-{ pkgs, lib, config, inputs, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
let
inherit (config.boot) initrd;
wgIface = "wg-intra";
- wg = config.networking.wireguard.interfaces.${wgIface};
- wg-intra-peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra/peers.nix");
- relay = wg-intra-peers.mermet;
+ peers = import (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}/peers.nix");
in
{
- imports = [
- (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
- ];
- systemd.services."wireguard-${wgIface}" = {
- serviceConfig = {
- LoadCredentialEncrypted = [ "privateKey:${./. + "/${wgIface}/privateKey.cred"}" ];
- };
- unitConfig = {
- Upholds = [ "upnpc-${toString wg.listenPort}.service" ];
- };
- };
- networking.wireguard.${wgIface}.peers = {
- mermet.enable = true;
- oignon.enable = true;
- patate.enable = true;
- carotte.enable = true;
- aubergine.enable = true;
- };
- networking.nftables.ruleset = ''
- table inet filter {
- chain input-intra {
- tcp dport ssh counter accept comment "SSH"
- udp dport 60000-61000 counter accept comment "Mosh"
- }
- chain output-intra {
- tcp dport { ssh, 2222 } counter accept comment "SSH"
- udp dport 60001-60010 counter accept comment "Mosh"
- tcp dport { http, https } counter accept comment "HTTP"
- tcp dport git counter accept comment "Git"
- }
- }
- table inet nat {
- chain postrouting {
- iifname ${wgIface} oifname netIface masquerade
- }
- }
- '';
- # Apparently required to get NAT reflection.
- services.upnpc.enable = true;
- services.upnpc.redirections = [
- {
- description = "WireGuard";
- externalPort = wg.listenPort;
- protocol = "UDP";
- duration = 30 * 60;
- service.requiredBy = [ "wireguard-${wgIface}.service" ];
- service.before = [ "wireguard-${wgIface}.service" ];
- }
- ];
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
# Open a wireguard tunnel to a relay
# in case the host is hosted behind a NAT and has no SSH port forwarding.
# This enables to send the disk password to the initrd, like that:
- # ssh -J mermet.wg root@losurdo.wg -p 2222
+ # ssh -J mermet.sp root@losurdo.sp -p 2222
# TODO: use a dedicated interface wg-initrd
- boot.initrd.secrets."/root/initrd/${wgIface}.key" = "/run/credentials/wireguard-${wgIface}.service/privateKey";
+ security.initrd.secrets."${hostName}/wireguard/${wgIface}/privateKey" =
+ "hosts/${hostName}/wireguard/${wgIface}/privateKey.gpg";
boot.initrd.kernelModules = [ "wireguard" ];
- systemd.network = {
- netdevs = {
- "50-${wgIface}" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = wgIface;
- MTUBytes = "1280";
+ boot.initrd.network.flushBeforeStage2 = true;
+ boot.initrd.systemd = {
+ initrdBin = [
+ pkgs.iproute2
+ pkgs.iputils
+ pkgs.wireguard-tools
+ ];
+ services.systemd-networkd = {
+ serviceConfig.LoadCredential = [ "${wgIface}.key:${config.security.initrd.stage1Dir}/${hostName}/wireguard/${wgIface}/privateKey" ];
+ };
+ network = {
+ netdevs = {
+ "50-${wgIface}" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = wgIface;
+ MTUBytes = "1280";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/run/credentials/systemd-networkd.service/${wgIface}.key";
+ ListenPort = peers.${hostName}.listenPort;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = with peers.mermet.peer; {
+ AllowedIPs = allowedIPs;
+ Endpoint = endpoint;
+ PersistentKeepalive = peers.${hostName}.persistentKeepalive;
+ PublicKey = publicKey;
+ };
+ }
+ {
+ wireguardPeerConfig = with peers.oignon.peer; {
+ AllowedIPs = allowedIPs;
+ PersistentKeepalive = peers.${hostName}.persistentKeepalive;
+ PublicKey = publicKey;
+ };
+ }
+ ];
};
- wireguardConfig = {
- PrivateKeyFile = "/root/initrd/${wgIface}.key";
- ListenPort = wg.listenPort;
+ };
+ networks.${wgIface} = {
+ name = wgIface;
+ address = peers.${hostName}.ips;
+ /*
+ networkConfig = {
+ IPMasquerade = "ipv4";
+ IPForward = true;
};
- wireguardPeers = [
- {
- wireguardPeerConfig = {
- PublicKey = relay.peer.publicKey;
- AllowedIPs = [ "${relay.ipv4}/32" ];
- PersistentKeepalive = 5;
- };
- }
- ];
+ */
};
};
- networks.wgIface = {
- name = wgIface;
- address = wg.ips;
- };
};
}
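Review bot: The oignon peer entry (the second `wireguardPeerConfig`) sets `PersistentKeepalive` but no `Endpoint`, so the keepalive is inert until oignon initiates a handshake and the kernel learns its address; if `peers.oignon.peer` exposes an `endpoint` as `peers.mermet.peer` does, add `Endpoint = endpoint;`, otherwise drop the keepalive line to avoid suggesting this side can reach oignon on its own. The mermet peer now takes `AllowedIPs` from the shared `peers.nix` instead of the previous explicit `"${relay.ipv4}/32"`, so the set of destinations the initrd routes through the relay is whatever that file says — worth confirming it is still just the relay address, since this tunnel exists only to reach the initrd SSH. The private key is now loaded from `${config.security.initrd.stage1Dir}`, i.e. it travels inside the stage-1 initrd on the boot medium; a short comment above `security.initrd.secrets` stating how that module protects the decrypted key (e.g. `# privateKey.gpg is decrypted into stage1Dir at build time; the initrd image itself is not encrypted — see security.initrd`) would make the exposure explicit for the next reader. The `/* networkConfig = { IPMasquerade ... } */` block in `networks.${wgIface}` is dead configuration; either remove it or prefix it with a one-line comment saying why masquerading was left out of the initrd network.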