hosts/mermet/wireguard/wg-intra.nix

   1 { config, inputs, ... }:
   2 let
   3   wgIface = "wg-intra";
   4 in
   5 {
   6   imports = [
   7     (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}.nix")
   8   ];
   9   config = {
  10     systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = [
  11       "privateKey:${./. + "/${wgIface}/privateKey.cred"}"
  12     ];
  13     networking.wireguard.${wgIface}.peers = {
  14       aubergine.enable = true;
  15       losurdo.enable = true;
  16       oignon.enable = true;
  17       patate.enable = true;
  18     };
  19     networking.nftables.ruleset = ''
  20       table inet filter {
  21         chain input-intra {
  22           tcp dport ssh counter accept comment "SSH"
  23           udp dport 60000-60100 counter accept comment "Mosh"
  24         }
  25         chain output-intra {
  26           tcp dport ssh counter accept comment "SSH"
  27           udp dport 60000-60100 counter accept comment "Mosh"
  28           counter accept
  29         }
  30       }
  31     '';
  32   };
  33 }