Diffstat (limited to 'modules')
| -rw-r--r-- | modules/yggdrasil-wg/default.nix | 14 | 
1 files changed, 12 insertions, 2 deletions
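--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -46,6 +46,7 @@ let
 inNetwork = pathExists privateKeyPath && pathExists publicKeyPath;
 hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
 hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
+isRouter = inNetwork && any ({via, ...}: via == hostName) routes;
 linkToPeer = opts@{from, to, ...}:
 let
 other = if from == hostName then to else from;
@@ -90,8 +91,17 @@ in {
 
 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs)));
 
-boot.kernel.sysctl = mkIf (any ({via, ...}: via == hostName) routes) {
-"net.ipv6.conf.yggdrasil.forwarding" = 1;
+networking.firewall = mkIf isRouter {
+extraCommands = ''
+iptables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
+iptables -A FORWARD -j nixos-fw-log-refuse
+sysctl net.ipv6.conf.all.forwarding=1
+'';
+extraStopCommands = ''
+sysctl net.ipv6.conf.all.forwarding=0
+iptables -D FORWARD -j nixos-fw-log-refuse
+iptables -D FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
+'';
 };
 };
 }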
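Review bot: The FORWARD rules in the second hunk are added with `iptables`, which only programs the IPv4 table, while the traffic this router is meant to pass is IPv6 (the sysctl toggled on the next line is `net.ipv6.conf.all.forwarding`); the ip6tables FORWARD chain therefore gets neither the yggdrasil-to-yggdrasil accept nor the trailing log-refuse, so IPv6 forwarding is opened without the intended filter. Using the firewall script's `ip46tables` helper on the four rule lines (e.g. `ip46tables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept`) applies them to both tables. The sysctl also widens scope from the removed per-interface `net.ipv6.conf.yggdrasil.forwarding` to all interfaces, which on Linux additionally changes router-advertisement acceptance on other interfaces; keeping it interface-scoped (`sysctl net.ipv6.conf.yggdrasil.forwarding=1`) preserves the old behaviour. Because `extraCommands` re-run on a firewall reload and the FORWARD chain is not flushed by the NixOS script, the `-A` lines are likely to accumulate duplicates; an `-D ... 2>/dev/null || true` before each `-A`, or a dedicated chain, would keep the rule set idempotent. The enclosing module attribute set (`in {`) starts before this hunk.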
