authorGregor Kleen <gkleen@yggdrasil.li>2021-10-10 14:11:18 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2021-10-10 14:11:18 +0200
commitfd0d76cff24790194a27c8ed3ff47d83fedc8245 (patch)
tree91f469b3a2020b385610ed10596f908683c81e0f /modules/yggdrasil-wg/default.nix
parentd85f16d75ae44cf94f0500fdbfbde2b8233b8cc5 (diff)
yggdrasil-wg: ...
Diffstat (limited to 'modules/yggdrasil-wg/default.nix')
-rw-r--r--modules/yggdrasil-wg/default.nix31
1 files changed, 28 insertions, 3 deletions
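--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -86,7 +86,28 @@ in {
 systemd.services = listToAttrs (filter ({ value, ...}: value != null) (imap0 (ix: opts@{to, from, ...}: let other = if from == hostName then to else from; in nameValuePair "yggdrasil-udp2raw@${other}" (if opts ? "endpointHost" && (from == hostName || to == hostName) then {
 path = with pkgs; [iptables];
 serviceConfig = {
-ExecStart = "${pkgs.udp2raw}/bin/udp2raw ${if from == hostName then "-c -l 127.0.0.1:${toString (udp2rawPort + ix)} -r ${opts.endpointHost}:${toString (udp2rawPort + ix)}" else "-s -l 0.0.0.0:${toString (udp2rawPort + ix)} -r 127.0.0.1:${toString listenPort}"} -k tmpkey --auth-mode hmac_sha1 --raw-mode faketcp -a";
+RuntimeDirectory = ["config"];
+ExecStartPre = pkgs.writeShellScript "udp2raw-mkconfig-${other}.sh" ''
+secret=$(cat ${config.sops.secrets."yggdrasil-udp2raw-secret".path})
+cat >''${RUNTIME_DIRECTORY}/udp2raw.conf <<EOF
+${if from == hostName then ''
+-c
+-l 127.0.0.1:${toString (udp2rawPort + ix)}
+-r ${opts.endpointHost}:${toString (udp2rawPort + ix)}
+'' else ''
+-s
+-l 0.0.0.0:${toString (udp2rawPort + ix)}
+-r 127.0.0.1:${toString listenPort}
+''}
+-k $secret
+--auth-mode hmac_sha1
+--raw-mode faketcp
+-a
+--retry-on-error
+EOF
+'';
+ExecStart = "${pkgs.udp2raw}/bin/udp2raw --conf-file \${RUNTIME_DIRECTORY}/udp2raw.conf";
+Restart = "always";
 };
 } else null)) links)) // {
 "wireguard-yggdrasil" = {
@@ -96,11 +117,15 @@ in {
 firewall.path = optionals isRouter [pkgs.procps];
 };
 
-sops.secrets = mkIf (pathExists privateKeyPath) {
-"yggdrasil-wg.priv" = {
+sops.secrets = {
+"yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) {
 format = "binary";
 sopsFile = privateKeyPath;
 };
+"yggdrasil-udp2raw-secret" = mkIf (any (opts@{to, from, ...}: (to == hostName || from == hostName) && opts ? "endpointHost") links) {
+format = "binary";
+sopsFile = ./udp2raw-secret;
+};
 };
 
 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs)));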
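Review bot: The pre-shared key that the new ExecStartPre script writes into `${RUNTIME_DIRECTORY}/udp2raw.conf` (`-k $secret`) is created with the service's default umask inside a RuntimeDirectory that, absent a `RuntimeDirectoryMode`, defaults to 0755, so the key most likely ends up readable by every local user even though moving it off the command line was the point of the change. Add `RuntimeDirectoryMode = "0700";` next to `RuntimeDirectory = ["config"];` and make `umask 077` the first line of the script before the `cat >` redirect. Separately, every `yggdrasil-udp2raw@${other}` instance uses the same directory name `config`, so on a host with more than one link carrying `endpointHost` the instances would presumably share `/run/config`, overwrite each other's `udp2raw.conf` and remove it when one of them stops; a per-instance name such as `RuntimeDirectory = ["udp2raw-${other}"];` (with the matching path in `ExecStart`) avoids that. The `systemd.services` expression starts inside the first hunk but its enclosing `in {` scope begins outside it.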