summaryrefslogtreecommitdiff
path: root/modules/yggdrasil-wg/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'modules/yggdrasil-wg/default.nix')
-rw-r--r--modules/yggdrasil-wg/default.nix45
1 files changed, 4 insertions, 41 deletions
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 5a20c76f..49acb76e 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -4,7 +4,6 @@ with lib;
4 4
5let 5let
6 listenPort = 51820; 6 listenPort = 51820;
7 udp2rawPort = 51821;
8 wgSubnet = "2a03:4000:52:ada:1"; 7 wgSubnet = "2a03:4000:52:ada:1";
9 wgSubnetLength = 80; 8 wgSubnetLength = 80;
10 wgHostLength = wgSubnetLength + 16; 9 wgHostLength = wgSubnetLength + 16;
@@ -16,13 +15,11 @@ let
16 { from = "vidhar"; 15 { from = "vidhar";
17 to = "surtr"; 16 to = "surtr";
18 endpointHost = "202.61.241.61"; 17 endpointHost = "202.61.241.61";
19 udp2raw = true;
20 PersistentKeepalive = 25; 18 PersistentKeepalive = 25;
21 } 19 }
22 { from = "sif"; 20 { from = "sif";
23 to = "surtr"; 21 to = "surtr";
24 endpointHost = "202.61.241.61"; 22 endpointHost = "202.61.241.61";
25 # udp2raw = true;
26 PersistentKeepalive = 25; 23 PersistentKeepalive = 25;
27 } 24 }
28 { from = "sif"; 25 { from = "sif";
@@ -67,7 +64,9 @@ let
67 in { 64 in {
68 AllowedIPs = wgHostIPs.${other}; 65 AllowedIPs = wgHostIPs.${other};
69 PublicKey = trim (readFile (mkPublicKeyPath other)); 66 PublicKey = trim (readFile (mkPublicKeyPath other));
70 } // (optionalAttrs (from == hostName) (filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost" "udp2raw"])) opts // optionalAttrs (opts ? "endpointHost" && from == hostName) (if opts ? "udp2raw" then { Endpoint = "127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}"; } else { Endpoint = "${opts.endpointHost}:${toString listenPort}"; }))); 67 } // (optionalAttrs (from == hostName) (linkCfgFilterCustom opts // linkMkEndpointCfg opts));
68 linkCfgFilterCustom = filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost"]));
69 linkMkEndpointCfg = opts@{from, ...}: optionalAttrs (opts ? "endpointHost" && from == hostName) { Endpoint = "${opts.endpointHost}:${toString listenPort}"; };
71 linkToGreDev = opts@{from, to, ...}: 70 linkToGreDev = opts@{from, to, ...}:
72 let 71 let
73 other = if from == hostName then to else from; 72 other = if from == hostName then to else from;
@@ -104,7 +103,7 @@ let
104 withOpts = listToAttrs (imap0 (ix: x: nameValuePair x.name (x.value // { ${optName} = ix; })) (filter (x: x.value.${optName} or false) (imap0 (ix: nameValuePair (toString ix)) xs))); 103 withOpts = listToAttrs (imap0 (ix: x: nameValuePair x.name (x.value // { ${optName} = ix; })) (filter (x: x.value.${optName} or false) (imap0 (ix: nameValuePair (toString ix)) xs)));
105 withoutOpts = listToAttrs (map (nv: nameValuePair nv.name (removeAttrs nv.value [optName])) (filter (x: !(x.value.${optName} or false)) (imap0 (ix: nameValuePair (toString ix)) xs))); 104 withoutOpts = listToAttrs (map (nv: nameValuePair nv.name (removeAttrs nv.value [optName])) (filter (x: !(x.value.${optName} or false)) (imap0 (ix: nameValuePair (toString ix)) xs)));
106 in genList (ix: withOpts.${toString ix} or withoutOpts.${toString ix}) (length xs); 105 in genList (ix: withOpts.${toString ix} or withoutOpts.${toString ix}) (length xs);
107 mkLinks = optIx "udp2raw"; 106 mkLinks = id;
108 toHexByte = n: let 107 toHexByte = n: let
109 hex = toHexString n; 108 hex = toHexString n;
110 in if (stringLength hex < 2) then "0${hex}" else hex; 109 in if (stringLength hex < 2) then "0${hex}" else hex;
@@ -181,38 +180,6 @@ in {
181 } // listToAttrs (imap0 linkToGreNetwork hostLinks); 180 } // listToAttrs (imap0 linkToGreNetwork hostLinks);
182 }; 181 };
183 182
184 systemd.services = listToAttrs (filter ({ value, ...}: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in nameValuePair "yggdrasil-udp2raw@${other}" (if opts ? "endpointHost" && opts ? "udp2raw" then {
185 path = with pkgs; [iptables];
186 wantedBy = [ "network.target" ];
187 serviceConfig = {
188 RuntimeDirectory = ["udp2raw-config-${other}"];
189 RuntimeDirectoryMode = "0700";
190 ExecStartPre = pkgs.writeShellScript "udp2raw-mkconfig-${other}.sh" ''
191 umask 0077
192 secret=$(cat ${config.sops.secrets."yggdrasil-udp2raw-secret".path})
193 cat >''${RUNTIME_DIRECTORY}/udp2raw.conf <<EOF
194 ${if from == hostName then ''
195 -c
196 -l 127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}
197 -r ${opts.endpointHost}:${toString (udp2rawPort + opts.udp2raw)}
198 '' else ''
199 -s
200 -l 0.0.0.0:${toString (udp2rawPort + opts.udp2raw)}
201 -r 127.0.0.1:${toString listenPort}
202 ''}
203 -k $secret
204 --auth-mode hmac_sha1
205 --raw-mode faketcp
206 --seq-mode 4
207 -a
208 --retry-on-error
209 EOF
210 '';
211 ExecStart = "${pkgs.udp2raw}/bin/udp2raw --conf-file \${RUNTIME_DIRECTORY}/udp2raw.conf";
212 Restart = "always";
213 };
214 } else null)) hostLinks));
215
216 sops.secrets = { 183 sops.secrets = {
217 "yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) { 184 "yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) {
218 format = "binary"; 185 format = "binary";
@@ -221,10 +188,6 @@ in {
221 owner = "root"; 188 owner = "root";
222 group = "systemd-network"; 189 group = "systemd-network";
223 }; 190 };
224 "yggdrasil-udp2raw-secret" = mkIf (any (opts@{to, from, ...}: opts ? "endpointHost" && opts ? "udp2raw") hostLinks) {
225 format = "binary";
226 sopsFile = ./udp2raw-secret;
227 };
228 }; 191 };
229 192
230 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs))); 193 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs)));
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-11 05:24:00 +0000