author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-09-30 15:22:27 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-09-30 15:22:27 +0200 |
commit | e9f823e35558314664837cc51f3d126bd8a63b3f (patch) | |
tree | f824199cc0c34cd083fa9e26f1731e4f498724e2 /modules | |
parent | 5c48e9aa09d2444af3860f5e4018b7fb5eda87e7 (diff) | |
yggdrasil-wg: better route?
Diffstat (limited to 'modules')
-rw-r--r-- | modules/yggdrasil-wg/default.nix | 13 |
1 files changed, 9 insertions, 4 deletions
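--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -1,10 +1,11 @@
-{ config, hostName, lib, ... }:
+{ config, hostName, lib, pkgs, ... }:
 
 with lib;
 
 let
 listenPort = 51820;
 subnet = "2a03:4000:52:ada:1";
+subnetLength = 80;
 
 links = [
 { from = "vidhar";
@@ -14,9 +15,10 @@ let
 dynamicEndpointRefreshSeconds = 86400;
 }
 ];
+hostLength = subnetLength + 16;
 hostIPs = {
-surtr = ["${subnet}::/96"];
+surtr = ["${subnet}::/${toString hostLength}"];
-vidhar = ["${subnet}:1::/96"];
+vidhar = ["${subnet}:1::/${toString hostLength}"];
 };
 
 mkPublicKeyPath = host: ./hosts + "/${host}.pub";
@@ -49,11 +51,14 @@ in {
 
 networking.wireguard.interfaces = mkIf inNetwork {
 yggdrasil = {
-allowedIPsAsRoutes = true;
+allowedIPsAsRoutes = false;
 inherit listenPort;
 ips = hostIPs.${hostName};
 peers = map linkToPeer hostLinks;
 privateKeyFile = config.sops.secrets."yggdrasil-wg.priv".path;
+postSetup = ''
+${pkgs.iproute2}/bin/ip route replace "${subnet}/${toString subnetLength}" dev "yggdrasil" table "main"
+'';
 };
 };
 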
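Review bot: The aggregate route installed in `postSetup` uses `ip route replace`, which silently overwrites any existing main-table route for `2a03:4000:52:ada:1::/80` instead of failing the way `ip route add` would; if that prefix is meant to belong to this interface alone, `add` (or at least a comment stating that clobbering is intended) would make an accidental conflict with another route visible rather than hidden. The reason for switching `allowedIPsAsRoutes` to `false` is not recorded anywhere, and it has a security-relevant consequence worth a comment next to `postSetup`: every destination inside the /80, including addresses assigned to no peer, is now steered into the tunnel, where WireGuard's cryptokey routing drops packets that match no peer's allowedIPs instead of letting them fall through to the default route — something like `# One aggregate route for the whole /80: destinations with no matching peer are dropped by WireGuard's cryptokey routing rather than leaking to the default route.` The device name `"yggdrasil"` is repeated as a literal in the route command while the interface is declared by the `yggdrasil` attribute two lines above, so the two must be kept in sync by hand. Whether the route is cleaned up on shutdown depends on the link being deleted rather than merely brought down, which this hunk does not show; if the module only downs the link, a matching `postShutdown` removing the route would be needed. The enclosing `in { … }` attribute set begins outside this hunk.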