1 { pkgs, lib, config, machines, machineName, wireguard, ... }:
3 inherit (builtins) hasAttr removeAttrs;
4 inherit (config.security.gnupg) secrets;
7 peers = lib.filterAttrs (peerName: machine:
8 hasAttr "${wg}" machine.extraArgs.wireguard
9 ) (removeAttrs machines [machineName]);
12 security.gnupg.secrets."wireguard/${wg}/privateKey" = {};
13 systemd.services."wireguard-${wg}" = {
14 after = [ secrets."wireguard/${wg}/privateKey".service ];
15 requires = [ secrets."wireguard/${wg}/privateKey".service ];
17 networking.nftables.ruleset = ''
18 # Allow peers to connect to ${wg}
19 add rule inet filter net2fw udp dport ${toString listenPort} counter accept comment "${wg}"
21 # Hook ${wg} to input and output chains
22 add rule inet filter input iifname "${wg}" jump intra2fw
23 add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
24 add rule inet filter output oifname "${wg}" jump fw2intra
25 add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop
28 add rule inet filter fw2intra counter accept
29 add rule inet filter intra2fw ip saddr ${machines.losurdo.extraArgs.wireguard."${wg}".ipv4} counter accept comment "losurdo"
31 networking.wireguard.interfaces."${wg}" = {
32 ips = [ "${wireguard."${wg}".ipv4}/24" ];
34 privateKeyFile = secrets."wireguard/${wg}/privateKey".path;
36 lib.mapAttrsToList (peerName: machine:
37 let peer = machine.config.networking.wireguard.interfaces."${wg}"; in
39 allowedIPs = ["${machine.extraArgs.wireguard."${wg}".ipv4}/32"];
40 endpoint = "${machine.extraArgs.ipv4}:${toString peer.listenPort}";
41 persistentKeepalive = 25;
42 } machine.extraArgs.wireguard."${wg}".peer
45 networking.hosts = lib.mapAttrs' (machineName: machine: lib.nameValuePair
46 machine.extraArgs.wireguard."${wg}".ipv4
47 [ "${machineName}.intranet" ]