# NixOS module function; besides pkgs/lib/config it takes hostName and an `inputs` set (presumably flake inputs).
# NOTE(review): this listing skips lines (the gutter jumps 1, 3, 5, 6, 10, ...), so `let`/`in`,
# the binding of `iface` and the opening of the surrounding list for line 10 are not visible here.
1 { pkgs, lib, config, hostName, inputs, ... }:
# Bring config.security.gnupg.secrets into scope as `secrets`; its entries are read further down
# through their `.path` and `.service` attributes.
3 inherit (config.security.gnupg) secrets;
# Shorthand for this interface's WireGuard options; listenPort and peersAnnouncing.listenPort
# are read from it when the firewall rules are generated.
5 wg = config.networking.wireguard.interfaces.${iface};
# Host table imported from the julm-nix input. The firewall rules take losurdo's IPv4 address
# from it, so what that rule trusts follows whatever revision of the input is in use
# (presumably pinned by a lock file; confirm).
6 wg-intra-hosts = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/hosts.nix");
# Shared wg-intra profile from the same input, presumably an element of `imports`; the peer
# definitions (public keys, allowed addresses) are not in the visible lines and are likely there. Verify.
10 (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
# The interface's private key is referenced by file path, taken from the gnupg secret entry,
# instead of being written inline in the configuration.
13 networking.wireguard.interfaces.${iface} = {
14 privateKeyFile = secrets."wireguard/${iface}/privateKey".path;
# Declare the secret with an empty attrset, i.e. every option left at the security.gnupg module's default.
# NOTE(review): owner and mode of the decrypted file are therefore whatever that module defaults to;
# confirm the file is readable by root only.
16 security.gnupg.secrets."wireguard/${iface}/privateKey" = {};
# Tie the interface unit to the unit named by the secret's `.service`: `after` orders it behind that
# unit and `requires` makes it a hard dependency, so the interface is not brought up unless that unit
# starts. Presumably that unit is what decrypts the key to `.path`; confirm in the security.gnupg module.
17 systemd.services."wireguard-${iface}" = {
18 after = [ secrets."wireguard/${iface}/privateKey".service ];
19 requires = [ secrets."wireguard/${iface}/privateKey".service ];
# nftables rules contributed for ${iface}. The `inet filter` table and the chains net2fw, intra2fw and
# fw2intra are only referenced here; they are defined outside the visible lines, and the string may
# continue past the last line shown.
#  - net2fw: accept UDP to the WireGuard listen port, so peers can initiate the tunnel.
#  - input/output on ${iface}: jump to intra2fw / fw2intra; a packet that returns from the chain
#    without a verdict hits the log-and-drop rule right after the jump (default deny, with a log prefix).
#  - fw2intra: the rule added here accepts everything, so outbound traffic into the tunnel is unfiltered
#    as far as these lines go.
#  - intra2fw: the peers-announcing TCP port is accepted from any tunnel source (no saddr restriction),
#    and ALL traffic, any protocol and port, is accepted when the source is losurdo's IPv4 address.
# NOTE(review): the `ip saddr` match is only as trustworthy as the WireGuard allowed-IPs of the losurdo
# peer. If another peer is allowed to source that address, it inherits the blanket accept. Confirm in
# the wg-intra profile, and consider narrowing the rule to the ports losurdo actually needs.
# NOTE(review): `ip saddr` matches IPv4 only; IPv6 arriving on ${iface} can match just the TCP rule.
21 networking.nftables.ruleset = ''
22 # Allow peers to initiate connection for ${iface}
23 add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface}"
25 # Hook ${iface} into relevant chains
26 add rule inet filter input iifname "${iface}" jump intra2fw
27 add rule inet filter input iifname "${iface}" log level warn prefix "intra2fw: " counter drop
28 add rule inet filter output oifname "${iface}" jump fw2intra
29 add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop
31 # ${iface} firewalling
32 add rule inet filter fw2intra counter accept
33 add rule inet filter intra2fw tcp dport ${toString wg.peersAnnouncing.listenPort} counter accept comment "WireGuard peers announcing"
34 add rule inet filter intra2fw ip saddr ${wg-intra-hosts.losurdo.ipv4} counter accept comment "losurdo"