{ pkgs, lib, config, hosts, hostName, wireguard, ... }:
let
- inherit (builtins) hasAttr removeAttrs;
inherit (config.security.gnupg) secrets;
- wg = "wg-intra";
- peers = lib.filterAttrs (peerName: host:
- hasAttr wg host.extraArgs.wireguard
- ) (removeAttrs hosts [hostName]) // {
- "oignon".extraArgs.wireguard.${wg} = rec {
- ipv4 = "192.168.42.3";
- peer = {
- publicKey = "tE4fzqDrr7BgfOo9tWgGnpu3v0JRDEUZbJnm9e2F/GA=";
- allowedIPs = [ "${ipv4}/32" ];
- };
- };
- };
+ iface = "wg-intra";
+ wg = config.networking.wireguard.interfaces.${iface};
in
{
-security.gnupg.secrets."wireguard/${wg}/privateKey" = {};
-systemd.services."wireguard-${wg}" = {
- after = [ secrets."wireguard/${wg}/privateKey".service ];
- requires = [ secrets."wireguard/${wg}/privateKey".service ];
+imports = [
+ ../../../networking/wireguard/wg-intra.nix
+];
+config = {
+networking.wireguard.interfaces.${iface} = {
+ privateKeyFile = secrets."wireguard/${iface}/privateKey".path;
+};
+security.gnupg.secrets."wireguard/${iface}/privateKey" = {};
+systemd.services."wireguard-${iface}" = {
+ after = [ secrets."wireguard/${iface}/privateKey".service ];
+ requires = [ secrets."wireguard/${iface}/privateKey".service ];
};
networking.nftables.ruleset = ''
- # Allow peers to initiate connection for ${wg}
- add rule inet filter net2fw udp dport ${toString wireguard.${wg}.listenPort} counter accept comment "${wg}"
+ # Allow peers to initiate connection for ${iface}
+ add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface}"
- # Hook ${wg} into relevant chains
- add rule inet filter input iifname "${wg}" jump intra2fw
- add rule inet filter input iifname "${wg}" log level warn prefix "intra2fw: " counter drop
- add rule inet filter output oifname "${wg}" jump fw2intra
- add rule inet filter output oifname "${wg}" log level warn prefix "fw2intra: " counter drop
+ # Hook ${iface} into relevant chains
+ add rule inet filter input iifname "${iface}" jump intra2fw
+ add rule inet filter input iifname "${iface}" log level warn prefix "intra2fw: " counter drop
+ add rule inet filter output oifname "${iface}" jump fw2intra
+ add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop
- # ${wg} firewalling
+ # ${iface} firewalling
add rule inet filter fw2intra counter accept
- add rule inet filter intra2fw ip saddr ${hosts.losurdo.extraArgs.wireguard.${wg}.ipv4} counter accept comment "losurdo"
+ add rule inet filter intra2fw tcp dport ${toString wg.peersAnnouncing.listenPort} counter accept comment "WireGuard peers announcing"
+ add rule inet filter intra2fw ip saddr 192.168.42.2 counter accept comment "losurdo"
'';
-networking.wireguard.interfaces.${wg} = {
- ips = [ "${wireguard.${wg}.ipv4}/24" ];
- listenPort = wireguard.${wg}.listenPort;
- privateKeyFile = secrets."wireguard/${wg}/privateKey".path;
- peers = lib.mapAttrsToList (peerName: host: host.extraArgs.wireguard.${wg}.peer) peers;
};
-networking.hosts = lib.mapAttrs' (hostName: host: lib.nameValuePair
- host.extraArgs.wireguard.${wg}.ipv4
- [ "${hostName}.wg" ]
- ) peers;
-environment.systemPackages = [
- pkgs.natpunch-go
-];
}
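Review bot: The `intra2fw` accept rule for losurdo now hardcodes `192.168.42.2` where the removed line derived the address from `hosts.losurdo`; if losurdo's wg-intra address changes in the imported module, this allow rule silently stops matching and losurdo's traffic falls through to the `log ... drop` rule with no build-time error. The new `wg` binding already reads `wg.listenPort` and (presumably a custom option from `../../../networking/wireguard/wg-intra.nix`) `wg.peersAnnouncing.listenPort`, so if that module exposes peer addresses the rule should be built from them instead of a literal; otherwise add `# losurdo's wg-intra address — keep in sync with ../../../networking/wireguard/wg-intra.nix` above the rule. The `hosts`, `hostName`, `wireguard` and `pkgs` arguments in the header look unused on the new side after this change and could be dropped to make the module's inputs honest.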