authorGregor Kleen <gkleen@yggdrasil.li>2021-10-17 21:59:50 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2021-10-17 21:59:50 +0200
commit7085030e4ad9c1d723a2afbff73bb9d0798c2370 (patch)
tree1f659e07c388e451591c9beb1145d7c6df3f56ec
parenta8fc9f492911dcb436469951d68d0fd44e9cf8b1 (diff)
yggdrasil-wg: ...
-rw-r--r--modules/yggdrasil-wg/default.nix39
1 files changed, 1 insertions, 38 deletions
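--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -56,13 +56,11 @@ let
 privateKeyPath = mkPrivateKeyPath hostName;
 inNetwork = pathExists privateKeyPath && pathExists publicKeyPath;
 hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
-# hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
-# isRouter = inNetwork && any ({via, ...}: via == hostName) routes;
 linkToPeer = opts@{from, to, ...}:
 let
 other = if from == hostName then to else from;
 in {
-AllowedIPs = wgHostIPs.${other}; # ++ concatMap (rArgs: if rArgs.from != hostName || rArgs.via != to then [] else wgHostIPs.${rArgs.to}) routes;
+AllowedIPs = wgHostIPs.${other};
 PublicKey = trim (readFile (mkPublicKeyPath other));
 } // (optionalAttrs (from == hostName) (filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost" "udp2raw"])) opts // optionalAttrs (opts ? "endpointHost" && from == hostName) (if opts ? "udp2raw" then { Endpoint = "127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}"; } else { Endpoint = "${opts.endpointHost}:${toString listenPort}"; })));
 linkToGreDev = opts@{from, to, ...}:
@@ -180,21 +178,6 @@ in {
 } // listToAttrs (imap0 linkToGreNetwork hostLinks);
 };
 
-# networking.wireguard.interfaces = mkIf inNetwork {
-# yggdrasil = {
-# allowedIPsAsRoutes = false;
-# inherit listenPort;
-# ips = wgHostIPs.${hostName};
-# peers = filter (value: value != null) (map (opts@{to, from, ...}: if from == hostName || to == hostName then linkToPeer opts else null) links);
-# privateKeyFile = config.sops.secrets."yggdrasil-wg.priv".path;
-# postSetup = ''
-# ip li set mtu 1280 dev yggdrasil
-# ${concatMapStringsSep "\n" (linkArgs: let other = if linkArgs.from == hostName then linkArgs.to else linkArgs.from; in concatMapStringsSep "\n" (otherIP: "ip route replace \"${otherIP}\" dev \"yggdrasil\" table \"main\"") wgHostIPs.${other}) hostLinks}
-# ${concatMapStringsSep "\n" (routeArgs: let other = if routeArgs.from == hostName then routeArgs.to else routeArgs.from; in concatMapStringsSep "\n" (otherIP: concatMapStringsSep "\n" (viaIP: "ip route replace \"${otherIP}\" via \"${viaIP}\" dev \"yggdrasil\" table \"main\"") (map stripSubnet wgHostIPs.${routeArgs.via})) wgHostIPs.${other}) hostRoutes}
-# '';
-# };
-# };
-
 systemd.services = listToAttrs (filter ({ value, ...}: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in nameValuePair "yggdrasil-udp2raw@${other}" (if opts ? "endpointHost" && opts ? "udp2raw" then {
 path = with pkgs; [iptables];
 serviceConfig = {
@@ -225,13 +208,6 @@ in {
 Restart = "always";
 };
 } else null)) hostLinks));
-# // {
-# "wireguard-yggdrasil" = {
-# bindsTo = filter (value: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in if opts ? "endpointHost" && opts ? "udp2raw" then "yggdrasil-udp2raw@${other}.service" else null) hostLinks);
-# after = filter (value: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in if opts ? "endpointHost" && opts ? "udp2raw" then "yggdrasil-udp2raw@${other}.service" else null) hostLinks);
-# };
-# firewall.path = optionals isRouter [pkgs.procps];
-# };
 
 sops.secrets = {
 "yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) {
@@ -249,19 +225,6 @@ in {
 
 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs)));
 
-# networking.firewall = mkIf isRouter {
-# extraCommands = ''
-# ip6tables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
-# ip46tables -A FORWARD -j nixos-fw-log-refuse
-# sysctl net.ipv6.conf.all.forwarding=1
-# '';
-# extraStopCommands = ''
-# sysctl net.ipv6.conf.all.forwarding=0
-# ip46tables -D FORWARD -j nixos-fw-log-refuse || true
-# ip6tables -D FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept || true
-# '';
-# };
-
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
 environment.systemPackages = with pkgs; [ wireguard-tools batctl ];
 };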