-{ pkgs, lib, config, hosts, hostName, wireguard, ... }:
+{ pkgs, lib, config, inputs, ... }:
let
- inherit (builtins) hasAttr removeAttrs;
- inherit (config.security.gnupg) secrets;
- wg = "wg-intra";
- peers = lib.filterAttrs (peerName: host:
- hasAttr "${wg}" host.extraArgs.wireguard
- ) (removeAttrs hosts [hostName]);
+ wgIface = "wg-intra";
in
{
-security.gnupg.secrets."wireguard/${wg}/privateKey" = {};
-systemd.services."wireguard-${wg}" = {
- after = [ secrets."wireguard/${wg}/privateKey".service ];
- requires = [ secrets."wireguard/${wg}/privateKey".service ];
+imports = [
+ (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}.nix")
+];
+config = {
+networking.wireguard.${wgIface}.peers = {
+ aubergine.enable = true;
+ losurdo.enable = true;
+ oignon.enable = true;
+ patate.enable = true;
};
networking.nftables.ruleset = ''
- # Allow peers to initiate connection for ${wg}
- add rule inet filter net2fw udp dport ${toString wireguard."${wg}".listenPort} counter accept comment "${wg}"
-
- # Hook ${wg} into relevant chains
- add rule inet filter input iifname "${wg}" jump intra2fw
- add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
- add rule inet filter output oifname "${wg}" jump fw2intra
- add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop
-
- # ${wg} firewalling
- add rule inet filter fw2intra counter accept
- add rule inet filter intra2fw ip saddr ${hosts.losurdo.extraArgs.wireguard."${wg}".ipv4} counter accept comment "losurdo"
+ table inet filter {
+ chain input-intra {
+ tcp dport ssh counter accept comment "SSH"
+ udp dport 60000-60100 counter accept comment "Mosh"
+ }
+ chain output-intra {
+ tcp dport ssh counter accept comment "SSH"
+ udp dport 60000-60100 counter accept comment "Mosh"
+ counter accept
+ }
+ }
'';
-networking.wireguard.interfaces."${wg}" = {
- ips = [ "${wireguard."${wg}".ipv4}/24" ];
- listenPort = wireguard."${wg}".listenPort;
- privateKeyFile = secrets."wireguard/${wg}/privateKey".path;
- peers = lib.mapAttrsToList (peerName: host: host.extraArgs.wireguard."${wg}".peer) peers;
};
-networking.hosts = lib.mapAttrs' (hostName: host: lib.nameValuePair
- host.extraArgs.wireguard."${wg}".ipv4
- [ "${hostName}.intranet" ]
- ) peers;
}
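Review bot: The new `chain input-intra` block in the ruleset has no terminal rule, so any packet that matches neither the SSH nor the Mosh rule simply returns to whatever base chain jumped here, whereas the removed rules ended the interface hook with `log level warn prefix "intra2fw: " counter drop`, which both enforced the default and left a log trace. Adding `log level warn prefix "input-intra: " counter drop` as the last rule of `input-intra` keeps the chain's policy self-contained and preserves that detection signal regardless of the caller's policy. Note also that `input-intra` and `output-intra` are regular chains (no `type filter hook ...` line), so they are inert unless a base chain jumps to them; that jump presumably lives in the imported `profiles/wireguard/${wgIface}.nix` from `inputs.julm-nix`, which is not visible here and should be confirmed. Separately, mosh-server's default port range is 60001-60999, so `udp dport 60000-60100` only works if the server is pinned to that range (e.g. `mosh-server -p 60000:60100`); a comment such as `# Mosh: server is restricted to this range via -p` on that line would record the assumption.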