wireguard: clean up a bit
{ pkgs, lib, config, hosts, hostName, wireguard, ... }:
# Intranet WireGuard tunnel of this host ("wg-intra"):
#   - the stage-2 private key comes from config.security.gnupg secrets,
#   - nftables rules admit the tunnel's UDP traffic and hook the interface
#     into the intra2fw / fw2intra / fwd-intra chains,
#   - the listen port is redirected through UPnP while the unit runs,
#   - a stripped-down copy of the same tunnel towards the relay "mermet"
#     is set up from the initrd so the disk password can be delivered over it.
let
  inherit (config.security) gnupg;
  inherit (config.boot) initrd;

  # Interface name; everything below (units, secrets, rules) is derived from it.
  wg = "wg-intra";
  # systemd unit generated for networking.wireguard.interfaces.${wg}.
  wgUnit = "wireguard-${wg}.service";
  # gnupg-managed secret holding the stage-2 private key.
  keySecret = "wireguard/${wg}/privateKey";
  # Our own parameters on this interface: ipv4, listenPort, persistentKeepalive.
  own = wireguard.${wg};
  # The relay's parameters on this interface: ipv4, listenPort, peer.
  relay = hosts.mermet.extraArgs.wireguard.${wg};
  # Public address:port the relay listens on.
  relayEndpoint = "${hosts.mermet.extraArgs.ipv4}:${toString relay.listenPort}";

  # Hand-written peer that is not taken from `hosts`; its entry below
  # replaces any `hosts.oignon` that the filter might have kept.
  oignonIntra =
    let ipv4 = "192.168.42.3"; in
    {
      inherit ipv4;
      peer = {
        publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
        allowedIPs = [ "${ipv4}/32" ];
      };
    };
  # Every other host of the deployment declaring this interface.
  declaredPeers =
    lib.filterAttrs
      (_: host: builtins.hasAttr wg host.extraArgs.wireguard)
      (builtins.removeAttrs hosts [ hostName ]);
  peers = declaredPeers // {
    oignon.extraArgs.wireguard.${wg} = oignonIntra;
  };
in
{
  # The secret is only declared here; its ordering against the WireGuard
  # unit is expressed on that unit below (after/requires).
  security.gnupg.secrets.${keySecret} = { };
  systemd.services."wireguard-${wg}" = {
    after = [ gnupg.secrets.${keySecret}.service ];
    requires = [ gnupg.secrets.${keySecret}.service ];
  };

  # Firewalling of the tunnel:
  #   - outbound UDP is only allowed towards the relay's address and port;
  #   - inbound UDP to our listen port is accepted from any source, so that
  #     peers behind unknown addresses can initiate (WireGuard only answers
  #     packets that authenticate against a configured peer);
  #   - packets entering from wg-intra go through intra2fw (which here only
  #     admits the relay's address) and are logged then dropped otherwise;
  #   - packets leaving through wg-intra go through fw2intra (accept-all);
  #   - forwarded packets entering from wg-intra are handed to fwd-intra,
  #     which is expected to be defined in another module.
  networking.nftables.ruleset = ''
    # Allow initiating connection for ${wg}
    add rule inet filter fw2net ip daddr ${hosts.mermet.extraArgs.ipv4} udp dport ${toString relay.listenPort} counter accept comment "${wg}"
    #add rule inet filter fw2net udp sport ${toString own.listenPort} counter accept comment "${wg}"
    # Allow peers to initiate connection for ${wg}
    add rule inet filter net2fw udp dport ${toString own.listenPort} counter accept comment "${wg}"

    # Hook ${wg} into relevant chains
    add rule inet filter input iifname "${wg}" jump intra2fw
    add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
    add rule inet filter output oifname "${wg}" jump fw2intra
    add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop

    # ${wg} firewalling
    add rule inet filter fw2intra counter accept
    add rule inet filter intra2fw ip saddr ${relay.ipv4} counter accept comment "relay"
    add rule inet filter forward iifname "${wg}" jump fwd-intra
  '';
  # Forwarding is switched on system-wide; the forward rule above is what
  # routes wg-intra traffic into fwd-intra.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  networking.wireguard.interfaces.${wg} = {
    ips = [ "${own.ipv4}/24" ];
    inherit (own) listenPort;
    privateKeyFile = gnupg.secrets.${keySecret}.path;
    # Each peer's own `peer` block, with our keepalive setting applied to all.
    peers = lib.mapAttrsToList
      (_: host: host.extraArgs.wireguard.${wg}.peer // { inherit (own) persistentKeepalive; })
      peers;
  };

  # Resolve "<peer>.wg" to each peer's tunnel address.
  networking.hosts = lib.listToAttrs (lib.mapAttrsToList
    (peerName: host: lib.nameValuePair host.extraArgs.wireguard.${wg}.ipv4 [ "${peerName}.wg" ])
    peers);

  # UPnP redirection of the listen port, tied to the lifetime of the unit.
  # NOTE(review): `duration` is presumably a lease in seconds (30 minutes) — confirm.
  services.upnpc.redirections = [
    {
      description = "WireGuard";
      externalPort = own.listenPort;
      protocol = "UDP";
      duration = 30 * 60;
      service.wantedBy = [ wgUnit ];
      service.partOf = [ wgUnit ];
    }
  ];

  # Open a wireguard tunnel to a relay from the initrd,
  # in case the host is hosted behind a NAT and has no SSH port forwarding.
  # This enables to send the disk password to the initrd, like that:
  #   ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
  #
  # NOTE(review): the provisioning script kept below decrypts the same gnupg
  # secret used for stage 2 into this file, so a clear-text copy of the
  # private key ends up inside the initrd image (typically under /boot),
  # outside the gnupg protection; confirm this is acceptable or use a
  # dedicated key for the initrd.
  boot.initrd.secrets."/root/initrd/${wg}.key" = "/root/initrd/${wg}.key";
  /*
  installer.ssh-nixos.script = ''
    # Send the wireguard key of the initrd
    gpg --decrypt '${gnupg.store}/wireguard/${wg}/privateKey.gpg' |
    ssh '${config.installer.ssh-nixos.target}' \
    install -D -m 400 -o root -g root /dev/stdin /root/initrd/${wg}.key
  '';
  */
  boot.initrd.kernelModules = [ "wireguard" ];
  # The initrd ships the unwrapped wg binary rather than the wrapper script.
  boot.initrd.extraUtilsCommands = ''
    #copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
    cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
  '';
  # Only the relay is configured as a peer in the initrd, with a fixed
  # 5 s keepalive, and a host route to it through the tunnel.
  boot.initrd.network.postCommands = ''
    ip link add dev ${wg} type wireguard
    ip address add ${own.ipv4}/24 dev ${wg}
    wg set ${wg} private-key /root/initrd/${wg}.key \
    listen-port ${toString own.listenPort}
    ip link set up dev ${wg}
    wg set ${wg} peer ${relay.peer.publicKey} \
    endpoint ${relayEndpoint} \
    allowed-ips ${relay.ipv4}/32 \
    persistent-keepalive 5
    ip route replace ${relay.ipv4}/32 dev ${wg} table main
  '';
  # When the initrd network is flushed before stage 2, the early interface
  # is removed; stage 2 configures it again via networking.wireguard above.
  boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
    ip link del dev ${wg}
  '';

  environment.systemPackages = [ pkgs.natpunch-go ];
}