summaryrefslogtreecommitdiff
path: root/modules/yggdrasil-wg/default.nix
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2021-10-09 11:23:37 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2021-10-09 11:23:37 +0200
commit0365d3e1efc936ead80fb768312bb005780d2940 (patch)
tree959f0a8406518b9da57c7278c58410a31ab342c7 /modules/yggdrasil-wg/default.nix
parent2d97ecb5c4828db7389cf2baf436c3ecc7af1d6c (diff)
downloadnixos-0365d3e1efc936ead80fb768312bb005780d2940.tar
nixos-0365d3e1efc936ead80fb768312bb005780d2940.tar.gz
nixos-0365d3e1efc936ead80fb768312bb005780d2940.tar.bz2
nixos-0365d3e1efc936ead80fb768312bb005780d2940.tar.xz
nixos-0365d3e1efc936ead80fb768312bb005780d2940.zip
yggdrasil-wg: ...
Diffstat (limited to 'modules/yggdrasil-wg/default.nix')
-rw-r--r--modules/yggdrasil-wg/default.nix14
1 files changed, 12 insertions, 2 deletions
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 7502b3c7..e81fee84 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -46,6 +46,7 @@ let
46 inNetwork = pathExists privateKeyPath && pathExists publicKeyPath; 46 inNetwork = pathExists privateKeyPath && pathExists publicKeyPath;
47 hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links; 47 hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
48 hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes; 48 hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
49 isRouter = inNetwork && any ({via, ...}: via == hostName) routes;
49 linkToPeer = opts@{from, to, ...}: 50 linkToPeer = opts@{from, to, ...}:
50 let 51 let
51 other = if from == hostName then to else from; 52 other = if from == hostName then to else from;
@@ -90,8 +91,17 @@ in {
90 91
91 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs))); 92 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs)));
92 93
93 boot.kernel.sysctl = mkIf (any ({via, ...}: via == hostName) routes) { 94 networking.firewall = mkIf isRouter {
94 "net.ipv6.conf.yggdrasil.forwarding" = 1; 95 extraCommands = ''
96 iptables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
97 iptables -A FORWARD -j nixos-fw-log-refuse
98 sysctl net.ipv6.conf.all.forwarding=1
99 '';
100 extraStopCommands = ''
101 sysctl net.ipv6.conf.all.forwarding=0
102 iptables -D FORWARD -j nixos-fw-log-refuse
103 iptables -D FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
104 '';
95 }; 105 };
96 }; 106 };
97} 107}