Commit 557f12d88ea9

Vincent Demeester <vincent@sbr.pm>
2025-12-08 10:13:11
feat(network): add WireGuard MTU options and fix git GPG signing
- Add configurable MTU for WireGuard interfaces (default 1420 for server)
- Fix WireGuard server MASQUERADE rule from /32 to /24 subnet
- Make git GPG signing conditional on host (aomi, kyushu only)
- Add SSH key configuration for aomi host

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 5a26904
Changed files (3)
home/common/shell/git.nix
@@ -29,10 +29,15 @@ let
   ];
   sshkeyPerHost = {
     kyushu = "${pkgs.writeText "yubikey5-c1" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGHMa4rHuBbQQYv+8jvlkFCD2VYRGA4+5fnZAhLx8iDirzfEPqHB60UJWcDeixnJCUlpJjzFbS4crNOXhfCTCTE="}";
+    aomi = "${pkgs.writeText "aomi" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJmTdMKYdgqpbQWBif58VBuwX+GqMGsMfB1ey1TKrM3 vincent@aomi"}";
   };
   defaultSSHKey = sshkeyPerHost.kyushu;
   getSSHKeyForHost =
     h: if builtins.hasAttr h sshkeyPerHost then sshkeyPerHost."${h}" else defaultSSHKey;
+  enableGpgSign = builtins.elem hostname [
+    "aomi"
+    "kyushu"
+  ];
 in
 {
   xdg.configFile."git/allowed_signers".text = '''';
@@ -103,10 +108,10 @@ in
         };
       };
       commit = {
-        gpgSign = true;
+        gpgSign = enableGpgSign;
       };
       tag = {
-        gpgSign = true;
+        gpgSign = enableGpgSign;
       };
       init = {
         defaultBranch = "main";
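Review bot: The new `enableGpgSign` list (lines 19-22) restates the host set already encoded as the keys of `sshkeyPerHost`, so a host added to one but not the other either stops signing or signs with the kyushu fallback returned by `getSSHKeyForHost`, a key that host presumably does not hold. Deriving it keeps the two in sync: `enableGpgSign = builtins.hasAttr hostname sshkeyPerHost;`, or at least a comment `# keep in sync with sshkeyPerHost: only hosts with a signing key listed there should sign`. `hostname` is not bound anywhere in this hunk, so it is assumed to be a `let` binding or module argument above line 29 — worth confirming. The `let` block starts outside the hunk.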
modules/wireguard-client.nix
@@ -49,6 +49,15 @@ in
           The peer (server) public key
         '';
       };
+      mtu = mkOption {
+        type = with types; nullOr int;
+        default = null;
+        description = ''
+          MTU size for the WireGuard interface.
+          Common values: 1420 (conservative), 1380 (for PPPoE).
+          If null, uses system default.
+        '';
+      };
     };
   };
   config = mkIf cfg.enable {
@@ -81,7 +90,8 @@ in
             persistentKeepalive = 25;
           }
         ];
-      };
+      }
+      // lib.optionalAttrs (cfg.mtu != null) { inherit (cfg) mtu; };
     };
   };
 }
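Review bot: The `mtu` option type `nullOr int` (line 45) accepts 0 and negative values, which are only rejected when the interface is brought up rather than at evaluation time; `type = with types; nullOr ints.positive;` fails the build instead, and the same applies to the server copy at line 72 of modules/wireguard-server.nix. The `optionalAttrs` merge on line 62 correctly omits the attribute when unset, so the "If null, uses system default" wording in the description holds. The attribute set being extended on lines 61-62 begins outside the hunk.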
modules/wireguard-server.nix
@@ -28,13 +28,22 @@ in
         description = "Peers linked to the interface.";
         type = with types; listOf anything;
       };
+      mtu = mkOption {
+        type = with types; nullOr int;
+        default = 1420;
+        description = ''
+          MTU size for the WireGuard interface.
+          Common values: 1420 (conservative), 1380 (for PPPoE).
+          If null, uses system default.
+        '';
+      };
     };
   };
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.wireguard-tools ];
     boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1; # FIXME should probably be mkDefault
     networking.firewall.extraCommands = ''
-      iptables -t nat -A POSTROUTING -s10.100.0.0/32 -j MASQUERADE
+      iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -j MASQUERADE
       iptables -A FORWARD -i wg+ -j ACCEPT
     '';
     networking.firewall.allowedUDPPorts = [ 51820 ];
@@ -45,7 +54,8 @@ in
         inherit (cfg) ips peers;
         listenPort = 51820;
         privateKeyFile = "/etc/wireguard/private.key";
-      };
+      }
+      // lib.optionalAttrs (cfg.mtu != null) { inherit (cfg) mtu; };
     };
   };
 }
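Review bot: The corrected MASQUERADE rule on line 87 now NATs a hard-coded `10.100.0.0/24`, while the addresses actually assigned to the interface come from the configurable `cfg.ips` (line 92), so the NAT scope and the interface addressing can silently diverge if a deployment uses a different prefix. Consider deriving the source from `cfg.ips` or adding a `subnet` option with `10.100.0.0/24` as its default and interpolating it here, with a comment `# must match the prefix assigned in cfg.ips`. Since these rules are appended with `-A` from `extraCommands`, the matching `-D` in `networking.firewall.extraStopCommands` is also missing, which is what lets duplicate rules accumulate across firewall reloads — I cannot see whether it is defined elsewhere in the module. The `config` block continues outside the hunk.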