]> Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/networking/wireguard/extranet.nix
nix: factorize security.gnupg.store
[sourcephile-nix.git] / machines / losurdo / networking / wireguard / extranet.nix
1 { pkgs, lib, config, machines, machineName, ... }:
2 let
3 inherit (config.security) gnupg;
4 wg = "wg-extra";
5 listenPort = 16843;
6 in
7 {
8 security.gnupg.secrets."wireguard/${wg}/privateKey" = {};
9 systemd.services."wireguard-${wg}" = {
10 after = [ gnupg.secrets."wireguard/${wg}/privateKey".service ];
11 requires = [ gnupg.secrets."wireguard/${wg}/privateKey".service ];
12 };
13 networking.nftables.ruleset = ''
14 # Allow peers to initiate connection for ${wg}
15 add rule inet filter net2fw udp dport ${toString listenPort} counter accept comment "${wg}"
16
17 # foward
18 add chain inet filter fwd-extra
19 add rule inet filter fwd-extra counter accept
20 add rule inet filter forward iifname "${wg}" jump fwd-extra
21
22 # input
23 add chain inet filter extra2fw
24 add rule inet filter extra2fw counter accept
25 add rule inet filter input iifname "${wg}" jump extra2fw
26 add rule inet filter input iifname "${wg}" log level warn prefix "extra2fw: " counter drop
27
28 # output
29 add chain inet filter fw2extra
30 add rule inet filter fw2extra counter accept
31 add rule inet filter output oifname "${wg}" jump fw2extra
32 add rule inet filter output oifname "${wg}" log level warn prefix "fw2extra: " counter drop
33 '';
34 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
35 networking.wireguard.interfaces."${wg}" = {
36 # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
37 privateKeyFile = gnupg.secrets."wireguard/${wg}/privateKey".path;
38 ips = [ "192.168.43.1/32" ];
39 inherit listenPort;
40 socketNamespace = null;
41 /*
42 interfaceNamespace = "extra";
43 preSetup = ''
44 ${pkgs.iproute}/bin/ip netns add extra
45 '';
46 */
47 peers = [
48 { # julm-laptop
49 publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk=";
50 allowedIPs = [ "192.168.43.2/32" ];
51 }
52 { # julm-mobile
53 publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI=";
54 allowedIPs = [ "192.168.43.3/32" ];
55 }
56 ];
57 };
58 }