hosts/mermet/networking/wireguard.nix

   1 { pkgs, lib, config, hosts, hostName, wireguard, ... }:
   2 let
   3   inherit (config.security.gnupg) secrets;
   4   iface = "wg-intra";
   5   wg = config.networking.wireguard.interfaces.${iface};
   6 in
   7 {
   8 imports = [
   9   ../../../networking/wireguard/wg-intra.nix
  10 ];
  11 config = {
  12 networking.wireguard.interfaces.${iface} = {
  13   privateKeyFile = secrets."wireguard/${iface}/privateKey".path;
  14 };
  15 security.gnupg.secrets."wireguard/${iface}/privateKey" = {};
  16 systemd.services."wireguard-${iface}" = {
  17   after    = [ secrets."wireguard/${iface}/privateKey".service ];
  18   requires = [ secrets."wireguard/${iface}/privateKey".service ];
  19 };
  20 networking.nftables.ruleset = ''
  21   # Allow peers to initiate connection for ${iface}
  22   add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface}"
  23
  24   # Hook ${iface} into relevant chains
  25   add rule inet filter input  iifname "${iface}" jump intra2fw
  26   add rule inet filter input  iifname "${iface}" log level warn prefix "intra2fw: " counter drop
  27   add rule inet filter output oifname "${iface}" jump fw2intra
  28   add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop
  29
  30   # ${iface} firewalling
  31   add rule inet filter fw2intra counter accept
  32   add rule inet filter intra2fw tcp dport ${toString wg.peersAnnouncing.port} counter accept comment "WireGuard peers announcing"
  33   add rule inet filter intra2fw ip saddr 192.168.42.2 counter accept comment "losurdo"
  34 '';
  35 };
  36 }