hosts/losurdo/wireguard/wg-intra.nix

   1 { pkgs, lib, config, inputs, ... }:
   2 let
   3   inherit (config.boot) initrd;
   4   wgIface = "wg-intra";
   5   wg = config.networking.wireguard.interfaces.${wgIface};
   6   wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
   7   relay = wg-intra-peers.mermet;
   8 in
   9 {
  10   imports = [
  11     (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
  12   ];
  13   systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = [
  14     "privateKey:${./. + "/${wgIface}/privateKey.cred"}"
  15   ];
  16   networking.wireguard.${wgIface}.peers = {
  17     mermet.enable = true;
  18     oignon.enable = true;
  19     patate.enable = true;
  20     carotte.enable = true;
  21     aubergine.enable = true;
  22   };
  23   systemd.services."wireguard-${wgIface}" = {
  24     unitConfig.Upholds = [ "upnpc-${toString wg.listenPort}.service" ];
  25   };
  26   networking.nftables.ruleset = ''
  27     table inet filter {
  28       chain input-intra {
  29         tcp dport ssh counter accept comment "SSH"
  30         udp dport 60000-61000 counter accept comment "Mosh"
  31       }
  32       chain output-intra {
  33         tcp dport { ssh, 2222 } counter accept comment "SSH"
  34         udp dport 60001-60010 counter accept comment "Mosh"
  35         tcp dport { http, https } counter accept comment "HTTP"
  36         tcp dport git counter accept comment "Git"
  37       }
  38     }
  39     table inet nat {
  40       chain postrouting {
  41         iifname ${wgIface} oifname netIface masquerade
  42       }
  43     }
  44   '';
  45   # Apparently required to get NAT reflection.
  46   services.upnpc.enable = true;
  47   services.upnpc.redirections = [
  48     {
  49       description = "WireGuard";
  50       externalPort = wg.listenPort;
  51       protocol = "UDP";
  52       duration = 30 * 60;
  53       service.requiredBy = [ "wireguard-${wgIface}.service" ];
  54       service.before = [ "wireguard-${wgIface}.service" ];
  55     }
  56   ];
  57   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  58
  59   # Open a wireguard tunnel to a relay
  60   # in case the host is hosted behind a NAT and has no SSH port forwarding.
  61   # This enables to send the disk password to the initrd, like that:
  62   # ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
  63   # TODO: use a dedicated interface wg-initrd
  64   boot.initrd.secrets."/root/initrd/${wgIface}.key" = "/run/credentials/wireguard-${wgIface}.service/privateKey";
  65   boot.initrd.kernelModules = [ "wireguard" ];
  66   boot.initrd.extraUtilsCommands = ''
  67     #copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
  68     cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
  69   '';
  70   boot.initrd.network.postCommands = ''
  71     ip link add dev ${wgIface} type wireguard
  72     ${lib.concatMapStringsSep "\n" (ip: ''
  73       ip address add ${ip} dev ${wgIface}
  74     '') wg.ips}
  75     wg set ${wgIface} private-key /root/initrd/${wgIface}.key \
  76        listen-port ${toString wg.listenPort}
  77     ip link set up dev ${wgIface} mtu 1280
  78     wg set ${wgIface} peer ${relay.peer.publicKey} \
  79        endpoint ${relay.ipv4}:${toString relay.listenPort} \
  80        allowed-ips ${relay.ipv4}/32 \
  81        persistent-keepalive 5
  82     ip route replace ${relay.ipv4}/32 dev ${wgIface} table main
  83   '';
  84   boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
  85     ip link del dev ${wgIface}
  86   '';
  87 }