]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/wireguard/wg-intra.nix
reuse: update
[sourcephile-nix.git] / hosts / losurdo / wireguard / wg-intra.nix
1 { pkgs, lib, config, inputs, ... }:
2 let
3 inherit (config.boot) initrd;
4 netIface = "enp5s0";
5 wgIface = "wg-intra";
6 wg = config.networking.wireguard.interfaces.${wgIface};
7 wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
8 relay = wg-intra-peers.mermet;
9 in
10 {
11 imports = [
12 (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
13 ];
14 networking.wireguard.${wgIface}.peers = {
15 mermet.enable = true;
16 oignon.enable = true;
17 patate.enable = true;
18 carotte.enable = true;
19 aubergine.enable = true;
20 };
21 systemd.services."wireguard-${wgIface}" = {
22 unitConfig.Upholds = [ "upnpc-${toString wg.listenPort}.service" ];
23 };
24 networking.nftables.ruleset = ''
25 table inet filter {
26 chain input-intra {
27 tcp dport ssh counter accept comment "SSH"
28 udp dport 60000-61000 counter accept comment "Mosh"
29 }
30 chain output-intra {
31 tcp dport { ssh, 2222 } counter accept comment "SSH"
32 udp dport 60001-60010 counter accept comment "Mosh"
33 tcp dport { http, https } counter accept comment "HTTP"
34 tcp dport git counter accept comment "Git"
35 }
36 }
37 table inet nat {
38 chain postrouting {
39 iifname ${wgIface} oifname netIface masquerade
40 }
41 }
42 '';
43 # Apparently required to get NAT reflection.
44 services.upnpc.redirections = [
45 { description = "WireGuard"; externalPort = wg.listenPort; protocol = "UDP"; duration = 30 * 60;
46 service.requiredBy = [ "wireguard-${wgIface}.service" ];
47 service.before = [ "wireguard-${wgIface}.service" ];
48 }
49 ];
50 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
51
52 # Open a wireguard tunnel to a relay
53 # in case the host is hosted behind a NAT and has no SSH port forwarding.
54 # This enables to send the disk password to the initrd, like that:
55 # ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
56 # TODO: use a dedicated interface wg-initrd
57 boot.initrd.secrets."/root/initrd/${wgIface}.key" = "/run/credentials/wireguard-${wgIface}.service/privateKey";
58 boot.initrd.kernelModules = [ "wireguard" ];
59 boot.initrd.extraUtilsCommands = ''
60 #copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
61 cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
62 '';
63 boot.initrd.network.postCommands = ''
64 ip link add dev ${wgIface} type wireguard
65 ${lib.concatMapStringsSep "\n" (ip: ''
66 ip address add ${ip} dev ${wgIface}
67 '') wg.ips}
68 wg set ${wgIface} private-key /root/initrd/${wgIface}.key \
69 listen-port ${toString wg.listenPort}
70 ip link set up dev ${wgIface} mtu 1280
71 wg set ${wgIface} peer ${relay.peer.publicKey} \
72 endpoint ${relay.ipv4}:${toString relay.listenPort} \
73 allowed-ips ${relay.ipv4}/32 \
74 persistent-keepalive 5
75 ip route replace ${relay.ipv4}/32 dev ${wgIface} table main
76 '';
77 boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
78 ip link del dev ${wgIface}
79 '';
80 }