wireguard: setup intranet
{ pkgs, lib, config, machines, machineName, wireguard, ... }:
# WireGuard "intranet" mesh for this machine: one interface, one peer entry per
# other machine that declares the same interface, plus the nftables rules that
# attach the interface to the host firewall.
let
  wg = "wg-intranet";
  listenPort = 43642;

  # The interface private key is a gnupg-managed secret.  Only its name is
  # declared here; the unit ordering and the decrypted file path are read back
  # from `config` below.
  privateKeySecret = "wireguard/${wg}/privateKey";
  secrets = config.security.gnupg.secrets;

  # Every machine other than this one that configures a ${wg} interface is a peer.
  otherMachines = builtins.removeAttrs machines [ machineName ];
  peers = lib.filterAttrs
    (_: m: builtins.hasAttr wg m.extraArgs.wireguard)
    otherMachines;

  # Intranet address a machine uses on ${wg}, as declared in its extraArgs.
  intranetIPv4 = m: m.extraArgs.wireguard.${wg}.ipv4;

  # WireGuard peer entry for one remote machine.  The defaults are the remote's
  # /32 intranet address, its public endpoint and a keepalive; the machine's
  # own `wireguard.${wg}.peer` attributes (presumably where its publicKey
  # lives — not visible from this file) are merged on top and win on conflict.
  mkPeer = _: m:
    let
      remoteIface = m.config.networking.wireguard.interfaces.${wg};
      defaults = {
        # A single /32: WireGuard only accepts packets with this source address
        # from the peer holding the matching key (and only routes that address
        # to it), which is what lets the intra2fw rule below rely on saddr.
        allowedIPs = [ "${intranetIPv4 m}/32" ];
        endpoint = "${m.extraArgs.ipv4}:${toString remoteIface.listenPort}";
        persistentKeepalive = 25;
      };
    in
    lib.recursiveUpdate defaults m.extraArgs.wireguard.${wg}.peer;
in
{
  security.gnupg.secrets.${privateKeySecret} = { };

  # Never bring the interface up before the private key has been decrypted:
  # the wireguard unit is ordered after, and hard-depends on, the secret's unit.
  systemd.services."wireguard-${wg}" = {
    after = [ secrets.${privateKeySecret}.service ];
    requires = [ secrets.${privateKeySecret}.service ];
  };

  # Host firewall integration.  Peers reach the tunnel through net2fw on the
  # listen port only.  Traffic arriving from the tunnel goes through intra2fw
  # and is logged then dropped unless accepted there — currently only packets
  # sourced from losurdo's intranet address are accepted.  Traffic leaving
  # towards the tunnel goes through fw2intra, which accepts everything.
  networking.nftables.ruleset = ''
    # Allow peers to connect to ${wg}
    add rule inet filter net2fw udp dport ${toString listenPort} counter accept comment "${wg}"

    # Hook ${wg} to input and output chains
    add rule inet filter input iifname "${wg}" jump intra2fw
    add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
    add rule inet filter output oifname "${wg}" jump fw2intra
    add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop

    # ${wg} firewalling
    add rule inet filter fw2intra counter accept
    add rule inet filter intra2fw ip saddr ${intranetIPv4 machines.losurdo} counter accept comment "losurdo"
  '';

  networking.wireguard.interfaces.${wg} = {
    ips = [ "${wireguard.${wg}.ipv4}/24" ];
    inherit listenPort;
    privateKeyFile = secrets.${privateKeySecret}.path;
    peers = lib.mapAttrsToList mkPeer peers;
  };

  # Resolve `<peer>.intranet` to that peer's intranet address.  The lambda
  # parameter is deliberately not called `machineName`, so it does not shadow
  # the module argument of the same name.
  networking.hosts = lib.mapAttrs'
    (peerName: m: lib.nameValuePair (intranetIPv4 m) [ "${peerName}.intranet" ])
    peers;
}