]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/networking/wireguard/extranet.nix
nftables: fix buggy ip6 nexthdr
[sourcephile-nix.git] / hosts / losurdo / networking / wireguard / extranet.nix
1 { pkgs, lib, config, hosts, hostName, credentials, ... }:
2 let
3 wg = "wg-extra";
4 listenPort = 16843;
5 in
6 {
7 networking.nftables.ruleset = ''
8 # Allow peers to initiate connection for ${wg}
9 add rule inet filter net2fw udp dport ${toString listenPort} counter accept comment "${wg}"
10
11 # forward
12 add chain inet filter fwd-extra
13 add rule inet filter fwd-extra counter accept
14 add rule inet filter forward iifname "${wg}" jump fwd-extra
15
16 # input
17 add chain inet filter extra2fw
18 add rule inet filter extra2fw counter accept
19 add rule inet filter input iifname "${wg}" jump extra2fw
20 add rule inet filter input iifname "${wg}" log level warn prefix "extra2fw: " counter drop
21
22 # output
23 add chain inet filter fw2extra
24 add rule inet filter fw2extra counter accept
25 add rule inet filter output oifname "${wg}" jump fw2extra
26 add rule inet filter output oifname "${wg}" log level warn prefix "fw2extra: " counter drop
27 '';
28 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
29 systemd.services."wireguard-${wg}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${wg}/privateKey.secret";
30 networking.wireguard.interfaces."${wg}" = {
31 # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
32 privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
33 ips = [ "192.168.43.1/32" ];
34 inherit listenPort;
35 socketNamespace = null;
36 /*
37 interfaceNamespace = "extra";
38 preSetup = ''
39 ${pkgs.iproute}/bin/ip netns add extra
40 '';
41 */
42 peers = [
43 { # julm-laptop
44 publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk=";
45 allowedIPs = [ "192.168.43.2/32" ];
46 }
47 { # julm-mobile
48 publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI=";
49 allowedIPs = [ "192.168.43.3/32" ];
50 }
51 ];
52 };
53 }