author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-10-17 21:59:50 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-10-17 21:59:50 +0200 |
commit | 7085030e4ad9c1d723a2afbff73bb9d0798c2370 (patch) | |
tree | 1f659e07c388e451591c9beb1145d7c6df3f56ec | |
parent | a8fc9f492911dcb436469951d68d0fd44e9cf8b1 (diff) | |
download | nixos-7085030e4ad9c1d723a2afbff73bb9d0798c2370.tar nixos-7085030e4ad9c1d723a2afbff73bb9d0798c2370.tar.gz nixos-7085030e4ad9c1d723a2afbff73bb9d0798c2370.tar.bz2 nixos-7085030e4ad9c1d723a2afbff73bb9d0798c2370.tar.xz nixos-7085030e4ad9c1d723a2afbff73bb9d0798c2370.zip |
yggdrasil-wg: ...
-rw-r--r-- | modules/yggdrasil-wg/default.nix | 39 |
1 files changed, 1 insertions, 38 deletions
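--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -56,13 +56,11 @@ let
 privateKeyPath = mkPrivateKeyPath hostName;
 inNetwork = pathExists privateKeyPath && pathExists publicKeyPath;
 hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
-# hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
-# isRouter = inNetwork && any ({via, ...}: via == hostName) routes;
 linkToPeer = opts@{from, to, ...}:
 let
 other = if from == hostName then to else from;
 in {
-AllowedIPs = wgHostIPs.${other}; # ++ concatMap (rArgs: if rArgs.from != hostName || rArgs.via != to then [] else wgHostIPs.${rArgs.to}) routes;
+AllowedIPs = wgHostIPs.${other};
 PublicKey = trim (readFile (mkPublicKeyPath other));
 } // (optionalAttrs (from == hostName) (filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost" "udp2raw"])) opts // optionalAttrs (opts ? "endpointHost" && from == hostName) (if opts ? "udp2raw" then { Endpoint = "127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}"; } else { Endpoint = "${opts.endpointHost}:${toString listenPort}"; })));
 linkToGreDev = opts@{from, to, ...}:
@@ -180,21 +178,6 @@ in {
 } // listToAttrs (imap0 linkToGreNetwork hostLinks);
 };
 
-# networking.wireguard.interfaces = mkIf inNetwork {
-# yggdrasil = {
-# allowedIPsAsRoutes = false;
-# inherit listenPort;
-# ips = wgHostIPs.${hostName};
-# peers = filter (value: value != null) (map (opts@{to, from, ...}: if from == hostName || to == hostName then linkToPeer opts else null) links);
-# privateKeyFile = config.sops.secrets."yggdrasil-wg.priv".path;
-# postSetup = ''
-# ip li set mtu 1280 dev yggdrasil
-# ${concatMapStringsSep "\n" (linkArgs: let other = if linkArgs.from == hostName then linkArgs.to else linkArgs.from; in concatMapStringsSep "\n" (otherIP: "ip route replace \"${otherIP}\" dev \"yggdrasil\" table \"main\"") wgHostIPs.${other}) hostLinks}
-# ${concatMapStringsSep "\n" (routeArgs: let other = if routeArgs.from == hostName then routeArgs.to else routeArgs.from; in concatMapStringsSep "\n" (otherIP: concatMapStringsSep "\n" (viaIP: "ip route replace \"${otherIP}\" via \"${viaIP}\" dev \"yggdrasil\" table \"main\"") (map stripSubnet wgHostIPs.${routeArgs.via})) wgHostIPs.${other}) hostRoutes}
-# '';
-# };
-# };
-
 systemd.services = listToAttrs (filter ({ value, ...}: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in nameValuePair "yggdrasil-udp2raw@${other}" (if opts ? "endpointHost" && opts ? "udp2raw" then {
 path = with pkgs; [iptables];
 serviceConfig = {
@@ -225,13 +208,6 @@ in {
 Restart = "always";
 };
 } else null)) hostLinks));
-# // {
-# "wireguard-yggdrasil" = {
-# bindsTo = filter (value: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in if opts ? "endpointHost" && opts ? "udp2raw" then "yggdrasil-udp2raw@${other}.service" else null) hostLinks);
-# after = filter (value: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in if opts ? "endpointHost" && opts ? "udp2raw" then "yggdrasil-udp2raw@${other}.service" else null) hostLinks);
-# };
-# firewall.path = optionals isRouter [pkgs.procps];
-# };
 
 sops.secrets = {
 "yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) {
@@ -249,19 +225,6 @@ in {
 
 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs)));
 
-# networking.firewall = mkIf isRouter {
-# extraCommands = ''
-# ip6tables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
-# ip46tables -A FORWARD -j nixos-fw-log-refuse
-# sysctl net.ipv6.conf.all.forwarding=1
-# '';
-# extraStopCommands = ''
-# sysctl net.ipv6.conf.all.forwarding=0
-# ip46tables -D FORWARD -j nixos-fw-log-refuse || true
-# ip6tables -D FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept || true
-# '';
-# };
-
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
 environment.systemPackages = with pkgs; [ wireguard-tools batctl ];
 };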
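Review bot: `linkToPeer` (new lines 59–65 in the first hunk) appears to lose its only visible caller with this change, since the commented-out `peers = … linkToPeer opts …` block deleted in the second hunk was the one place that referenced it; unless it is used elsewhere in the file it is now dead code and could go with the rest of this cleanup. If it is kept, `PublicKey = trim (readFile (mkPublicKeyPath other))` reads the peer's key file at evaluation time and will abort evaluation with a missing-file error when that file is absent, whereas `inNetwork` only checks this host's own key pair; a comment such as `# evaluation fails if the peer's public key file is missing` would make that dependency visible. The enclosing `let` begins before the first hunk.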