wireguard: clean up a bit
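{ pkgs, lib, config, hosts, hostName, wireguard, ... }:
# WireGuard intranet ("wg-intra") for this host:
# - the interface's private key is a gnupg-managed secret, and the
#   interface service is ordered after the secret's service;
# - nftables admits inbound handshakes on the listen port and gates
#   traffic crossing the tunnel through the intra2fw / fw2intra chains;
# - the peer list is every *other* entry of `hosts` that declares an
#   `extraArgs.wireguard.<wg>` attribute, plus one peer ("oignon")
#   declared inline because it is not part of `hosts`.
let
  inherit (builtins) removeAttrs;
  inherit (config.security.gnupg) secrets;
  wg = "wg-intra";
  secret = secrets."wireguard/${wg}/privateKey";
  # Reads a host's configuration for this WireGuard network.
  peerConf = host: host.extraArgs.wireguard.${wg};
  # Every other host taking part in this network. Using `?` on the full
  # attribute path (instead of `hasAttr` on `host.extraArgs.wireguard`)
  # also tolerates hosts that declare no `extraArgs.wireguard` at all,
  # instead of aborting evaluation on them.
  nixosPeers = lib.filterAttrs
    (_peerName: host: host ? extraArgs.wireguard.${wg})
    (removeAttrs hosts [ hostName ]);
  # Out-of-tree peer: only its own /32 is routed to / accepted from this key.
  extraPeers = {
    "oignon".extraArgs.wireguard.${wg} = rec {
      ipv4 = "192.168.42.3";
      peer = {
        publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
        allowedIPs = [ "${ipv4}/32" ];
      };
    };
  };
  peers = nixosPeers // extraPeers;
in
{
  # The private key is produced by a gnupg secret service; the interface
  # must not come up before that file exists.
  security.gnupg.secrets."wireguard/${wg}/privateKey" = {};
  systemd.services."wireguard-${wg}" = {
    after = [ secret.service ];
    requires = [ secret.service ];
  };

  networking.nftables.ruleset = ''
    # Allow peers to initiate connection for ${wg}.
    # This is the raw UDP endpoint, open to any source address: peer
    # authentication happens in WireGuard's handshake, not in this rule.
    add rule inet filter net2fw udp dport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}"

    # Hook ${wg} into relevant chains; whatever the dedicated chains do not
    # accept is logged and dropped.
    add rule inet filter input iifname "${wg}" jump intra2fw
    add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
    add rule inet filter output oifname "${wg}" jump fw2intra
    add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop

    # ${wg} firewalling: outbound into the tunnel is unrestricted, inbound
    # from the tunnel is limited to losurdo.
    # NOTE(review): the `ip saddr` match is only as strong as the peers'
    # allowedIPs -- WireGuard's cryptokey routing is what ties an inner
    # source address to a peer key -- so keep losurdo's allowedIPs limited
    # to its own address and never give another peer a range covering it.
    add rule inet filter fw2intra counter accept
    add rule inet filter intra2fw ip saddr ${(peerConf hosts.losurdo).ipv4} counter accept comment "losurdo"
  '';

  networking.wireguard.interfaces.${wg} = {
    ips = [ "${wireguard.${wg}.ipv4}/24" ];
    listenPort = wireguard.${wg}.listenPort;
    privateKeyFile = secret.path;
    peers = lib.mapAttrsToList (_peerName: host: (peerConf host).peer) peers;
  };

  # Resolve each peer as `<name>.wg` to its tunnel address.
  networking.hosts = lib.mapAttrs'
    (peerName: host: lib.nameValuePair (peerConf host).ipv4 [ "${peerName}.wg" ])
    peers;

  environment.systemPackages = [
    pkgs.natpunch-go
  ];
}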