-{ pkgs, lib, config, hosts, inputs, ... }:
+{ pkgs, lib, config, inputs, ... }:
let
inherit (config.security) gnupg;
inherit (config.boot) initrd;
iface = "wg-intra";
wg = config.networking.wireguard.interfaces.${iface};
- wg-intra-hosts = import (inputs.julm-nix + "/networking/wireguard/wg-intra/hosts.nix");
- relay = wg-intra-hosts.mermet;
+ wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
+ relay = wg-intra-peers.mermet;
in
{
imports = [
- (inputs.julm-nix + "/networking/wireguard/wg-intra.nix")
+ (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
];
+networking.wireguard.${iface}.peers = {
+ mermet.enable = true;
+ oignon.enable = true;
+ patate.enable = true;
+ carotte.enable = true;
+};
networking.wireguard.interfaces.${iface} = {
privateKeyFile = gnupg.secrets."wireguard/${iface}/privateKey".path;
};
# This enables to send the disk password to the initrd, like that:
# ssh -J mermet.sourcephile.fr root@losurdo.wg -p 2222
boot.initrd.secrets."/root/initrd/${iface}.key" = "/root/initrd/${iface}.key";
-/*
-installer.ssh-nixos.script = ''
- # Send the wireguard key of the initrd
- gpg --decrypt '${gnupg.store}/wireguard/${iface}/privateKey.gpg' |
- ssh '${config.installer.ssh-nixos.target}' \
- install -D -m 400 -o root -g root /dev/stdin /root/initrd/${iface}.key
-'';
-*/
boot.initrd.kernelModules = [ "wireguard" ];
boot.initrd.extraUtilsCommands = ''
#copy_bin_and_libs ${pkgs.wireguard-tools}/bin/wg
'') wg.ips}
wg set ${iface} private-key /root/initrd/${iface}.key \
listen-port ${toString wg.listenPort}
- ip link set up dev ${iface}
+ ip link set up dev ${iface} mtu 1280
wg set ${iface} peer ${relay.peer.publicKey} \
endpoint ${relay.ipv4}:${toString relay.listenPort} \
allowed-ips ${relay.ipv4}/32 \
sourcephile / git / sourcephile-nix.git / blobdiff