hosts/losurdo/networking/wireguard/intranet.nix

   1 { pkgs, lib, config, hosts, hostName, wireguard, ... }:
   2 let
   3   inherit (builtins) hasAttr removeAttrs;
   4   inherit (config.security) gnupg;
   5   inherit (config.boot) initrd;
   6   wg = "wg-intra";
   7   relay = hosts.mermet.extraArgs.wireguard.${wg};
   8   peers = lib.filterAttrs (peerName: host:
   9     hasAttr "${wg}" host.extraArgs.wireguard
  10     ) (removeAttrs hosts [hostName]) // {
  11     "oignon".extraArgs.wireguard.${wg} = rec {
  12       ipv4 = "192.168.42.3";
  13       peer = {
  14         publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
  15         allowedIPs = [ "${ipv4}/32" ];
  16       };
  17     };
  18   };
  19 in
  20 {
  21 security.gnupg.secrets."wireguard/${wg}/privateKey" = {
  22 /*
  23   systemdConfig.serviceConfig = {
  24     before     = [ "wireguard-${wg}.service" ];
  25     wantedBy   = [ "wireguard-${wg}.service" ];
  26     requiredBy = [ "wireguard-${wg}.service" ];
  27   };
  28 */
  29 };
  30 systemd.services."wireguard-${wg}" = {
  31   after    = [ gnupg.secrets."wireguard/${wg}/privateKey".service ];
  32   requires = [ gnupg.secrets."wireguard/${wg}/privateKey".service ];
  33 };
  34 networking.nftables.ruleset = ''
  35   # Allow initiating connection for ${wg}
  36   add rule inet filter fw2net ip daddr ${hosts.mermet.extraArgs.ipv4} udp dport ${toString relay.listenPort} counter accept comment "${wg}"
  37   #add rule inet filter fw2net udp sport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}"
  38   # Allow peers to initiate connection for ${wg}
  39   add rule inet filter net2fw udp dport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}"
  40
  41   # Hook ${wg} into relevant chains
  42   add rule inet filter input  iifname "${wg}" jump intra2fw
  43   add rule inet filter input  iifname "${wg}" log level warn prefix "intra2fw: " counter drop
  44   add rule inet filter output oifname "${wg}" jump fw2intra
  45   add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop
  46
  47   # ${wg} firewalling
  48   add rule inet filter fw2intra counter accept
  49   add rule inet filter intra2fw ip saddr ${relay.ipv4} counter accept comment "relay"
  50   add rule inet filter forward iifname "${wg}" jump fwd-intra
  51 '';
  52 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  53 networking.wireguard.interfaces.${wg} = {
  54   ips = [ "${wireguard.${wg}.ipv4}/24" ];
  55   listenPort = wireguard.${wg}.listenPort;
  56   privateKeyFile = gnupg.secrets."wireguard/${wg}/privateKey".path;
  57   peers = lib.mapAttrsToList (peerName: host:
  58     host.extraArgs.wireguard.${wg}.peer //
  59     { inherit (wireguard.${wg}) persistentKeepalive; }
  60   ) peers;
  61 };
  62 networking.hosts = lib.mapAttrs' (peerName: peer: lib.nameValuePair
  63   peer.extraArgs.wireguard.${wg}.ipv4
  64   [ "${peerName}.wg" ]
  65   ) peers;
  66 services.upnpc.redirections = [
  67   { description = "WireGuard"; externalPort = wireguard.${wg}.listenPort; protocol = "UDP"; duration = 30 * 60;
  68     service.wantedBy = ["wireguard-${wg}.service"];
  69     service.partOf = ["wireguard-${wg}.service"];
  70   }
  71 ];
  72
  73 # Open a wireguard tunnel to a relay
  74 # in case the host is hosted behind a NAT and has no SSH port forwarding.
  75 # This enables to send the disk password to the initrd, like that:
  76 # ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
  77 boot.initrd.secrets."/root/initrd/${wg}.key" = "/root/initrd/${wg}.key";
  78 /*
  79 installer.ssh-nixos.script = ''
  80   # Send the wireguard key of the initrd
  81   gpg --decrypt '${gnupg.store}/wireguard/${wg}/privateKey.gpg' |
  82   ssh '${config.installer.ssh-nixos.target}' \
  83   install -D -m 400 -o root -g root /dev/stdin /root/initrd/${wg}.key
  84 '';
  85 */
  86 boot.initrd.kernelModules = [ "wireguard" ];
  87 boot.initrd.extraUtilsCommands = ''
  88   #copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
  89   cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
  90 '';
  91 boot.initrd.network.postCommands = ''
  92   ip link add dev ${wg} type wireguard
  93   ip address add ${wireguard.${wg}.ipv4}/24 dev ${wg}
  94   wg set ${wg} private-key /root/initrd/${wg}.key \
  95      listen-port ${toString wireguard."${wg}".listenPort}
  96   ip link set up dev ${wg}
  97   wg set ${wg} peer ${relay.peer.publicKey} \
  98      endpoint ${hosts.mermet.extraArgs.ipv4}:${toString relay.listenPort} \
  99      allowed-ips ${relay.ipv4}/32 \
 100      persistent-keepalive 5
 101   ip route replace ${relay.ipv4}/32 dev ${wg} table main
 102 '';
 103 boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
 104   ip link del dev ${wg}
 105 '';
 106 environment.systemPackages = [
 107   pkgs.natpunch-go
 108 ];
 109 }