]> Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/networking/wireguard/intranet.nix
nix: factorize security.gnupg.store
[sourcephile-nix.git] / machines / losurdo / networking / wireguard / intranet.nix
1 { pkgs, lib, config, machines, machineName, wireguard, ... }:
2 let
3 inherit (builtins) hasAttr removeAttrs;
4 inherit (config.security) gnupg;
5 inherit (config.boot) initrd;
6 wg = "wg-intra";
7 relay = machines.mermet.extraArgs.wireguard."${wg}";
8 peers = lib.filterAttrs (peerName: machine:
9 hasAttr "${wg}" machine.extraArgs.wireguard
10 ) (removeAttrs machines [machineName]);
11 in
12 {
13 security.gnupg.secrets."wireguard/${wg}/privateKey" = {};
14 systemd.services."wireguard-${wg}" = {
15 after = [ gnupg.secrets."wireguard/${wg}/privateKey".service ];
16 requires = [ gnupg.secrets."wireguard/${wg}/privateKey".service ];
17 };
18 networking.nftables.ruleset = ''
19 # Allow initiating connection for ${wg}
20 add rule inet filter fw2net ip daddr ${machines.mermet.extraArgs.ipv4} udp dport ${toString relay.listenPort} counter accept comment "${wg}"
21 #add rule inet filter fw2net udp sport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}"
22 # Allow peers to initiate connection for ${wg}
23 #add rule inet filter net2fw udp dport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}"
24
25 # Hook ${wg} into relevant chains
26 add rule inet filter input iifname "${wg}" jump intra2fw
27 add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
28 add rule inet filter output oifname "${wg}" jump fw2intra
29 add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop
30
31 # ${wg} firewalling
32 add rule inet filter fw2intra counter accept
33 add rule inet filter intra2fw ip saddr ${relay.ipv4} counter accept comment "relay"
34 add rule inet filter forward iifname "${wg}" jump fwd-intra
35 '';
36 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
37 networking.wireguard.interfaces."${wg}" = {
38 ips = [ "${wireguard."${wg}".ipv4}/24" ];
39 listenPort = wireguard."${wg}".listenPort;
40 privateKeyFile = gnupg.secrets."wireguard/${wg}/privateKey".path;
41 peers = lib.mapAttrsToList (peerName: machine:
42 machine.extraArgs.wireguard."${wg}".peer //
43 { inherit (wireguard."${wg}") persistentKeepalive; }
44 ) peers;
45 };
46 networking.hosts = lib.mapAttrs' (machineName: machine: lib.nameValuePair
47 machine.extraArgs.wireguard."${wg}".ipv4
48 [ "${machineName}.intranet" ]
49 ) peers;
50
51 # Open a wireguard tunnel to a relay
52 # in case the machine is hosted behind a NAT and has no SSH port forwarding.
53 # This enables to send the disk password to the initrd, like that:
54 # ssh -J mermet.sourcephile.fr root@losurdo.intranet -p 2222
55 boot.initrd.secrets."/root/initrd/${wg}.key" = "/root/initrd/${wg}.key";
56 /*
57 installer.ssh-nixos.script = ''
58 # Send the wireguard key of the initrd
59 gpg --decrypt '${gnupg.store}/wireguard/${wg}/privateKey.gpg' |
60 ssh '${config.installer.ssh-nixos.target}' \
61 install -D -m 400 -o root -g root /dev/stdin /root/initrd/${wg}.key
62 '';
63 */
64 boot.initrd.kernelModules = [ "wireguard" ];
65 boot.initrd.extraUtilsCommands = ''
66 #copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
67 cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
68 '';
69 boot.initrd.network.postCommands = ''
70 ip link add dev ${wg} type wireguard
71 ip address add ${wireguard."${wg}".ipv4}/24 dev ${wg}
72 wg set ${wg} private-key /root/initrd/${wg}.key \
73 listen-port ${toString wireguard."${wg}".listenPort}
74 ip link set up dev ${wg}
75 wg set ${wg} peer ${relay.peer.publicKey} \
76 endpoint ${machines.mermet.extraArgs.ipv4}:${toString relay.listenPort} \
77 allowed-ips ${relay.ipv4}/32 \
78 persistent-keepalive 5
79 ip route replace ${relay.ipv4}/32 dev ${wg} table main
80 '';
81 boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
82 ip link del dev ${wg}
83 '';
84 }