hosts/mermet/wireguard/wg-intra.nix

   1 { config, inputs, ... }:
   2 let
   3   wgIface = "wg-intra";
   4 in
   5 {
   6   imports = [
   7     (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}.nix")
   8   ];
   9   config = {
  10     systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = [
  11       "privateKey:${./. + "/${wgIface}/privateKey.cred"}"
  12     ];
  13     networking.wireguard.${wgIface}.peers = {
  14       aubergine.enable = true;
  15       courge.enable = true;
  16       losurdo.enable = true;
  17       oignon.enable = true;
  18       patate.enable = true;
  19     };
  20     networking.nftables.ruleset = ''
  21       table inet filter {
  22         chain input-intra {
  23           tcp dport ssh counter accept comment "SSH"
  24           udp dport 60000-60100 counter accept comment "Mosh"
  25         }
  26         chain output-intra {
  27           tcp dport ssh counter accept comment "SSH"
  28           udp dport 60000-60100 counter accept comment "Mosh"
  29           counter accept
  30         }
  31       }
  32     '';
  33   };
  34 }