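# NixOS module: membership of this machine in the "wg-intranet" WireGuard network.
#
# Module arguments (beyond the usual NixOS ones):
#   machines    - attrset of every deployed machine, keyed by machine name; each
#                 entry carries .config (its evaluated NixOS config) and .extraArgs
#   machineName - name of the machine being built (it is excluded from `peers`)
#   wireguard   - this machine's extraArgs.wireguard attrset (ipv4 is read from it)
#
# Changes versus the previous revision:
#   * the outbound (fw2net) allow rule is emitted per peer and pinned to that
#     peer's public address and listen port - the same values used for the
#     WireGuard endpoint - instead of allowing mermet's listen port on any host;
#   * the lambda parameter in networking.hosts no longer shadows `machineName`;
#   * machines without an extraArgs.wireguard attrset no longer break evaluation.
{ pkgs, lib, config, machines, machineName, wireguard, ... }:
let
  inherit (builtins) hasAttr removeAttrs;
  inherit (config.security.gnupg) secrets;

  wg = "wg-intranet";

  # Every *other* machine that declares an address on this WireGuard network.
  # `or {}` keeps the predicate total for machines with no wireguard config at all.
  peers = lib.filterAttrs
    (peerName: machine: hasAttr wg (machine.extraArgs.wireguard or { }))
    (removeAttrs machines [ machineName ]);

  # Small accessors for a peer's evaluated WireGuard settings / intranet address.
  peerIface = machine: machine.config.networking.wireguard.interfaces."${wg}";
  peerIntraIPv4 = machine: machine.extraArgs.wireguard."${wg}".ipv4;

  # One outbound allow rule per peer: UDP to the peer's public IPv4 and its
  # WireGuard listen port only.  Empty `peers` yields an empty string.
  fw2netRules = lib.concatStringsSep "\n" (lib.mapAttrsToList
    (peerName: machine:
      "add rule inet filter fw2net ip daddr ${machine.extraArgs.ipv4} udp dport ${toString (peerIface machine).listenPort} counter accept comment \"${wg}: ${peerName}\"")
    peers);
in
{
  # The private key lives GnuPG-encrypted and is materialised by a oneshot
  # service; the interface must not be brought up before that service has run.
  security.gnupg.secrets."wireguard/${wg}/privateKey" = { };
  systemd.services."wireguard-${wg}" = {
    after = [ secrets."wireguard/${wg}/privateKey".service ];
    requires = [ secrets."wireguard/${wg}/privateKey".service ];
  };

  networking.nftables.ruleset = ''
    # Allow output connection of ${wg} (one rule per peer, pinned to its endpoint)
    ${fw2netRules}
    # Hook ${wg} to input and output chains; anything not accepted by the
    # intra2fw / fw2intra chains is logged and dropped.
    add rule inet filter input iifname "${wg}" jump intra2fw
    add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
    add rule inet filter output oifname "${wg}" jump fw2intra
    add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop
    # ${wg} firewalling: everything may leave over the tunnel, but only traffic
    # originating from mermet's intranet address is accepted inbound.
    add rule inet filter fw2intra counter accept
    add rule inet filter intra2fw ip saddr ${machines.mermet.extraArgs.wireguard."${wg}".ipv4} counter accept comment "mermet"
  '';

  networking.wireguard.interfaces."${wg}" = {
    ips = [ "${wireguard."${wg}".ipv4}/24" ];
    listenPort = 43642;
    privateKeyFile = secrets."wireguard/${wg}/privateKey".path;
    peers = lib.mapAttrsToList
      (peerName: machine:
        lib.recursiveUpdate
          {
            # Cryptokey routing: only the peer's own intranet address is
            # accepted from / routed to this peer.
            allowedIPs = [ "${peerIntraIPv4 machine}/32" ];
            endpoint = "${machine.extraArgs.ipv4}:${toString (peerIface machine).listenPort}";
            persistentKeepalive = 25;
          }
          # Per-peer overrides (publicKey, presharedKeyFile, ...).
          # NOTE(review): an override can also widen allowedIPs, which loosens
          # cryptokey routing - review those values with the firewall rules.
          machine.extraArgs.wireguard."${wg}".peer)
      peers;
  };

  # Resolve <peer>.intranet to the peer's address on this network.
  networking.hosts = lib.mapAttrs'
    (peerName: machine:
      lib.nameValuePair (peerIntraIPv4 machine) [ "${peerName}.intranet" ])
    peers;
}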