# WireGuard "wg-intra" tunnel for host losurdo.
#
# Three pieces live here:
#   1. the private key for the running system, loaded as a systemd *encrypted*
#      credential (never the raw key in this repo);
#   2. NAT plumbing (nftables masquerade + a UPnP port mapping) so the tunnel
#      works when this host sits behind a consumer router;
#   3. an initrd-time tunnel to the relay peer, so the disk password can be sent
#      to the initrd over SSH even without an inbound port forward.
{ pkgs, lib, config, inputs, ... }:
let
  # NOTE(review): `initrd` is not referenced anywhere below; it looks unused here.
  inherit (config.boot) initrd;
  wgIface = "wg-intra";
  # The evaluated interface config from the imported profile; only listenPort
  # and ips are read below.
  wg = config.networking.wireguard.interfaces.${wgIface};
  # Peer table (public keys, tunnel addresses) shared across hosts via the
  # julm-nix flake input.
  wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
  # The single peer the initrd tunnel is allowed to talk to.
  relay = wg-intra-peers.mermet;
in
{
  imports = [
    (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
  ];
  systemd.services."wireguard-${wgIface}" = {
    serviceConfig = {
      # Interpolating a Nix path into a string copies the file into the
      # world-readable /nix/store. That is acceptable only because
      # privateKey.cred is the systemd-encrypted form (decrypted by systemd at
      # unit start into /run/credentials/wireguard-wg-intra.service/privateKey);
      # the plaintext key must never be referenced this way.
      LoadCredentialEncrypted = [ "privateKey:${./. + "/${wgIface}/privateKey.cred"}" ];
    };
    unitConfig = {
      # Keep the UPnP mapping unit (presumably generated by services.upnpc
      # below, named after the listen port) running while the tunnel is up.
      Upholds = [ "upnpc-${toString wg.listenPort}.service" ];
    };
  };
  # NOTE(review): this is `networking.wireguard.<iface>.peers`, not
  # `networking.wireguard.interfaces.<iface>.peers` as used for `wg` above.
  # Presumably an option declared by the imported wg-intra.nix profile; confirm
  # it is declared, otherwise the module system would reject it rather than
  # silently ignore it.
  networking.wireguard.${wgIface}.peers = {
    mermet.enable = true;
    oignon.enable = true;
    patate.enable = true;
    carotte.enable = true;
    aubergine.enable = true;
  };
  # Firewall policy for the tunnel. The input-intra/output-intra chains are not
  # hooked to a base chain here, so the imported profile is expected to jump to
  # them for traffic on ${wgIface} (not visible in this file — confirm).
  # Inbound from peers: only SSH and the Mosh UDP range are accepted.
  #
  # NOTE(review): in the nat postrouting rule, `netIface` sits inside the Nix
  # string literal — it is neither a Nix `${...}` interpolation nor an nftables
  # `$netIface` define reference — so nftables matches an interface literally
  # named "netIface" and the masquerade rule will never hit the real uplink.
  # Verify with `nft list ruleset` on the host and substitute the actual
  # uplink interface name (or `$define`) if that is the case.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-intra {
        tcp dport ssh counter accept comment "SSH"
        udp dport 60000-61000 counter accept comment "Mosh"
      }
      chain output-intra {
        tcp dport { ssh, 2222 } counter accept comment "SSH"
        udp dport 60001-60010 counter accept comment "Mosh"
        tcp dport { http, https } counter accept comment "HTTP"
        tcp dport git counter accept comment "Git"
      }
    }
    table inet nat {
      chain postrouting {
        iifname ${wgIface} oifname netIface masquerade
      }
    }
  '';
  # Apparently required to get NAT reflection.
  services.upnpc.enable = true;
  services.upnpc.redirections = [
    {
      description = "WireGuard";
      # Map the tunnel's listen port on the router so peers can initiate to us.
      externalPort = wg.listenPort;
      protocol = "UDP";
      # Lease length of the mapping (presumably seconds); it is refreshed while
      # the tunnel service upholds the upnpc unit.
      duration = 30 * 60;
      # Establish the mapping before the tunnel comes up, and pull it in with it.
      service.requiredBy = [ "wireguard-${wgIface}.service" ];
      service.before = [ "wireguard-${wgIface}.service" ];
    }
  ];
  # Needed for the masquerade rule above to forward peer traffic to the uplink.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Open a wireguard tunnel to a relay
  # in case the host is hosted behind a NAT and has no SSH port forwarding.
  # This enables to send the disk password to the initrd, like that:
  #   ssh -J mermet.wg root@losurdo.wg -p 2222
  # TODO: use a dedicated interface wg-initrd
  #
  # Security caveats (review):
  # - The source path is the credential decrypted by LoadCredentialEncrypted
  #   above, so it only exists while wireguard-wg-intra.service is running; the
  #   initrd secret can only be (re)appended while that unit is active.
  # - NixOS appends initrd secrets to the initrd image at boot-loader install
  #   time, and that image normally lives on the unencrypted boot partition.
  #   The *decrypted* wg-intra key therefore sits at rest in plaintext there,
  #   which defeats the at-rest protection LoadCredentialEncrypted gives the
  #   running system: anyone who can read /boot can impersonate this host on
  #   wg-intra. Confirm how /boot is protected, and prefer a separate
  #   initrd-only key pair (the TODO above) so that exposure is bounded to the
  #   initrd tunnel.
  boot.initrd.secrets."/root/initrd/${wgIface}.key" = "/run/credentials/wireguard-${wgIface}.service/privateKey";
  boot.initrd.kernelModules = [ "wireguard" ];
  # networkd-based initrd tunnel (the stage-2 tunnel is the
  # networking.wireguard interface above). Same key and listen port as stage 2.
  systemd.network = {
    netdevs = {
      "50-${wgIface}" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = wgIface;
          # Conservative MTU for a tunnel whose outer path is unknown at boot.
          MTUBytes = "1280";
        };
        wireguardConfig = {
          # Path of the initrd secret declared above.
          PrivateKeyFile = "/root/initrd/${wgIface}.key";
          ListenPort = wg.listenPort;
        };
        wireguardPeers = [
          {
            wireguardPeerConfig = {
              PublicKey = relay.peer.publicKey;
              # Least privilege: only the relay's own address is routed through
              # the initrd tunnel, nothing else on wg-intra is reachable from it.
              AllowedIPs = [ "${relay.ipv4}/32" ];
              # Frequent keepalives so the NAT binding to the relay stays open
              # and the relay can reach the initrd's SSH.
              PersistentKeepalive = 5;
            };
          }
        ];
      };
    };
    # The attribute name is the literal `wgIface` (not interpolated); it only
    # names the generated .network unit. The interface is matched by `name`.
    networks.wgIface = {
      name = wgIface;
      address = wg.ips;
    };
  };
}