]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/wireguard/wg-intra.nix
Add given password for hosts/mermet/knot/sourcephile.fr/lebureau.conf to store.
[sourcephile-nix.git] / hosts / losurdo / wireguard / wg-intra.nix
1 { pkgs, lib, config, inputs, hostName, ... }:
2 let
3 inherit (config.boot) initrd;
4 wgIface = "wg-intra";
5 peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}/peers.nix");
6 in
7 {
8 # Open a wireguard tunnel to a relay
9 # in case the host is hosted behind a NAT and has no SSH port forwarding.
10 # This enables to send the disk password to the initrd, like that:
11 # ssh -J mermet.sp root@losurdo.sp -p 2222
12 # TODO: use a dedicated interface wg-initrd
13 security.initrd.secrets."${hostName}/wireguard/${wgIface}/privateKey" =
14 "hosts/${hostName}/wireguard/${wgIface}/privateKey.gpg";
15 boot.initrd.kernelModules = [ "wireguard" ];
16 boot.initrd.network.flushBeforeStage2 = true;
17 boot.initrd.systemd = {
18 initrdBin = [
19 pkgs.iproute2
20 pkgs.iputils
21 pkgs.wireguard-tools
22 ];
23 services.systemd-networkd = {
24 serviceConfig.LoadCredential = [ "${wgIface}.key:${config.security.initrd.stage1Dir}/${hostName}/wireguard/${wgIface}/privateKey" ];
25 };
26 network = {
27 netdevs = {
28 "50-${wgIface}" = {
29 netdevConfig = {
30 Kind = "wireguard";
31 Name = wgIface;
32 MTUBytes = "1280";
33 };
34 wireguardConfig = {
35 PrivateKeyFile = "/run/credentials/systemd-networkd.service/${wgIface}.key";
36 ListenPort = peers.${hostName}.listenPort;
37 };
38 wireguardPeers = [
39 {
40 wireguardPeerConfig = with peers.mermet.peer; {
41 AllowedIPs = allowedIPs;
42 Endpoint = endpoint;
43 PersistentKeepalive = peers.${hostName}.persistentKeepalive;
44 PublicKey = publicKey;
45 };
46 }
47 {
48 wireguardPeerConfig = with peers.oignon.peer; {
49 AllowedIPs = allowedIPs;
50 PersistentKeepalive = peers.${hostName}.persistentKeepalive;
51 PublicKey = publicKey;
52 };
53 }
54 ];
55 };
56 };
57 networks.${wgIface} = {
58 name = wgIface;
59 address = peers.${hostName}.ips;
60 /*
61 networkConfig = {
62 IPMasquerade = "ipv4";
63 IPForward = true;
64 };
65 */
66 };
67 };
68 };
69 }