From ccf23a35b83784b428d3144570e74a9c2169c0a2 Mon Sep 17 00:00:00 2001 From: Asyncnomi Date: Tue, 22 Jul 2025 21:00:30 +0200 Subject: [PATCH] fix rt routing & nftables --- nodes.nix | 24 +++++++------- shared/commons/mesh.nix | 66 ++++++++++++++++--------------------- shared/commons/nftables.nix | 6 +--- 3 files changed, 42 insertions(+), 54 deletions(-) diff --git a/nodes.nix b/nodes.nix index 3004549..7148b31 100644 --- a/nodes.nix +++ b/nodes.nix @@ -308,7 +308,7 @@ bastion-ren-lasuite-federez = { zone = 2; - id = 14; + id = 1; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -331,7 +331,7 @@ db-ren-lasuite-federez = { zone = 2; - id = 15; + id = 2; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -354,7 +354,7 @@ dns-ren-lasuite-federez = { zone = 2; - id = 16; + id = 3; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -377,7 +377,7 @@ docs-ren-lasuite-federez = { zone = 2; - id = 17; + id = 4; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -400,7 +400,7 @@ meet-ren-lasuite-federez = { zone = 2; - id = 18; + id = 5; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -423,7 +423,7 @@ gris-ren-lasuite-federez = { zone = 2; - id = 19; + id = 6; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -446,7 +446,7 @@ mail-ren-lasuite-federez = { zone = 2; - id = 20; + id = 7; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -469,7 +469,7 @@ garage-ren-lasuite-federez = { zone = 2; - id = 21; + id = 8; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -492,7 +492,7 @@ livekit-ren-lasuite-federez = { zone = 2; - id = 22; + id = 9; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -515,7 +515,7 @@ backup-ren-lasuite-federez = { zone = 2; - id = 23; + id = 10; system = "x86_64-linux"; ver = "25.05"; modules = [ @@ -538,7 +538,7 @@ prom-ren-lasuite-federez = { zone = 2; - id = 24; + id = 11; system = "x86_64-linux"; ver = "25.05"; modules = [ 
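Review bot: Changing `id = 14;` to `id = 1;` for bastion-ren-lasuite-federez also changes which agenix secret that node loads, because shared/commons/mesh.nix builds the key path from `wg-private-zone-${toString myZone}-id-${toString myId}` and `generatedSecrets` is derived from `node.zone`/`node.id`; the diffstat lists only nodes.nix, mesh.nix and nftables.nix, so no secret appears to have been renamed or added to match the new ids. The same applies to the db, dns, docs, meet, gris, mail, garage, livekit, backup, prom and auth hunks in this file (ids 15–25 becoming 2–12). If the `wg-private-zone-2-id-1` … `-12` entries do not already exist, every zone-2 node either fails evaluation or comes up with a freshly generated key pair that no peer recognizes, since peers use the `wg-pub` values from nodes.nix. Either rename the existing secrets alongside this change or, if keys are regenerated, update the matching `wg-pub` entries in the same commit; a short comment on the `id` field, `# id is per-zone: it selects the mesh address 172.19.<zone>.<id> and the wg-private-zone-<zone>-id-<id> secret`, would make the coupling visible.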
@@ -561,7 +561,7 @@ auth-ren-lasuite-federez = { zone = 2; - id = 25; + id = 12; system = "x86_64-linux"; ver = "25.05"; modules = [ diff --git a/shared/commons/mesh.nix b/shared/commons/mesh.nix index 9a32b59..c58b978 100644 --- a/shared/commons/mesh.nix +++ b/shared/commons/mesh.nix 
@@ -19,48 +19,40 @@ let }; generatedSecrets = lib.mapAttrsToList (name: node: buildSecret node.zone node.id) nodes; - generateWireGuardInterface = nodesConfig: let - myPeer = nodesConfig."${config.hostName}"; - myZone = myPeer.zone; - myId = myPeer.id; - - # Filter itself out of the peer list - peerConfigs = lib.filterAttrs (_peerName: peerConfig: (peerConfig.zone != myZone) || (peerConfig.id != myId)) nodesConfig; - - peers = lib.mapAttrsToList (peerName: peerConfig: { - name = "${peerName}"; - publicKey = peerConfig.wg-pub; - allowedIPs = [ - "172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32" - "fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128" - ] ++ lib.optionals (lib.elem peerName mapping.bastion) [ - "172.19.${toString (peerConfig.zone + 127)}.0/24" - "fc00:f::${toString (peerConfig.zone + 127)}:0/112" + # Filter itself out of the peer list + peerConfigs = lib.filterAttrs (_peerName: peerConfig: (peerConfig.zone != myZone) || (peerConfig.id != myId)) nodes; + + peers = lib.mapAttrsToList (peerName: peerConfig: { + name = "${peerName}"; + publicKey = peerConfig.wg-pub; + allowedIPs = [ + "172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32" + "fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128" + ] ++ lib.optionals (lib.elem peerName mapping.bastion) [ + "172.19.${toString (peerConfig.zone + 127)}.0/24" + "fc00:f::${toString (peerConfig.zone + 127)}:0/112" + ]; + endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:51820"; + persistentKeepalive = 25; + }) peerConfigs; + + interfaces = { + "mesh" = { + ips = [ + "172.19.${toString myZone}.${toString myId}/16" + "fc00::${toString myZone}:${toString myId}/96" ]; - endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:51820"; - persistentKeepalive = 25; - }) peerConfigs; - - interface = { - "mesh" = { - ips = [ - "172.19.${toString myZone}.${toString myId}/16" - "fc00::${toString myZone}:${toString myId}/96" - ]; - privateKeyFile = 
config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path; - listenPort = 51820; - peers = peers; - }; + privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path; + listenPort = 51820; + peers = peers; }; - in interface; - - wireguardInterfaces = generateWireGuardInterface nodes; + }; generateRoute = peerName: peerConfig: '' # Return path for mgmt trafic ${if lib.elem peerName mapping.bastion then '' - ${pkgs.iproute2}/bin/ip route replace 172.19.${toString (peerConfig.zone + 127)}.0/24 via 172.19.${toString peerConfig.id}.${toString myId} dev mesh - ${pkgs.iproute2}/bin/ip -6 route replace fc00:f::${toString (peerConfig.zone + 127)}:0/112 via fc00::${toString peerConfig.id}:${toString myId} dev mesh + ${pkgs.iproute2}/bin/ip route replace 172.19.${toString (peerConfig.zone + 127)}.0/24 via 172.19.${toString peerConfig.zone}.${toString peerConfig.id} dev mesh + ${pkgs.iproute2}/bin/ip -6 route replace fc00:f::${toString (peerConfig.zone + 127)}:0/112 via fc00::${toString peerConfig.zone}:${toString peerConfig.id} dev mesh '' else ""} ''; @@ -83,7 +75,7 @@ in networking.wireguard.useNetworkd = false; # Return all WireGuard interfaces for each node - networking.wireguard.interfaces = wireguardInterfaces; + networking.wireguard.interfaces = interfaces; # Execute custom routing for wireguard systemd.services.wireguardStaticRouting = { diff --git a/shared/commons/nftables.nix b/shared/commons/nftables.nix index 26f0491..120ee2b 100644 --- a/shared/commons/nftables.nix +++ b/shared/commons/nftables.nix @@ -7,10 +7,6 @@ let # Import mapping mapping = import ./../../mapping.nix; - - meshUdpRange = "51000-${toString (51000 + builtins.head ( - builtins.sort (a: b: a > b) ( - lib.mapAttrsToList (name: node: node.id) nodes)))}"; in { networking = { @@ -50,7 +46,7 @@ in tcp dport 22 accept # Mesh - udp dport ${meshUdpRange} accept + udp dport 51820 accept ${if lib.elem myName mapping.bastion then '' # Mgmt
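Review bot: `myZone` and `myId` are used throughout the new `peerConfigs`, `interfaces` and `generateRoute` bindings, but this hunk removes the only visible definitions of `myPeer`, `myZone` and `myId`; `myId` was already referenced by the old `generateRoute` at the outer `let` level, so it presumably exists above line 19, whereas `myZone` only appeared inside the removed function and must also be bound in the enclosing `let`, which starts outside the hunk. The corrected next hop `via 172.19.${toString peerConfig.zone}.${toString peerConfig.id}` is the bastion's own mesh address, which per the allowedIPs above is the one peer allowed to carry the `zone + 127` management ranges. A comment would spare the next reader the offset arithmetic: `# Mgmt range of zone Z is 172.19.(Z+127).0/24 and fc00:f::(Z+127):0/112; only that zone's bastion peer has it in allowedIPs`, and `trafic` in the existing comment can become `traffic` at the same time.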
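Review bot: `udp dport 51820 accept` hardcodes the listen port a second time, since mesh.nix also fixes it in `listenPort = 51820;` and in every peer's `endpoint = "...:51820"`; both files already import or use `mapping`, so a single value there (for example a `meshPort` attribute, name to be chosen) referenced from both rule and interface would keep the firewall from silently drifting away from the interface. The rule also accepts the WireGuard port from any source, while the removed `meshUdpRange` shows `nodes` is in scope here and mesh.nix already derives each peer's endpoint from `ip4`; restricting the rule to those addresses, `udp dport 51820 ip saddr { ${lib.concatStringsSep ", " (lib.mapAttrsToList (_: n: builtins.head (builtins.split "/" n.ip4)) nodes)} } accept`, would limit the exposed port to configured peers as defense in depth on top of WireGuard's own handshake authentication. If peers are also reached over IPv6, a matching `ip6 saddr` rule is needed, which I cannot tell from the fields visible in nodes.nix.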