1 { pkgs, lib, config, hosts, hostName, credentials, ... }:
 
   7 networking.nftables.ruleset = ''
 
   8   # Allow peers to initiate connection for ${wg}
 
   9   add rule inet filter net2fw udp dport ${toString listenPort} counter accept comment "${wg}"
 
  12   add chain inet filter fwd-extra
 
  13   add rule  inet filter fwd-extra counter accept
 
  14   add rule  inet filter forward iifname "${wg}" jump fwd-extra
 
  17   add chain inet filter extra2fw
 
  18   add rule  inet filter extra2fw counter accept
 
  19   add rule  inet filter input iifname "${wg}" jump extra2fw
 
  20   add rule  inet filter input iifname "${wg}" log level warn prefix "extra2fw: " counter drop
 
  23   add chain inet filter fw2extra
 
  24   add rule  inet filter fw2extra counter accept
 
  25   add rule  inet filter output oifname "${wg}" jump fw2extra
 
  26   add rule  inet filter output oifname "${wg}" log level warn prefix "fw2extra: " counter drop
 
  28 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 
  # Hand the WireGuard private key to the wireguard-${wg} unit as a systemd
  # encrypted credential named "privateKey" (decrypted by systemd for this unit
  # and exposed under $CREDENTIALS_DIRECTORY). The interface definition below
  # reads it as "$CREDENTIALS_DIRECTORY/privateKey", so the two names must stay
  # in sync. NOTE(review): ${credentials} is a module argument; presumably it
  # points outside the Nix store — confirm, since the whole point of the
  # encrypted credential is that the plaintext key is never world-readable.
  29 systemd.services."wireguard-${wg}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${wg}/privateKey.secret";
 
  30 networking.wireguard.interfaces."${wg}" = {
 
  31   # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
 
  32   privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
 
  33   ips = [ "192.168.43.1/32" ];
 
  35   socketNamespace = null;
 
  37   interfaceNamespace = "extra";
 
  39     ${pkgs.iproute}/bin/ip netns add extra
 
  44       publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk=";
 
  45       allowedIPs = [ "192.168.43.2/32" ];
 
  48       publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI=";
 
  49       allowedIPs = [ "192.168.43.3/32" ];