hosts/losurdo/wireguard/wg-intra.nix

   1 { pkgs, lib, config, inputs, hostName, ... }:
   2 let
   3   inherit (config.boot) initrd;
   4   wgIface = "wg-intra";
   5   peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}/peers.nix");
   6 in
   7 {
   8   # Open a wireguard tunnel to a relay
   9   # in case the host is hosted behind a NAT and has no SSH port forwarding.
  10   # This enables to send the disk password to the initrd, like that:
  11   # ssh -J mermet.sp root@losurdo.sp -p 2222
  12   # TODO: use a dedicated interface wg-initrd
  13   security.initrd.secrets."${hostName}/wireguard/${wgIface}/privateKey" =
  14     "hosts/${hostName}/wireguard/${wgIface}/privateKey.gpg";
  15   boot.initrd.kernelModules = [ "wireguard" ];
  16   boot.initrd.network.flushBeforeStage2 = true;
  17   boot.initrd.systemd = {
  18     initrdBin = [
  19       pkgs.iproute2
  20       pkgs.iputils
  21       pkgs.wireguard-tools
  22     ];
  23     services.systemd-networkd = {
  24       serviceConfig.LoadCredential = [ "${wgIface}.key:${config.security.initrd.stage1Dir}/${hostName}/wireguard/${wgIface}/privateKey" ];
  25     };
  26     network = {
  27       netdevs = {
  28         "50-${wgIface}" = {
  29           netdevConfig = {
  30             Kind = "wireguard";
  31             Name = wgIface;
  32             MTUBytes = "1280";
  33           };
  34           wireguardConfig = {
  35             PrivateKeyFile = "/run/credentials/systemd-networkd.service/${wgIface}.key";
  36             ListenPort = peers.${hostName}.listenPort;
  37           };
  38           wireguardPeers = [
  39             {
  40               wireguardPeerConfig = with peers.mermet.peer; {
  41                 AllowedIPs = allowedIPs;
  42                 Endpoint = endpoint;
  43                 PersistentKeepalive = peers.${hostName}.persistentKeepalive;
  44                 PublicKey = publicKey;
  45               };
  46             }
  47             {
  48               wireguardPeerConfig = with peers.oignon.peer; {
  49                 AllowedIPs = allowedIPs;
  50                 PersistentKeepalive = peers.${hostName}.persistentKeepalive;
  51                 PublicKey = publicKey;
  52               };
  53             }
  54           ];
  55         };
  56       };
  57       networks.${wgIface} = {
  58         name = wgIface;
  59         address = peers.${hostName}.ips;
  60         /*
  61         networkConfig = {
  62           IPMasquerade = "ipv4";
  63           IPForward = true;
  64         };
  65         */
  66       };
  67     };
  68   };
  69 }