From 2684b3c1aa8c256450f7c9f0f02eae3d97501176 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 10 Nov 2024 16:19:07 +0000
Subject: [PATCH] wg-home: re-enable keepalives

this should fix some of the flakiness i've seen when deploying moby?

---
 hosts/modules/wg-home.nix | 1 +
 modules/vpn.nix | 30 +++++++++++++++++++++---------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/hosts/modules/wg-home.nix b/hosts/modules/wg-home.nix
index 0208703ee..a2acbb58a 100644
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@@ -97,6 +97,7 @@ in
 sane.vpn.wg-home = lib.mkIf cfg.routeThroughServo {
 id = 51;
 endpoint = config.sane.hosts.by-name."servo".wg-home.endpoint;
+ keepalive = true;
 publicKey = config.sane.hosts.by-name."servo".wg-home.pubkey;
 addrV4 = cfg.ip;
 subnetV4 = "24";
diff --git a/modules/vpn.nix b/modules/vpn.nix
index 38d16d19f..088d95ad4 100644
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@@ -70,6 +70,14 @@ let
 e.g. "vpn.example.com:55280"
 '';
 };
+ keepalive = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ whether to send periodic packets to keep the NAT alive.
+ this should only be needed if you want to receive unprompted inbound packets.
+ '';
+ };
 publicKey = mkOption {
 type = types.str;
 description = ''
@@ -118,7 +126,7 @@ let
 priorityFwMark = config.id + 300;
 };
 });
- mkVpnConfig = name: { addrV4, dns, endpoint, fwmark, id, privateKeyFile, publicKey, subnetV4, ... }: {
+ mkVpnConfig = name: { addrV4, dns, endpoint, fwmark, id, keepalive, privateKeyFile, publicKey, subnetV4, ... }: {
 assertions = [
 {
 assertion = (lib.count (c: c.id == id) (builtins.attrValues cfg)) == 1;
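Review bot: The new `keepalive` option's description (the `+ description = ''` lines in the modules/vpn.nix hunk) leaves out the two things a user of a full-tunnel VPN needs in order to decide: the interval, which is fixed at 25 s by mkVpnConfig rather than taken from the option, and the cost, which is that this host sends a packet to the endpoint every 25 s for as long as the tunnel is configured, even when no user traffic flows. That steady background flow is observable on path and keeps the radio busy on battery-powered hosts, so the `default = false` is the right choice and the text should say why. I would replace the two description lines with `whether to send a keepalive to the peer every 25 seconds so the NAT/firewall mapping for the tunnel stays open and the peer can initiate traffic to this host.` and `costs constant background traffic (and wake-ups on battery-powered hosts); leave it off unless you need unsolicited inbound packets.` The enclosing options submodule starts and ends outside the hunk.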
@@ -136,14 +144,18 @@ let
 PrivateKeyFile = privateKeyFile;
 FirewallMark = fwmark;
 };
- wireguardPeers = [{
- AllowedIPs = [
- "0.0.0.0/0"
- "::/0"
- ];
- Endpoint = endpoint;
- PublicKey = publicKey;
- }];
+ wireguardPeers = [
+ ({
+ AllowedIPs = [
+ "0.0.0.0/0"
+ "::/0"
+ ];
+ Endpoint = endpoint;
+ PublicKey = publicKey;
+ } // lib.optionalAttrs keepalive {
+ PersistentKeepalive = 25;
+ })
+ ];
 };
 systemd.network.networks."50-${name}" = {
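Review bot: `PersistentKeepalive = 25;` is a bare magic number in the middle of the peer definition with nothing saying why 25 and not a value from the option; the reader has to know that 25 s is the interval the WireGuard documentation recommends as safely below common NAT UDP timeouts. I would hoist it into the surrounding `let` as `keepaliveInterval = 25; # wireguard's recommended interval, below typical NAT UDP timeouts` and write `PersistentKeepalive = keepaliveInterval;`, which also gives one place to change if a stricter NAT turns up. A caveat also belongs on the `lib.optionalAttrs keepalive` line: because this peer carries `AllowedIPs = 0.0.0.0/0` and `::/0`, enabling keepalive means the host emits a packet to the endpoint every 25 s whenever the tunnel is up, regardless of user traffic — fine for a device you deploy to over the tunnel, but it is a permanent background flow and a power cost on mobile hosts, so it should stay opt-in per host. mkVpnConfig's body begins before and continues after the hunk.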