hosts/losurdo/networking/wireguard/intranet.nix

   1 { pkgs, lib, config, inputs, ... }:
   2 let
   3   inherit (config.boot) initrd;
   4   iface = "wg-intra";
   5   wg = config.networking.wireguard.interfaces.${iface};
   6   wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
   7   relay = wg-intra-peers.mermet;
   8 in
   9 {
  10 imports = [
  11   (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
  12 ];
  13 networking.wireguard.${iface}.peers = {
  14   mermet.enable = true;
  15   oignon.enable = true;
  16   patate.enable = true;
  17   carotte.enable = true;
  18 };
  19 networking.wireguard.interfaces.${iface} = {
  20   privateKeyFile = "/root/secrets/wireguard/${iface}/privateKey";
  21 };
  22 systemd.services."wireguard-${iface}" = {
  23   unitConfig.Upholds = [ "upnpc-${toString wg.listenPort}.service" ];
  24 };
  25 networking.nftables.ruleset = ''
  26   # Allow initiating connection to and from other peers
  27   add rule inet filter fw2net udp sport ${toString wg.listenPort} counter accept comment "WireGuard ${iface} output to peers"
  28   add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "WireGuard ${iface} input from peers"
  29
  30   # Hook ${iface} into relevant chains
  31   add rule inet filter input  iifname "${iface}" jump intra2fw
  32   add rule inet filter input  iifname "${iface}" log level warn prefix "intra2fw: " counter drop
  33   add rule inet filter output oifname "${iface}" jump fw2intra
  34   add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop
  35
  36   # ${iface} firewalling
  37   add rule inet filter fw2intra counter accept
  38   ${lib.concatMapStringsSep "\n" (ip: ''
  39     add rule inet filter intra2fw ip saddr ${ip} counter accept comment "relay"
  40   '') relay.ips}
  41   add rule inet filter forward iifname "${iface}" jump fwd-intra
  42 '';
  43 # Apparently required to get NAT reflection.
  44 services.upnpc.redirections = [
  45   { description = "WireGuard"; externalPort = wg.listenPort; protocol = "UDP"; duration = 30 * 60;
  46     service.requiredBy = [ "wireguard-${iface}.service" ];
  47     service.before     = [ "wireguard-${iface}.service" ];
  48   }
  49 ];
  50 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  51
  52 # Open a wireguard tunnel to a relay
  53 # in case the host is hosted behind a NAT and has no SSH port forwarding.
  54 # This enables to send the disk password to the initrd, like that:
  55 # ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
  56 boot.initrd.secrets."/root/initrd/${iface}.key" = "/root/initrd/${iface}.key";
  57 boot.initrd.kernelModules = [ "wireguard" ];
  58 boot.initrd.extraUtilsCommands = ''
  59   #copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
  60   cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
  61 '';
  62 boot.initrd.network.postCommands = ''
  63   ip link add dev ${iface} type wireguard
  64   ${lib.concatMapStringsSep "\n" (ip: ''
  65     ip address add ${ip} dev ${iface}
  66   '') wg.ips}
  67   wg set ${iface} private-key /root/initrd/${iface}.key \
  68      listen-port ${toString wg.listenPort}
  69   ip link set up dev ${iface} mtu 1280
  70   wg set ${iface} peer ${relay.peer.publicKey} \
  71      endpoint ${relay.ipv4}:${toString relay.listenPort} \
  72      allowed-ips ${relay.ipv4}/32 \
  73      persistent-keepalive 5
  74   ip route replace ${relay.ipv4}/32 dev ${iface} table main
  75 '';
  76 boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
  77   ip link del dev ${iface}
  78 '';
  79 }