losurdo: creds: fix paths and other stuffs

[sourcephile-nix.git] / hosts / mermet / networking / wireguard.nix

diff --git a/hosts/mermet/networking/wireguard.nix b/hosts/mermet/networking/wireguard.nix
index 74e48f3f9182424c628427a8d8d7cad7db82dea1..f003056b6cf88575e9d2a37226c28d9b2f323385 100644 (file)
--- a/hosts/mermet/networking/wireguard.nix
+++ b/hosts/mermet/networking/wireguard.nix
@@ -1,34 +1,30 @@
-{ pkgs, lib, config, hostName, inputs, ... }:
+{ pkgs, lib, config, inputs, ... }:
 let
-  inherit (config.security.gnupg) secrets;
-  iface = "wg-intra";
-  wg = config.networking.wireguard.interfaces.${iface};
-  wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
+  wgIface = "wg-intra";
 in
 {
 imports = [
-  (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
+  (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}.nix")
 ];
 config = {
-networking.wireguard.${iface}.peers = {
+networking.wireguard.${wgIface}.peers = {
+  aubergine.enable = true;
   losurdo.enable = true;
   oignon.enable = true;
   patate.enable = true;
 };
 networking.nftables.ruleset = ''
-  # Allow peers to initiate connection for ${iface}
-  add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface}"
-
-  # Hook ${iface} into relevant chains
-  add rule inet filter input  iifname "${iface}" jump intra2fw
-  add rule inet filter input  iifname "${iface}" log level warn prefix "intra2fw: " counter drop
-  add rule inet filter output oifname "${iface}" jump fw2intra
-  add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop
-
-  # ${iface} firewalling
-  add rule inet filter fw2intra counter accept
-  add rule inet filter intra2fw tcp dport ${toString wg.peersAnnouncing.listenPort} counter accept comment "WireGuard peers announcing"
-  add rule inet filter intra2fw ip saddr ${wg-intra-peers.losurdo.ipv4} counter accept comment "losurdo"
+  table inet filter {
+    chain input-intra {
+      tcp dport ssh counter accept comment "SSH"
+      udp dport 60000-60100 counter accept comment "Mosh"
+    }
+    chain output-intra {
+      tcp dport ssh counter accept comment "SSH"
+      udp dport 60000-60100 counter accept comment "Mosh"
+      counter accept
+    }
+  }
 '';
 };
 }