aubergine: wg-intra: fix Wireguard behind LTE
authorJulien Moutinho <julm+julm-nix@sourcephile.fr>
Sat, 14 Jan 2023 00:51:26 +0000 (01:51 +0100)
committerJulien Moutinho <julm+julm-nix@sourcephile.fr>
Sat, 14 Jan 2023 00:56:05 +0000 (01:56 +0100)
hosts/aubergine/networking.nix
hosts/aubergine/wireguard/wg-intra.nix [new file with mode: 0644]

index 342b392e9e65b2df7d9fc0014eaf1d859c0563dc..0ef35f884af14b955f5e30c5f3df12ed076b445a 100644 (file)
@@ -8,6 +8,7 @@ with (import networking/names-and-numbers.nix);
     networking/wifi.nix
     networking/lte.nix
     networking/nftables.nix
+    wireguard/wg-intra.nix
     ../../nixos/profiles/dnscrypt-proxy2.nix
     ../../nixos/profiles/wireguard/wg-intra.nix
     ../../nixos/profiles/networking/ssh.nix
@@ -47,11 +48,4 @@ with (import networking/names-and-numbers.nix);
     "${wifiIPv4}.1:53"
   ];
 
-  networking.wireguard.wg-intra.peers = {
-    mermet.enable = true;
-    losurdo.enable = true;
-    oignon.enable = true;
-    patate.enable = true;
-  };
-
 }
diff --git a/hosts/aubergine/wireguard/wg-intra.nix b/hosts/aubergine/wireguard/wg-intra.nix
new file mode 100644 (file)
index 0000000..3dee8f7
--- /dev/null
@@ -0,0 +1,27 @@
+{ hostName, ... }:
+let
+  peers = import ../../../nixos/profiles/wireguard/wg-intra/peers.nix;
+  network = import ../networking/names-and-numbers.nix;
+in
+{
+  networking.wireguard.wg-intra.peers = {
+    mermet.enable = true;
+    losurdo.enable = true;
+    oignon.enable = true;
+    patate.enable = true;
+  };
+  systemd.services.fix-wireguard-behind-lte = {
+    wantedBy = [ "multi-user.target" ];
+    startAt = "*:0/5"; # every 5 min
+    path = with pkgs; [ gnused iproute2 socat ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = pkgs.writeShellScript "fix-wireguard-behind-lte" ''
+        set -eux
+        ip addr replace "$(socat - TCP:mermet.wg:${peers.mermet.listenPort} | sed -ne 's/^${peers.${hostName}.peer.publicKey}\s\([^:]*\):.*/\1/p')"/32 dev ${network.lteIface}
+      '';
+      Restart = "on-failure";
+      RestartSec = "30s";
+    };
+  };
+}
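Review bot: `pkgs` is referenced in the `path` and `ExecStart` attributes but the module header only binds `hostName`, so this file fails evaluation with an undefined variable; the header should read `{ hostName, pkgs, ... }:`. The sed expression on the `ip addr replace` line uses `/` as the `s` delimiter while a base64 WireGuard public key can itself contain `/`, which would cut the pattern short and silently match nothing; a delimiter outside the base64 alphabet avoids that, e.g. `sed -ne 's|^${peers.${hostName}.peer.publicKey}\s\([^:]*\):.*|\1|p'`. The value extracted by `[^:]*` is handed to `ip` unvalidated, and when no line matches the command degrades to `ip addr replace /32 dev …` and relies on `ip` rejecting it, so checking that the result is a dotted-quad IPv4 before calling `ip` (and failing with a clear message otherwise) would make the failure mode explicit rather than incidental. If `peers.mermet.listenPort` is an integer in peers.nix the interpolation also needs `toString`, since Nix does not coerce integers to strings — worth confirming against that file.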