# Open a wireguard tunnel to a relay
# in case the host is hosted behind a NAT and has no SSH port forwarding.
# This enables to send the disk password to the initrd, like that:
- # ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
+ # ssh -J mermet.wg root@losurdo.wg -p 2222
# TODO: use a dedicated interface wg-initrd
boot.initrd.secrets."/root/initrd/${wgIface}.key" = "/run/credentials/wireguard-${wgIface}.service/privateKey";
boot.initrd.kernelModules = [ "wireguard" ];
- boot.initrd.extraUtilsCommands = ''
- #copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
- cp -fpdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
- '';
- boot.initrd.network.postCommands = ''
- ip link add dev ${wgIface} type wireguard
- ${lib.concatMapStringsSep "\n" (ip: ''
- ip address add ${ip} dev ${wgIface}
- '') wg.ips}
- wg set ${wgIface} private-key /root/initrd/${wgIface}.key \
- listen-port ${toString wg.listenPort}
- ip link set up dev ${wgIface} mtu 1280
- wg set ${wgIface} peer ${relay.peer.publicKey} \
- endpoint ${relay.ipv4}:${toString relay.listenPort} \
- allowed-ips ${relay.ipv4}/32 \
- persistent-keepalive 5
- ip route replace ${relay.ipv4}/32 dev ${wgIface} table main
- '';
- boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
- ip link del dev ${wgIface}
- '';
+ systemd.network = {
+ netdevs = {
+ "50-${wgIface}" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = wgIface;
+ MTUBytes = "1280";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/root/initrd/${wgIface}.key";
+ ListenPort = wg.listenPort;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ PublicKey = relay.peer.publicKey;
+ AllowedIPs = [ "${relay.ipv4}/32" ];
+ PersistentKeepalive = 5;
+ };
+ }
+ ];
+ };
+ };
+ networks.wgIface = {
+ name = wgIface;
+ address = wg.ips;
+ };
+ };
}
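Review bot: The new `wireguardPeerConfig` drops the relay endpoint that the removed `wg set … endpoint ${relay.ipv4}:${toString relay.listenPort}` line provided, so the initrd interface has no address to send handshakes or keepalives to; since the host sits behind NAT and the relay cannot initiate, the tunnel would never come up and the disk password could not be delivered. Add `Endpoint = "${relay.ipv4}:${toString relay.listenPort}";` next to `PublicKey` in the peer block. The removed `ip route replace ${relay.ipv4}/32 dev ${wgIface} table main` also has no obvious counterpart in the new netdev/network units; presumably a route for the relay is needed unless systemd-networkd is configured to add routes for AllowedIPs — worth confirming. The enclosing attribute set begins outside the hunk.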