# NixOS module fragment for the WireGuard interface named by `wg`.
# NOTE(review): `wg` is not bound on any line shown here; presumably it is
# defined on one of the lines this listing omits — confirm.
1 { pkgs, lib, config, machines, machineName, wireguard, ... }:
3 inherit (builtins) hasAttr removeAttrs;
# `secrets` is the gnupg secrets set taken from this machine's config.
4 inherit (config.security.gnupg) secrets;
# Candidate peers: every machine except this one (machineName is removed
# first) whose extraArgs.wireguard has an entry for this interface.
# NOTE(review): hasAttr is applied to machine.extraArgs.wireguard itself, so a
# machine that has no `wireguard` attribute at all fails evaluation instead of
# being filtered out — confirm every machine defines it.
6 peers = lib.filterAttrs (peerName: machine:
7 hasAttr "${wg}" machine.extraArgs.wireguard
8 ) (removeAttrs machines [machineName]);
# Declare the interface's private key as a gnupg-managed secret, with no
# options overridden.
11 security.gnupg.secrets."wireguard/${wg}/privateKey" = {};
# Tie the WireGuard unit to the unit that provides the key: `after` orders it
# behind that unit and `requires` makes it a hard dependency, so the interface
# is not started without it.
12 systemd.services."wireguard-${wg}" = {
13 after = [ secrets."wireguard/${wg}/privateKey".service ];
14 requires = [ secrets."wireguard/${wg}/privateKey".service ];
# nftables rules added for this interface. The chains fw2net, fw2intra and
# intra2fw are not created in the lines shown here.
# - fw2net: accepts UDP to mermet's WireGuard listen port. The rule matches on
#   the destination port only, with no destination address.
#   NOTE(review): confirm whether a daddr match is wanted here.
# - input/output: traffic on the interface jumps to intra2fw / fw2intra; any
#   packet those chains return without a verdict is logged at warn level and
#   dropped by the rule that follows the jump.
# - fw2intra accepts everything that reaches it; the only accept this fragment
#   adds to intra2fw is for mermet's address on this interface as source.
16 networking.nftables.ruleset = ''
17 # Allow output connection of ${wg}
18 add rule inet filter fw2net udp dport ${toString machines.mermet.config.networking.wireguard.interfaces."${wg}".listenPort} counter accept comment "${wg}"
20 # Hook ${wg} to input and output chains
21 add rule inet filter input iifname "${wg}" jump intra2fw
22 add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
23 add rule inet filter output oifname "${wg}" jump fw2intra
24 add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop
27 add rule inet filter fw2intra counter accept
28 add rule inet filter intra2fw ip saddr ${machines.mermet.extraArgs.wireguard."${wg}".ipv4} counter accept comment "mermet"
# WireGuard interface definition for this machine.
30 networking.wireguard.interfaces."${wg}" = {
# This machine's tunnel address, taken from the `wireguard` module argument, as a /24.
31 ips = [ "${wireguard."${wg}".ipv4}/24" ];
# The key is referenced by the secret's file path instead of being written
# inline in this expression.
33 privateKeyFile = secrets."wireguard/${wg}/privateKey".path;
# Builds one peer entry per machine.
# NOTE(review): the attribute set this is mapped over is not on the lines
# shown; presumably it is `peers` — confirm.
35 lib.mapAttrsToList (peerName: machine:
36 let peer = machine.config.networking.wireguard.interfaces."${wg}"; in
# A /32 per peer: WireGuard accepts a peer only as the source of its own
# tunnel address, and routes only that address to it.
38 allowedIPs = ["${machine.extraArgs.wireguard."${wg}".ipv4}/32"];
# Endpoint is the peer's extraArgs.ipv4 plus the listenPort from that peer's
# own interface config.
39 endpoint = "${machine.extraArgs.ipv4}:${toString peer.listenPort}";
# Send a keepalive every 25 seconds.
40 persistentKeepalive = 25;
# NOTE(review): the function combining this set with the per-peer attributes
# below is on a line not shown; presumably publicKey comes from there — confirm.
41 } machine.extraArgs.wireguard."${wg}".peer
45 networking.hosts = lib.mapAttrs' (machineName: machine: lib.nameValuePair
46 machine.extraArgs.wireguard."${wg}".ipv4
47 [ "${machineName}.intranet" ]