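{ pkgs, lib, config, inputs, hostName, ... }:
# Bring up a WireGuard tunnel from within the initrd, towards a relay host,
# so that the disk password can be sent to the initrd's SSH server even when
# this host sits behind a NAT without any SSH port forwarding, e.g.:
#   ssh -J mermet.sp root@losurdo.sp -p 2222
# TODO: use a dedicated interface wg-initrd
let
  wgIface = "wg-intra";
  # Shared peer table for this interface (keys, endpoints, allowed IPs,
  # listen port, keepalive), reused from the stage-2 profile of the same name.
  peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}/peers.nix");
  # This host's own entry in the peer table.
  thisHost = peers.${hostName};
  # Name under which the key is exposed as a systemd credential.
  credName = "${wgIface}.key";
  # Path of the private key inside the initrd; presumably where
  # security.initrd.secrets (below) places it — confirm against that option.
  keyPath = "${config.security.initrd.stage1Dir}/${hostName}/wireguard/${wgIface}/privateKey";
in
{
  # Ship the private key (GPG-encrypted in the repository) into the initrd.
  security.initrd.secrets."${hostName}/wireguard/${wgIface}/privateKey" =
    "hosts/${hostName}/wireguard/${wgIface}/privateKey.gpg";
  boot.initrd.kernelModules = [ "wireguard" ];
  # Drop the initrd network state before stage 2 so the stage-2 profile
  # configures the interface from scratch.
  boot.initrd.network.flushBeforeStage2 = true;
  boot.initrd.systemd = {
    initrdBin = [
      pkgs.iproute2
      pkgs.iputils
      pkgs.wireguard-tools
    ];
    # Hand the key to systemd-networkd as a credential: it is then readable
    # by that unit only, under /run/credentials/, instead of through a path
    # every initrd process can open.
    services.systemd-networkd.serviceConfig.LoadCredential = [ "${credName}:${keyPath}" ];
    network = {
      netdevs."50-${wgIface}" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = wgIface;
          # Conservative MTU for the encapsulated packets; presumably chosen to
          # avoid fragmentation on any path — confirm against the relay.
          MTUBytes = "1280";
        };
        wireguardConfig = {
          PrivateKeyFile = "/run/credentials/systemd-networkd.service/${credName}";
          ListenPort = thisHost.listenPort;
        };
        # AllowedIPs also acts as a source filter: traffic received over the
        # tunnel is dropped unless its source address is listed for the peer
        # whose key authenticated it.  Peers are referenced explicitly rather
        # than through `with` so nothing in the table can shadow local names.
        wireguardPeers = [
          # The relay: the only peer with an Endpoint, so the only one the
          # initrd initiates to.
          {
            wireguardPeerConfig = {
              AllowedIPs = peers.mermet.peer.allowedIPs;
              Endpoint = peers.mermet.peer.endpoint;
              PersistentKeepalive = thisHost.persistentKeepalive;
              PublicKey = peers.mermet.peer.publicKey;
            };
          }
          # No Endpoint: the initrd never initiates to this peer, it is only
          # accepted if it reaches us; keepalives have no effect until an
          # endpoint is learned from an incoming handshake.
          {
            wireguardPeerConfig = {
              AllowedIPs = peers.oignon.peer.allowedIPs;
              PersistentKeepalive = thisHost.persistentKeepalive;
              PublicKey = peers.oignon.peer.publicKey;
            };
          }
        ];
      };
      networks.${wgIface} = {
        name = wgIface;
        address = thisHost.ips;
        # Kept disabled: forwarding/masquerading from the initrd would let the
        # tunnel route traffic for other hosts, which delivering the disk
        # password does not require.
        /*
        networkConfig = {
          IPMasquerade = "ipv4";
          IPForward = true;
        };
        */
      };
    };
  };
}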