-{ pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, inputs, ... }:
let
- inherit (builtins) hasAttr removeAttrs;
inherit (config.security) gnupg;
inherit (config.boot) initrd;
iface = "wg-intra";
wg = config.networking.wireguard.interfaces.${iface};
- relay =
- hosts.mermet.extraArgs //
- hosts.mermet.config.networking.wireguard.interfaces.${iface} //
- lib.head (lib.filter (peer:
- peer.endpoint != null &&
- builtins.match "^\(.*\):[0-9]*$" peer.endpoint ==
- [hosts.mermet.extraArgs.ipv4])
- wg.peers);
+ wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
+ relay = wg-intra-peers.mermet;
in
{
imports = [
- ../../../../networking/wireguard/wg-intra.nix
+ (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
];
-config = {
+networking.wireguard.${iface}.peers = {
+ mermet.enable = true;
+ oignon.enable = true;
+ patate.enable = true;
+};
networking.wireguard.interfaces.${iface} = {
privateKeyFile = gnupg.secrets."wireguard/${iface}/privateKey".path;
};
};
networking.nftables.ruleset = ''
# Allow initiating connection to and from other peers
- add rule inet filter fw2net udp sport ${toString wg.listenPort} counter accept comment "${iface} output to peers"
- add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface} input from peers"
+ add rule inet filter fw2net udp sport ${toString wg.listenPort} counter accept comment "WireGuard ${iface} output to peers"
+ add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "WireGuard ${iface} input from peers"
# Hook ${iface} into relevant chains
add rule inet filter input iifname "${iface}" jump intra2fw
# This enables to send the disk password to the initrd, like that:
# ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
boot.initrd.secrets."/root/initrd/${iface}.key" = "/root/initrd/${iface}.key";
-/*
-installer.ssh-nixos.script = ''
- # Send the wireguard key of the initrd
- gpg --decrypt '${gnupg.store}/wireguard/${iface}/privateKey.gpg' |
- ssh '${config.installer.ssh-nixos.target}' \
- install -D -m 400 -o root -g root /dev/stdin /root/initrd/${iface}.key
-'';
-*/
boot.initrd.kernelModules = [ "wireguard" ];
boot.initrd.extraUtilsCommands = ''
#copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
'') wg.ips}
wg set ${iface} private-key /root/initrd/${iface}.key \
listen-port ${toString wg.listenPort}
- ip link set up dev ${iface}
- wg set ${iface} peer ${relay.publicKey} \
+ ip link set up dev ${iface} mtu 1280
+ wg set ${iface} peer ${relay.peer.publicKey} \
endpoint ${relay.ipv4}:${toString relay.listenPort} \
allowed-ips ${relay.ipv4}/32 \
persistent-keepalive 5
boot.initrd.postMountCommands = lib.mkIf initrd.network.flushBeforeStage2 ''
ip link del dev ${iface}
'';
-};
}
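Review bot: Now that `relay` comes from julm-nix's peers.nix (L17-18), the initrd peer at L63-66 uses the same `relay.ipv4` both as the UDP `endpoint` (which must be an address reachable from outside the tunnel) and as the cryptokey-routing `allowed-ips ${relay.ipv4}/32` (which must be the relay's wg-intra tunnel address); unless peers.nix defines `ipv4` so that these coincide, one of the two is wrong, and if it is allowed-ips, losurdo will silently drop mermet's tunnel-sourced packets and the documented `ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222` never reaches the initrd. Please confirm against peers.nix and, if it exposes the tunnel address separately, point the allowed-ips line at that instead. Since `relay.peer.publicKey` and the endpoint are now trusted from a flake input, it is worth a comment next to L17 such as `# The relay's identity (public key, endpoint) is taken from inputs.julm-nix; bump flake.lock deliberately, since this is the only peer the initrd will accept.` The `boot.initrd.secrets` entry at L45 also deserves a caveat along the lines of `# This private key is embedded in the initrd image; anyone who can read /boot can read it, so treat it as a dedicated initrd-only key.`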