# NixOS module: this host's leg of the "wg-intra" WireGuard intranet.
#
# The interface itself (addresses, listen port, private key, peer
# definitions) comes from the julm-nix wg-intra profile imported below.
# This file only: selects which peers to enable, adds the intranet
# firewall rules, requests a UPnP port mapping on the NAT gateway, and
# brings up a minimal tunnel to a relay from the initrd so the disk
# password can be delivered over SSH before the root filesystem is
# unlocked.
{ pkgs, lib, config, inputs, ... }:
let
  inherit (config.boot) initrd;
  iface = "wg-intra";
  # Fully-evaluated interface config (ips, listenPort) set by the
  # imported profile; reused so the initrd tunnel matches stage 2.
  wg = config.networking.wireguard.interfaces.${iface};
  # Shared peer database (keys, addresses, ports) for every wg-intra host.
  # Its schema is not visible in this file; see the NOTE(review) comments
  # below for the fields this module assumes.
  wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
  # The peer used as SSH jump host and as the initrd's only peer.
  relay = wg-intra-peers.mermet;
in
{
  imports = [
    (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
  ];
  # Peers this host talks to on the intranet.
  # NOTE(review): this is networking.wireguard.${iface}.peers, not
  # networking.wireguard.interfaces.${iface}.peers, so it must be an
  # option declared by the imported profile — confirm.
  networking.wireguard.${iface}.peers = {
    mermet.enable = true;
    oignon.enable = true;
    patate.enable = true;
    carotte.enable = true;
  };
  # Keep the UPnP mapping alive for as long as the tunnel runs: Upholds
  # restarts the upnpc unit whenever it stops, which matters because the
  # redirection below expires after 30 minutes.
  systemd.services."wireguard-${iface}" = {
    unitConfig.Upholds = [ "upnpc-${toString wg.listenPort}.service" ];
  };
  # Intranet firewall rules.  The fw2intra / intra2fw / forward chains and
  # their default policies are created elsewhere (presumably the imported
  # profile or the host's base ruleset) — only rules are appended here:
  #  - fw2intra: this host → intranet, everything accepted;
  #  - intra2fw: intranet → this host, only from the relay's addresses
  #    (so the SSH jump works) — everything else is left to the chain's
  #    default policy;
  #  - fwd-intra: packets entering on ${iface} and routed elsewhere jump
  #    to a chain that is created empty, so with ip_forward=1 below they
  #    fall through to the forward chain's policy (not visible here —
  #    confirm it is drop, otherwise the intranet can route through this
  #    host).
  # NOTE(review): "ip saddr" only accepts IPv4 prefixes; should relay.ips
  # ever contain an IPv6 entry the whole ruleset fails to load (and the
  # firewall with it).  Verify peers.nix, or emit "ip6 saddr" for those.
  networking.nftables.ruleset = ''
    # ${iface} firewalling
    #add rule inet filter fw2intra counter accept
    add rule inet filter fw2intra counter accept
    ${lib.concatMapStringsSep "\n" (ip: ''
      add rule inet filter intra2fw ip saddr ${ip} counter accept comment "relay"
    '') relay.ips}

    add chain inet filter fwd-intra
    #add rule inet filter fwd-intra counter accept
    add rule inet filter forward iifname "${iface}" jump fwd-intra
  '';
  # Apparently required to get NAT reflection.
  # Exposing the WireGuard UDP port on the NAT gateway is intended: the
  # listener does not answer packets that fail authentication, so the
  # mapping reveals nothing to unauthenticated scanners.  The mapping is
  # requested before the tunnel starts and lasts 30 minutes; renewal is
  # handled by the Upholds relation above.
  services.upnpc.redirections = [
    { description = "WireGuard"; externalPort = wg.listenPort; protocol = "UDP"; duration = 30 * 60;
      service.requiredBy = [ "wireguard-${iface}.service" ];
      service.before = [ "wireguard-${iface}.service" ];
    }
  ];
  # Required for the fwd-intra chain above to see any traffic; the
  # nftables forward policy is what bounds what actually gets routed.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Open a wireguard tunnel to a relay
  # in case the host is hosted behind a NAT and has no SSH port forwarding.
  # This enables to send the disk password to the initrd, like that:
  #   ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
  #
  # The private key is shipped as an initrd secret (the NixOS mechanism
  # for keeping such files out of the world-readable Nix store), but the
  # initrd itself sits on the boot partition: anyone able to read it can
  # impersonate this host to the relay.  Keep /root/initrd/${iface}.key
  # root-only (0400) and, if this is the same key the stage-2 interface
  # uses (not visible here), consider a dedicated initrd key pair so a
  # leaked initrd does not expose the stage-2 identity — TODO confirm.
  boot.initrd.secrets."/root/initrd/${iface}.key" = "/root/initrd/${iface}.key";
  boot.initrd.kernelModules = [ "wireguard" ];
  # Ship the wg tool: the real binary behind wireguard-tools' wrapper is
  # copied directly, presumably because the wrapper script does not work
  # in the initrd (see the commented-out copy_bin_and_libs attempt).
  boot.initrd.extraUtilsCommands = ''
    #copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
    cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
  '';
  # Bring up a minimal ${iface} in the initrd: same addresses and listen
  # port as stage 2, but a single peer (the relay) restricted to one /32,
  # with a 5 s keepalive so the NAT mapping stays open for the relay to
  # reach the initrd SSH server.  The 1280 MTU is presumably a conservative
  # choice for an unknown path through the NAT.
  # NOTE(review): relay.ipv4 is used three times with conflicting roles —
  # as the UDP endpoint (must be reachable *outside* the tunnel), as the
  # AllowedIPs (the source the relay's SSH traffic must arrive from, i.e.
  # its wg-intra address) and as a route *into* the tunnel.  If it is the
  # relay's public address, the route sends the encrypted endpoint traffic
  # back into ${iface}; if it is its intranet address, the endpoint cannot
  # be reached before the tunnel exists.  Check peers.nix: the endpoint
  # likely wants the relay's public host:port (cf. mermet.sourcephile.fr
  # above) while allowed-ips and the route want its wg-intra address.
  boot.initrd.network.postCommands = ''
    ip link add dev ${iface} type wireguard
    ${lib.concatMapStringsSep "\n" (ip: ''
      ip address add ${ip} dev ${iface}
    '') wg.ips}
    wg set ${iface} private-key /root/initrd/${iface}.key \
      listen-port ${toString wg.listenPort}
    ip link set up dev ${iface} mtu 1280
    wg set ${iface} peer ${relay.peer.publicKey} \
      endpoint ${relay.ipv4}:${toString relay.listenPort} \
      allowed-ips ${relay.ipv4}/32 \
      persistent-keepalive 5
    ip route replace ${relay.ipv4}/32 dev ${iface} table main
  '';
  # Tear the initrd tunnel down — and with it the private key loaded into
  # the kernel — once the root filesystem is mounted, but only when initrd
  # networking is flushed before stage 2 anyway.
  # NOTE(review): when flushBeforeStage2 is false the device and its
  # relay-only peer configuration survive into stage 2; confirm that the
  # stage-2 wireguard-${iface} unit copes with a pre-existing interface
  # rather than failing on "ip link add".
  boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
    ip link del dev ${iface}
  '';
}