
+ iifname ${wgIface} log level warn prefix "input-intra: " counter drop
}
chain output-lan {
- udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} output to peers"
+ udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${wgIface} output to peers"
}
chain output-net {
- udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${iface} output to peers"
+ udp sport ${toString wg.listenPort} counter accept comment "Wireguard ${wgIface} output to peers"
}
chain output-intra {
${lib.concatStringsSep "\n"
(lib.mapAttrsToList (peerName: peer: ''
- tcp dport ${toString peer.listenPort} ip daddr ${peer.ipv4} counter accept comment "Wireguard ${iface} to endpointUpdater ${peerName}"
+ tcp dport ${toString peer.listenPort} ip daddr ${peer.ipv4} counter accept comment "Wireguard ${wgIface} to endpointUpdater ${peerName}"
'')
(lib.filterAttrs (peerName: peer:
- config.networking.wireguard.${iface}.peers.${peerName}.enable &&
+ config.networking.wireguard.${wgIface}.peers.${peerName}.enable &&
(peers.${peerName}.peer.endpointsUpdater.enable or false))
peers))
}
}
chain output {
- oifname ${iface} jump output-intra
- oifname ${iface} log level warn prefix "output-intra: " counter drop
+ oifname ${wgIface} jump output-intra
+ oifname ${wgIface} log level warn prefix "output-intra: " counter drop
}
}
'';
services.fail2ban.ignoreIP = lib.concatMap
(host: host.peer.allowedIPs)
(lib.attrValues peers);
-networking.networkmanager.unmanaged = ["wg-intra"];
+networking.networkmanager.unmanaged = [ wgIface ];
+systemd.services.sshd.after = ["wireguard-${wgIface}.service"];
};
}
sourcephile / git / julm / julm-nix.git / commitdiff