nftables: harden input checks on losurdo
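{ pkgs, lib, config, machines, machineName, wireguard, ... }:
# WireGuard "intranet" link for this machine, plus the nftables rules that
# expose it.  Peers are discovered from the other machines' `extraArgs`, so
# joining the intranet is a matter of giving a machine a
# `wireguard.wg-intranet` entry (with an `ipv4` and a `peer` attribute).
let
  inherit (builtins) hasAttr removeAttrs;
  inherit (config.security.gnupg) secrets;
  wg = "wg-intranet";
  # Every machine other than this one that declares this interface.
  # `hasAttr` takes the attribute name as a plain string; no interpolation needed.
  peers = lib.filterAttrs (peerName: machine:
    hasAttr wg machine.extraArgs.wireguard
  ) (removeAttrs machines [ machineName ]);
in
{
  # The private key is provided by the gnupg secrets machinery; the WireGuard
  # unit must both order after and require that service, otherwise the
  # interface would be brought up without a key file.
  security.gnupg.secrets."wireguard/${wg}/privateKey" = { };
  systemd.services."wireguard-${wg}" = {
    after = [ secrets."wireguard/${wg}/privateKey".service ];
    requires = [ secrets."wireguard/${wg}/privateKey".service ];
  };

  # Firewall policy for ${wg}:
  #  * the UDP listen port is open to any source in net2fw — WireGuard only
  #    answers handshakes that authenticate against our key, so restricting
  #    who may actually talk to this host is done on the interface instead;
  #  * input from ${wg} goes through intra2fw, where only losurdo's intranet
  #    address is accepted; everything else is logged ("intra2fw: ") and dropped;
  #  * output to ${wg} goes through fw2intra, which accepts everything.
  # NOTE(review): the saddr check assumes each peer's allowedIPs is pinned to
  # its own `ipv4` (cryptokey routing then already prevents spoofing) — the
  # `peer` attributes are defined elsewhere, confirm there.
  # NOTE(review): `add rule` appends in ruleset-concatenation order, so the
  # net2fw/input/output rules above only take effect if no earlier rule in
  # those chains already decides the packet — verify against the base ruleset.
  networking.nftables.ruleset = ''
    # Allow peers to initiate connection for ${wg}
    add rule inet filter net2fw udp dport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}"

    # Hook ${wg} into relevant chains
    add rule inet filter input iifname "${wg}" jump intra2fw
    add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
    add rule inet filter output oifname "${wg}" jump fw2intra
    add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop

    # ${wg} firewalling
    add rule inet filter fw2intra counter accept
    add rule inet filter intra2fw ip saddr ${machines.losurdo.extraArgs.wireguard.${wg}.ipv4} counter accept comment "losurdo"
  '';

  networking.wireguard.interfaces.${wg} = {
    # This machine's own intranet address; the /24 is the intranet prefix.
    ips = [ "${wireguard.${wg}.ipv4}/24" ];
    listenPort = wireguard.${wg}.listenPort;
    privateKeyFile = secrets."wireguard/${wg}/privateKey".path;
    # One WireGuard peer entry per discovered machine, taken verbatim from
    # that machine's `extraArgs`.
    peers = lib.mapAttrsToList (peerName: machine: machine.extraArgs.wireguard.${wg}.peer) peers;
  };

  # Resolve `<peer>.intranet` to each peer's intranet address.  The lambda
  # parameter is named `peerName` rather than `machineName` so it does not
  # shadow this file's own `machineName` argument (which is the local host).
  networking.hosts = lib.mapAttrs' (peerName: machine: lib.nameValuePair
    machine.extraArgs.wireguard.${wg}.ipv4
    [ "${peerName}.intranet" ]
  ) peers;
}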