| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-10-09 10:57:24 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-10-09 10:57:24 +0200 |
| commit | e8ea72d0393c90a13921407ed7998efdf4263b76 (patch) | |
| tree | e0bb096fef45c4736a0f73ec527381823b7a085a /modules | |
| parent | d515db79f20229cd1bdbb4365a89dc5b2842a5d5 (diff) | |
| download | nixos-e8ea72d0393c90a13921407ed7998efdf4263b76.tar nixos-e8ea72d0393c90a13921407ed7998efdf4263b76.tar.gz nixos-e8ea72d0393c90a13921407ed7998efdf4263b76.tar.bz2 nixos-e8ea72d0393c90a13921407ed7998efdf4263b76.tar.xz nixos-e8ea72d0393c90a13921407ed7998efdf4263b76.zip | |
yggdrasil-wg: ...
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/yggdrasil-wg/default.nix | 22 |
1 files changed, 19 insertions, 3 deletions
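--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -6,6 +6,7 @@ let
 listenPort = 51820;
 subnet = "2a03:4000:52:ada:1";
 subnetLength = 80;
+hostLength = subnetLength + 16;
 
 links = [
 { from = "vidhar";
@@ -21,7 +22,16 @@ let
 dynamicEndpointRefreshSeconds = 86400;
 }
 ];
-hostLength = subnetLength + 16;
+routes = [
+{ from = "sif";
+to = "vidhar";
+via = "surtr";
+}
+{ from = "vidhar";
+to = "sif";
+via = "surtr";
+}
+];
 hostIPs = {
 surtr = ["${subnet}::/${toString hostLength}"];
 vidhar = ["${subnet}:1::/${toString hostLength}"];
@@ -35,11 +45,12 @@ let
 privateKeyPath = mkPrivateKeyPath hostName;
 inNetwork = pathExists privateKeyPath && pathExists publicKeyPath;
 hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
+hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
 linkToPeer = opts@{from, to, ...}:
 let
 other = if from == hostName then to else from;
 in {
-allowedIPs = hostIPs.${other};
+allowedIPs = hostIPs.${other} ++ concatMap (rArgs: if rArgs.from != hostName || rArgs.via != to then [] else hostIPs.${rArgs.to}) routes;
 publicKey = trim (readFile (mkPublicKeyPath other));
 } // (optionalAttrs (from == hostName) (filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost"])) opts // optionalAttrs (opts ? "endpointHost") { endpoint = "${opts.endpointHost}:${toString listenPort}"; }));
 
@@ -64,7 +75,8 @@ in {
 peers = map linkToPeer hostLinks;
 privateKeyFile = config.sops.secrets."yggdrasil-wg.priv".path;
 postSetup = ''
-${pkgs.iproute2}/bin/ip route replace "${subnet}::/${toString subnetLength}" dev "yggdrasil" table "main"
+${concatMapStringsSep "\n" (linkArgs: let other = if linkArgs.from == hostName then linkArgs.to else linkArgs.from; in concatMapStringsSep "\n" (otherIP: "ip route replate \"${otherIP}\" dev \"yggdrasil\" table \"main\"") hostIPs.${other}) hostLinks}
+${concatMapStringsSep "\n" (routeArgs: let other = if routeArgs.from == hostName then routeArgs.to else routeArgs.from; in concatMapStringsSep "\n" (otherIP: concatMapStringsSep "\n" (viaIP: "ip route replate \"${otherIP}\" via \"${viaIP}\" dev \"yggdrasil\" table \"main\"") hostIPs.${routeArgs.via}) hostIPs.${other}) hostRoutes}
 '';
 };
 };
@@ -77,5 +89,9 @@ in {
 };
 
 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs)));
+
+boot.kernel.sysctl = mkIf (any ({via, ...}: via == hostName) routes) {
+"net.ipv6.conf.yggdrasil.forwarding" = 1;
+};
 };
 }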
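Review bot: Both added postSetup lines (new lines 78 and 79) spell the subcommand `ip route replate`, which iproute2 does not know, so every generated route command fails and the old `/${subnetLength}` route that line 67 installed is no longer replaced by anything; the fix is `ip route replace` in both lines, and since the new lines also drop the `${pkgs.iproute2}/bin/` prefix the removed line used, they now depend on `ip` being on the unit's PATH, which is worth confirming. In the allowedIPs change (new line 53) the filter compares `rArgs.via != to` while the peer being described is `other` (line 51); when this host is the link's `to` side, `to` is the host itself and the route's target prefixes are never added to that peer, so `rArgs.via != other` looks like the intended test and would match how line 79 derives `other`. The sysctl block (new lines 93-95) sets only the per-interface `net.ipv6.conf.yggdrasil.forwarding`; as far as I know Linux gates IPv6 forwarding on `net.ipv6.conf.all.forwarding` as well, so the `via` host may still drop transit traffic, and once the global flag is set, forwarding is no longer confined to the yggdrasil peers, so a forward-chain firewall rule limiting it to that interface should accompany it. The enclosing `let` and the module attribute set both begin and end outside these hunks.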
