1 { pkgs, lib, config, inputs, ... }:
3 inherit (config.boot) initrd;
5 wg = config.networking.wireguard.interfaces.${iface};
6 wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
7 relay = wg-intra-peers.mermet;
11 (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
13 networking.wireguard.${iface}.peers = {
17 carotte.enable = true;
19 systemd.services."wireguard-${iface}" = {
20 unitConfig.Upholds = [ "upnpc-${toString wg.listenPort}.service" ];
22 networking.nftables.ruleset = ''
23 # ${iface} firewalling
24 #add rule inet filter fw2intra counter accept
25 add rule inet filter fw2intra counter accept
26 ${lib.concatMapStringsSep "\n" (ip: ''
27 add rule inet filter intra2fw ip saddr ${ip} counter accept comment "relay"
30 add chain inet filter fwd-intra
31 #add rule inet filter fwd-intra counter accept
32 add rule inet filter forward iifname "${iface}" jump fwd-intra
34 # Apparently required to get NAT reflection.
35 services.upnpc.redirections = [
36 { description = "WireGuard"; externalPort = wg.listenPort; protocol = "UDP"; duration = 30 * 60;
37 service.requiredBy = [ "wireguard-${iface}.service" ];
38 service.before = [ "wireguard-${iface}.service" ];
41 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
43 # Open a wireguard tunnel to a relay
44 # in case the host is hosted behind a NAT and has no SSH port forwarding.
45 # This enables to send the disk password to the initrd, like that:
46 # ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
47 boot.initrd.secrets."/root/initrd/${iface}.key" = "/root/initrd/${iface}.key";
48 boot.initrd.kernelModules = [ "wireguard" ];
49 boot.initrd.extraUtilsCommands = ''
50 #copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
51 cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
53 boot.initrd.network.postCommands = ''
54 ip link add dev ${iface} type wireguard
55 ${lib.concatMapStringsSep "\n" (ip: ''
56 ip address add ${ip} dev ${iface}
58 wg set ${iface} private-key /root/initrd/${iface}.key \
59 listen-port ${toString wg.listenPort}
60 ip link set up dev ${iface} mtu 1280
61 wg set ${iface} peer ${relay.peer.publicKey} \
62 endpoint ${relay.ipv4}:${toString relay.listenPort} \
63 allowed-ips ${relay.ipv4}/32 \
64 persistent-keepalive 5
65 ip route replace ${relay.ipv4}/32 dev ${iface} table main
67 boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
68 ip link del dev ${iface}