mermet: knot: use builtins.path
[sourcephile-nix.git] / hosts / losurdo / wireguard / wg-extra.nix
index 7a8b33f9b1bae82c52e79c7658bac3008659071b..17725fa7780e0ddb9460525bf49e87af5c01595b 100644 (file)
@@ -1,60 +1,64 @@
-{ pkgs, lib, config, inputs, hosts, hostName, ... }:
+{ inputs, hostName, ... }:
 let
   wgIface = "wg-extra";
   listenPort = 16843;
 in
 {
-networking.nftables.ruleset = ''
-  table inet filter {
-    chain input-net {
-      udp dport ${toString listenPort} counter accept comment "${wgIface}"
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain input-net {
+        udp dport ${toString listenPort} counter accept comment "${wgIface}"
+      }
+      chain input-extra {
+        counter accept
+      }
+      chain input {
+        iifname ${wgIface} jump input-extra
+        iifname ${wgIface} log level warn prefix "input-extra: " counter drop
+      }
+      chain output-net {
+      }
+      chain output-extra {
+        counter accept
+      }
+      chain output {
+        oifname ${wgIface} jump output-extra
+        oifname ${wgIface} log level warn prefix "output-extra: " counter drop
+      }
+      chain forward {
+        # forward
+        iifname ${wgIface} counter accept
+      }
     }
-    chain input-extra {
-      counter accept
-    }
-    chain input {
-      iifname ${wgIface} jump input-extra
-      iifname ${wgIface} log level warn prefix "input-extra: " counter drop
-    }
-    chain output-net {
-    }
-    chain output-extra {
-      counter accept
-    }
-    chain output {
-      oifname ${wgIface} jump output-extra
-      oifname ${wgIface} log level warn prefix "output-extra: " counter drop
-    }
-    chain forward {
-      # forward
-      iifname ${wgIface} counter accept
-    }
-  }
-'';
-#boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted =
-  [ "privateKey:${inputs.self}/hosts/${hostName}/wireguard/${wgIface}/privateKey.cred" ];
-networking.wireguard.interfaces.${wgIface} = {
-  # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
-  privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
-  ips = [ "192.168.43.1/32" ];
-  inherit listenPort;
-  socketNamespace = null;
-  /*
-  interfaceNamespace = "extra";
-  preSetup = ''
-    ${pkgs.iproute}/bin/ip netns add extra
   '';
-  */
-  peers = [
-    { # julm-laptop
-      publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk=";
-      allowedIPs = [ "192.168.43.2/32" ];
-    }
-    { # julm-mobile
-      publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI=";
-      allowedIPs = [ "192.168.43.3/32" ];
-    }
+  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = [
+    "privateKey:${./. + "/${wgIface}/privateKey.cred"}"
   ];
-};
+  networking.networkmanager.unmanaged = [ wgIface ];
+  networking.wireguard.interfaces.${wgIface} = {
+    # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
+    privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
+    ips = [ "192.168.43.1/32" ];
+    inherit listenPort;
+    socketNamespace = null;
+    /*
+      interfaceNamespace = "extra";
+      preSetup = ''
+      ${pkgs.iproute}/bin/ip netns add extra
+      '';
+    */
+    peers = [
+      {
+        # julm-laptop
+        publicKey = "Ul1+GINJ/eXy7MhUQLB6wXboLUfKW32nwHd/IAGtwSk=";
+        allowedIPs = [ "192.168.43.2/32" ];
+      }
+      {
+        # julm-mobile
+        publicKey = "7hdI8aInfxFG0Ua1jHMDmx1RezI1q1PObFx6Kp2g5iI=";
+        allowedIPs = [ "192.168.43.3/32" ];
+      }
+    ];
+  };
 }
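Review bot: The new argument set `{ inputs, hostName, ... }:` keeps two names the module no longer reads: the only use of `inputs` and `hostName` was the old `${inputs.self}/hosts/${hostName}/...` credential path, which the new `./. + "/${wgIface}/privateKey.cred"` form replaces, so the header can shrink to `{ ... }:`. Note that the commented-out `preSetup` block still references `${pkgs.iproute}` while `pkgs` has been dropped from the arguments, so re-enabling it later would fail to evaluate; a short comment there, `# needs pkgs in the module arguments if re-enabled`, would save the next reader a surprise. The commit title says `builtins.path`, but the hunk uses path concatenation inside a string, which presumably has the same effect of copying `privateKey.cred` into the world-readable Nix store under a hashed name; that is acceptable only because the file is consumed via `LoadCredentialEncrypted`, so it is worth a one-line comment above L89 stating that the `.cred` must stay an encrypted credential and never a plaintext key.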