| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-10-17 21:59:50 +0200 | 
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-10-17 21:59:50 +0200 | 
| commit | 7085030e4ad9c1d723a2afbff73bb9d0798c2370 (patch) | |
| tree | 1f659e07c388e451591c9beb1145d7c6df3f56ec /modules/yggdrasil-wg | |
| parent | a8fc9f492911dcb436469951d68d0fd44e9cf8b1 (diff) | |
yggdrasil-wg: ...
Diffstat (limited to 'modules/yggdrasil-wg')
| -rw-r--r-- | modules/yggdrasil-wg/default.nix | 39 | 
1 files changed, 1 insertions, 38 deletions
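--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -56,13 +56,11 @@ let
 privateKeyPath = mkPrivateKeyPath hostName;
 inNetwork = pathExists privateKeyPath && pathExists publicKeyPath;
 hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
-# hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
-# isRouter = inNetwork && any ({via, ...}: via == hostName) routes;
 linkToPeer = opts@{from, to, ...}:
 let
 other = if from == hostName then to else from;
 in {
-AllowedIPs = wgHostIPs.${other}; # ++ concatMap (rArgs: if rArgs.from != hostName || rArgs.via != to then [] else wgHostIPs.${rArgs.to}) routes;
+AllowedIPs = wgHostIPs.${other};
 PublicKey = trim (readFile (mkPublicKeyPath other));
 } // (optionalAttrs (from == hostName) (filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost" "udp2raw"])) opts // optionalAttrs (opts ? "endpointHost" && from == hostName) (if opts ? "udp2raw" then { Endpoint = "127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}"; } else { Endpoint = "${opts.endpointHost}:${toString listenPort}"; })));
 linkToGreDev = opts@{from, to, ...}:
@@ -180,21 +178,6 @@ in {
 } // listToAttrs (imap0 linkToGreNetwork hostLinks);
 };
 
-# networking.wireguard.interfaces = mkIf inNetwork {
-# yggdrasil = {
-# allowedIPsAsRoutes = false;
-# inherit listenPort;
-# ips = wgHostIPs.${hostName};
-# peers = filter (value: value != null) (map (opts@{to, from, ...}: if from == hostName || to == hostName then linkToPeer opts else null) links);
-# privateKeyFile = config.sops.secrets."yggdrasil-wg.priv".path;
-# postSetup = ''
-# ip li set mtu 1280 dev yggdrasil
-# ${concatMapStringsSep "\n" (linkArgs: let other = if linkArgs.from == hostName then linkArgs.to else linkArgs.from; in concatMapStringsSep "\n" (otherIP: "ip route replace \"${otherIP}\" dev \"yggdrasil\" table \"main\"") wgHostIPs.${other}) hostLinks}
-# ${concatMapStringsSep "\n" (routeArgs: let other = if routeArgs.from == hostName then routeArgs.to else routeArgs.from; in concatMapStringsSep "\n" (otherIP: concatMapStringsSep "\n" (viaIP: "ip route replace \"${otherIP}\" via \"${viaIP}\" dev \"yggdrasil\" table \"main\"") (map stripSubnet wgHostIPs.${routeArgs.via})) wgHostIPs.${other}) hostRoutes}
-# '';
-# };
-# };
-
 systemd.services = listToAttrs (filter ({ value, ...}: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in nameValuePair "yggdrasil-udp2raw@${other}" (if opts ? "endpointHost" && opts ? "udp2raw" then {
 path = with pkgs; [iptables];
 serviceConfig = {
@@ -225,13 +208,6 @@ in {
 Restart = "always";
 };
 } else null)) hostLinks));
-# // {
-# "wireguard-yggdrasil" = {
-# bindsTo = filter (value: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in if opts ? "endpointHost" && opts ? "udp2raw" then "yggdrasil-udp2raw@${other}.service" else null) hostLinks);
-# after = filter (value: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in if opts ? "endpointHost" && opts ? "udp2raw" then "yggdrasil-udp2raw@${other}.service" else null) hostLinks);
-# };
-# firewall.path = optionals isRouter [pkgs.procps];
-# };
 
 sops.secrets = {
 "yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) {
@@ -249,19 +225,6 @@ in {
 
 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs)));
 
-# networking.firewall = mkIf isRouter {
-# extraCommands = ''
-# ip6tables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
-# ip46tables -A FORWARD -j nixos-fw-log-refuse
-# sysctl net.ipv6.conf.all.forwarding=1
-# '';
-# extraStopCommands = ''
-# sysctl net.ipv6.conf.all.forwarding=0
-# ip46tables -D FORWARD -j nixos-fw-log-refuse || true
-# ip6tables -D FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept || true
-# '';
-# };
-
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
 environment.systemPackages = with pkgs; [ wireguard-tools batctl ];
 };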
