nftables: fix buggy ip6 nexthdr
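# NixOS module for this host's "wg-intra" WireGuard mesh: selects the peers
# it talks to and wires the tunnel interface into the host's nftables policy.
# The interface and peer definitions themselves come from the imported
# wg-intra profile in julm-nix; this file only enables peers and adds rules.
{ pkgs, lib, config, hostName, inputs, ... }:
let
  # Name of the tunnel interface as declared by the imported profile.
  iface = "wg-intra";
  # Interface config, read back to get the listen ports used in the ruleset.
  wg = config.networking.wireguard.interfaces.${iface};
  # Shared per-peer addressing table (IPv4 is the only field used below).
  wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
in
{
  imports = [
    (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
  ];
  config = {
    # Peers this host exchanges traffic with over the tunnel.
    # NOTE(review): `networking.wireguard.<iface>.peers.<name>.enable` is not a
    # stock NixOS option; presumably declared by the imported profile — confirm.
    networking.wireguard.${iface}.peers = {
      losurdo.enable = true;
      oignon.enable = true;
      patate.enable = true;
    };
    # Firewall policy for the tunnel:
    #  - net2fw: the WireGuard UDP listen port is open to any source (no saddr
    #    restriction), which is what lets remote peers initiate the handshake.
    #  - input/output: packets on the tunnel interface are sent to intra2fw /
    #    fw2intra and, if that chain returns without accepting, logged and
    #    dropped — i.e. default-deny per direction for the tunnel.
    #  - fw2intra accepts everything leaving through the tunnel.
    #  - intra2fw accepts the peers-announcing TCP port from any peer, and all
    #    traffic whose IPv4 source is losurdo's tunnel address. Trusting by
    #    source address inside the tunnel is only as strong as the profile's
    #    AllowedIPs binding that address to losurdo's key — assumed narrow,
    #    verify in the profile. No IPv6 counterpart is listed for losurdo.
    # The chains net2fw, intra2fw and fw2intra are not created here; they must
    # already exist in the inet filter table (created by another module).
    networking.nftables.ruleset = ''
      # Allow peers to initiate connection for ${iface}
      add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface}"

      # Hook ${iface} into relevant chains
      add rule inet filter input iifname "${iface}" jump intra2fw
      add rule inet filter input iifname "${iface}" log level warn prefix "intra2fw: " counter drop
      add rule inet filter output oifname "${iface}" jump fw2intra
      add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop

      # ${iface} firewalling
      add rule inet filter fw2intra counter accept
      add rule inet filter intra2fw tcp dport ${toString wg.peersAnnouncing.listenPort} counter accept comment "WireGuard peers announcing"
      add rule inet filter intra2fw ip saddr ${wg-intra-peers.losurdo.ipv4} counter accept comment "losurdo"
    '';
  };
}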