sourcephile / git / sourcephile-nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
mermet: knot: remove covid19.sourcephile.fr
[sourcephile-nix.git] / hosts / mermet / networking / wireguard.nix
diff --git a/hosts/mermet/networking/wireguard.nix b/hosts/mermet/networking/wireguard.nix
index b917ffb8267241a511266d743e53d3dccbc22bd7..54d479e2a534d710486476ac557f9bf264a552ae 100644 (file)
--- a/hosts/mermet/networking/wireguard.nix
+++ b/hosts/mermet/networking/wireguard.nix
@@ -1,37 +1,30 @@
-{ pkgs, lib, config, hostName, wireguard, ... }:
+{ config, inputs, ... }:
 let
-  inherit (config.security.gnupg) secrets;
-  iface = "wg-intra";
-  wg = config.networking.wireguard.interfaces.${iface};
-  wg-intra-hosts = import ../../../networking/wireguard/wg-intra/hosts.nix;
+  wgIface = "wg-intra";
 in
 {
-imports = [
-  ../../../networking/wireguard/wg-intra.nix
-];
-config = {
-networking.wireguard.interfaces.${iface} = {
-  privateKeyFile = secrets."wireguard/${iface}/privateKey".path;
-};
-security.gnupg.secrets."wireguard/${iface}/privateKey" = {};
-systemd.services."wireguard-${iface}" = {
-  after    = [ secrets."wireguard/${iface}/privateKey".service ];
-  requires = [ secrets."wireguard/${iface}/privateKey".service ];
-};
-networking.nftables.ruleset = ''
-  # Allow peers to initiate connection for ${iface}
-  add rule inet filter net2fw udp dport ${toString wg.listenPort} counter accept comment "${iface}"
-
-  # Hook ${iface} into relevant chains
-  add rule inet filter input  iifname "${iface}" jump intra2fw
-  add rule inet filter input  iifname "${iface}" log level warn prefix "intra2fw: " counter drop
-  add rule inet filter output oifname "${iface}" jump fw2intra
-  add rule inet filter output oifname "${iface}" log level warn prefix "fw2intra: " counter drop
-
-  # ${iface} firewalling
-  add rule inet filter fw2intra counter accept
-  add rule inet filter intra2fw tcp dport ${toString wg.peersAnnouncing.listenPort} counter accept comment "WireGuard peers announcing"
-  add rule inet filter intra2fw ip saddr ${wg-intra-hosts.losurdo.ipv4} counter accept comment "losurdo"
-'';
-};
+  imports = [
+    (inputs.julm-nix + "/nixos/profiles/wireguard/${wgIface}.nix")
+  ];
+  config = {
+    networking.wireguard.${wgIface}.peers = {
+      aubergine.enable = true;
+      losurdo.enable = true;
+      oignon.enable = true;
+      patate.enable = true;
+    };
+    networking.nftables.ruleset = ''
+      table inet filter {
+        chain input-intra {
+          tcp dport ssh counter accept comment "SSH"
+          udp dport 60000-60100 counter accept comment "Mosh"
+        }
+        chain output-intra {
+          tcp dport ssh counter accept comment "SSH"
+          udp dport 60000-60100 counter accept comment "Mosh"
+          counter accept
+        }
+      }
+    '';
+  };
 }
NixOS configurations for Sourcephile's infrastructure