Diffstat (limited to 'modules/yggdrasil-wg')
| -rw-r--r-- | modules/yggdrasil-wg/default.nix | 45 | ||||
| -rw-r--r-- | modules/yggdrasil-wg/udp2raw-secret | 36 | 
2 files changed, 4 insertions, 77 deletions
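--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -4,7 +4,6 @@ with lib;
 
 let
   listenPort = 51820;
-  udp2rawPort = 51821;
   wgSubnet = "2a03:4000:52:ada:1";
   wgSubnetLength = 80;
   wgHostLength = wgSubnetLength + 16;
@@ -16,13 +15,11 @@ let
     { from = "vidhar";
       to = "surtr";
       endpointHost = "202.61.241.61";
-      udp2raw = true;
       PersistentKeepalive = 25;
     }
     { from = "sif";
       to = "surtr";
       endpointHost = "202.61.241.61";
-      # udp2raw = true;
       PersistentKeepalive = 25;
     }
     { from = "sif";
@@ -67,7 +64,9 @@ let
     in {
       AllowedIPs = wgHostIPs.${other};
       PublicKey = trim (readFile (mkPublicKeyPath other));
-    } // (optionalAttrs (from == hostName) (filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost" "udp2raw"])) opts // optionalAttrs (opts ? "endpointHost" && from == hostName) (if opts ? "udp2raw" then { Endpoint = "127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}"; } else { Endpoint = "${opts.endpointHost}:${toString listenPort}"; })));
+    } // (optionalAttrs (from == hostName) (linkCfgFilterCustom opts // linkMkEndpointCfg opts));
+  linkCfgFilterCustom = filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost"]));
+  linkMkEndpointCfg = opts@{from, ...}: optionalAttrs (opts ? "endpointHost" && from == hostName) { Endpoint = "${opts.endpointHost}:${toString listenPort}"; };
   linkToGreDev = opts@{from, to, ...}:
     let
       other = if from == hostName then to else from;
@@ -104,7 +103,7 @@ let
       withOpts = listToAttrs (imap0 (ix: x: nameValuePair x.name (x.value // { ${optName} = ix; })) (filter (x: x.value.${optName} or false) (imap0 (ix: nameValuePair (toString ix)) xs)));
       withoutOpts = listToAttrs (map (nv: nameValuePair nv.name (removeAttrs nv.value [optName])) (filter (x: !(x.value.${optName} or false)) (imap0 (ix: nameValuePair (toString ix)) xs)));
     in genList (ix: withOpts.${toString ix} or withoutOpts.${toString ix}) (length xs);
-  mkLinks = optIx "udp2raw";
+  mkLinks = id;
   toHexByte = n: let
     hex = toHexString n;
   in if (stringLength hex < 2) then "0${hex}" else hex;
@@ -181,38 +180,6 @@ in {
     } // listToAttrs (imap0 linkToGreNetwork hostLinks);
   };
 
-  systemd.services = listToAttrs (filter ({ value, ...}: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in nameValuePair "yggdrasil-udp2raw@${other}" (if opts ? "endpointHost" && opts ? "udp2raw" then {
-    path = with pkgs; [iptables];
-    wantedBy = [ "network.target" ];
-    serviceConfig = {
-      RuntimeDirectory = ["udp2raw-config-${other}"];
-      RuntimeDirectoryMode = "0700";
-      ExecStartPre = pkgs.writeShellScript "udp2raw-mkconfig-${other}.sh" ''
-        umask 0077
-        secret=$(cat ${config.sops.secrets."yggdrasil-udp2raw-secret".path})
-        cat >''${RUNTIME_DIRECTORY}/udp2raw.conf <<EOF
-        ${if from == hostName then ''
-          -c
-          -l 127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}
-          -r ${opts.endpointHost}:${toString (udp2rawPort + opts.udp2raw)}
-        '' else ''
-          -s
-          -l 0.0.0.0:${toString (udp2rawPort + opts.udp2raw)}
-          -r 127.0.0.1:${toString listenPort}
-        ''}
-        -k $secret
-        --auth-mode hmac_sha1
-        --raw-mode faketcp
-        --seq-mode 4
-        -a
-        --retry-on-error
-        EOF
-      '';
-      ExecStart = "${pkgs.udp2raw}/bin/udp2raw --conf-file \${RUNTIME_DIRECTORY}/udp2raw.conf";
-      Restart = "always";
-    };
-  } else null)) hostLinks));
-
   sops.secrets = {
     "yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) {
       format = "binary";
@@ -221,10 +188,6 @@ in {
       owner = "root";
       group = "systemd-network";
     };
-    "yggdrasil-udp2raw-secret" = mkIf (any (opts@{to, from, ...}: opts ? "endpointHost" && opts ? "udp2raw") hostLinks) {
-      format = "binary";
-      sopsFile = ./udp2raw-secret;
-    };
   };
 
   networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs)));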
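Review bot: With `udp2raw` removed from the exclusion list in `linkCfgFilterCustom` (new line 68) and `mkLinks = id` (new line 106), any link entry that still carries a `udp2raw` attribute is no longer consumed by `optIx` but copied verbatim into the `[WireGuardPeer]` attribute set next to `PersistentKeepalive`, where systemd-networkd would see an unknown key; the commit removes the only live entry, but nothing stops one from being reintroduced. A one-line guard keeps the transition safe, e.g. `assert !(any (l: l ? "udp2raw") hostLinks);` near `mkLinks`, or keep `"udp2raw"` in the filter list with a comment saying it is retired. `optIx` (new lines 103–105) now has no caller in view and reads as dead code once `mkLinks` is the identity, so either drop it or note why it is kept. Two operational points worth a comment in the module: peers now reach `listenPort` (51820) as plain WireGuard UDP at `endpointHost`, so the faketcp obfuscation path is gone by design, and the deleted sops file remains in git history (ciphertext under four PGP recipients), so the udp2raw pre-shared key should be treated as retired rather than reusable.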
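--- a/modules/yggdrasil-wg/udp2raw-secret
+++ /dev/null
@@ -1,36 +0,0 @@
-{
-  "data": "ENC[AES256_GCM,data:GOriV+Kb7gKgEBaqgN5XysKvJl9PbImG5ZdelRpdZcw9,iv:TmRuxpm7Hl3xEu/Zm+Tzl7/Jvg92DUiBlw5oT1p9XhU=,tag:UCKKpPDJ7jloplM5jsc9Dg==,type:str]",
-  "sops": {
-    "kms": null,
-    "gcp_kms": null,
-    "azure_kv": null,
-    "hc_vault": null,
-    "age": null,
-    "lastmodified": "2021-10-10T12:04:09Z",
-    "mac": "ENC[AES256_GCM,data:z0YkHarF33dgtWXCziVUmhDZPF9nMbnAb4fUGbg7e2w66Rv29lB2tTGd0mmAHku0ZO9BQ+b19zWslKUAcSxTRbtYx+BY/4QZBQ6kxeo3ujg9xFCqv28oc7Vf/MTnDXj/ViZP+twuw9jsHLQ5hY5N1Unh8/hTNS+lHq+Tiso8dcM=,iv:9pezJ4vFVokWcVcXzBT/jtJyicfDdykUHB9nZQ0V/74=,tag:wmXnYnd6//NAy/aWU9SMyg==,type:str]",
-    "pgp": [
-      {
-        "created_at": "2021-10-10T12:04:08Z",
-        "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAEnoWy2jZG0Jf1+4G3heV7MTNlur4dqX5fSJZRN6khw8w\ngab9Z73+fCsYm0fmYBJ8EyHLLjhHKP4KiE5pwFW4dNu6XBcHtRHSptZK/zTMMStv\n0l4BCt7PF5q0dPatuqWZ0+2Ns8LSXT/YZVwUkvy3KS8UcZQq7xSwDdBqSTVc1lsz\nb6OI+b3sDHdmzK3MVHAgNEF74wx2or/ccbQT7n5EZxRkGoNbS9Fa7CY3DnJFVEkl\n=jCLU\n-----END PGP MESSAGE-----\n",
-        "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
-      },
-      {
-        "created_at": "2021-10-10T12:04:08Z",
-        "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAlsp51HC3CZphu7rZ1hdWk9NzUlkn0DzcWwQ7UcNd524w\nAI4RpCSmOdRy/dy8oMV+9Kv8YgqmChynN/kIgFkHbS5pdbBl50o2xzOhjB26WoJh\n0l4BbkK1QSZkzUCcQzlunqn5N3pvkCjPdBW2DOkAIrNwvEs7A8nPmrrn9AHQrLlq\nEdDYPkREA5TXftnhmu4BAQ01zsoKp2Ny6gAdHMBlLAcS4PM+ugdplYGBAlALtl2P\n=Zrhp\n-----END PGP MESSAGE-----\n",
-        "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
-      },
-      {
-        "created_at": "2021-10-10T12:04:08Z",
-        "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdA7KxnxC4ZvSLm91bBavRzmTnJwq5Ed+XAPR3Xv1l4X3ww\nQjmDqbJB2av+PJCltta3I4LWh6SOMJ9AOjav6pBPrpFncqkTJoW3CoA9PA4SG4cC\n0l4BG37XFitMYEJdPliwoWcCBoCmKtRBlgwuY9yuyzkTE8pgzbYy+Wa9E7wZJsXD\n3rdziltY8/33Zx9bQvK0VnEsMIZHE3mHHItWcJ0pPUbIZH7QjetweB4oVhBo8CZu\n=PL3V\n-----END PGP MESSAGE-----\n",
-        "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
-      },
-      {
-        "created_at": "2021-10-10T12:04:08Z",
-        "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAF2b1Qg/tPPI4Iyz8QutxrWlOetqN7HzkKEfhtfFO504w\nQtEf0ki8xXsnb03WLknONFFw9SXsTAy7d4xcCuYYbjSID0SwC9OsM6jS/LIXxayI\n0l4BbD6PKAu0vihO1Yrar8HaVX9ybafP48PN8cHGF23AELlFdxMZG94pBN4gzKBN\nxn2XtQSjI8xidnE2fEoZKA6YogDdK5Lig21RRFnRaoytJGtNCTIwYaG88WuObUHD\n=qwAT\n-----END PGP MESSAGE-----\n",
-        "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-      }
-    ],
-    "unencrypted_suffix": "_unencrypted",
-    "version": "3.7.1"
-  }
-}
\ No newline at end of file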
