From 7085030e4ad9c1d723a2afbff73bb9d0798c2370 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 17 Oct 2021 21:59:50 +0200
Subject: yggdrasil-wg: ...
---
 modules/yggdrasil-wg/default.nix | 39 +--------------------------------------
 1 file changed, 1 insertion(+), 38 deletions(-)
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index a09b1d99..86e2b98a 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -56,13 +56,11 @@ let
 privateKeyPath = mkPrivateKeyPath hostName; inNetwork = pathExists privateKeyPath && pathExists publicKeyPath; hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
- # hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
- # isRouter = inNetwork && any ({via, ...}: via == hostName) routes;
 linkToPeer = opts@{from, to, ...}: let other = if from == hostName then to else from; in {
- AllowedIPs = wgHostIPs.${other}; # ++ concatMap (rArgs: if rArgs.from != hostName || rArgs.via != to then [] else wgHostIPs.${rArgs.to}) routes;
+ AllowedIPs = wgHostIPs.${other};
 PublicKey = trim (readFile (mkPublicKeyPath other)); } // (optionalAttrs (from == hostName) (filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost" "udp2raw"])) opts // optionalAttrs (opts ? "endpointHost" && from == hostName) (if opts ? "udp2raw" then { Endpoint = "127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}"; } else { Endpoint = "${opts.endpointHost}:${toString listenPort}"; }))); linkToGreDev = opts@{from, to, ...}: 
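Review bot: With the trailing route comment dropped from `AllowedIPs = wgHostIPs.${other};`, nothing records why a peer's allowed addresses are limited to its own entry in wgHostIPs rather than also covering hosts reachable through it. WireGuard uses AllowedIPs for cryptokey routing, so this restriction is what makes the interface drop packets a peer sends with another host's source address; someone who later finds the removed hostRoutes/isRouter bindings in history could reinstate transit routes without noticing that it widens that check. A one-line comment such as `# Peer's own addresses only: no transit routes, so a peer can only source traffic for itself` would keep the intent visible. linkToPeer continues past the end of the hunk.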
@@ -180,21 +178,6 @@ in {
 } // listToAttrs (imap0 linkToGreNetwork hostLinks); };
- # networking.wireguard.interfaces = mkIf inNetwork {
- # yggdrasil = {
- # allowedIPsAsRoutes = false;
- # inherit listenPort;
- # ips = wgHostIPs.${hostName};
- # peers = filter (value: value != null) (map (opts@{to, from, ...}: if from == hostName || to == hostName then linkToPeer opts else null) links);
- # privateKeyFile = config.sops.secrets."yggdrasil-wg.priv".path;
- # postSetup = ''
- # ip li set mtu 1280 dev yggdrasil
- # ${concatMapStringsSep "\n" (linkArgs: let other = if linkArgs.from == hostName then linkArgs.to else linkArgs.from; in concatMapStringsSep "\n" (otherIP: "ip route replace \"${otherIP}\" dev \"yggdrasil\" table \"main\"") wgHostIPs.${other}) hostLinks}
- # ${concatMapStringsSep "\n" (routeArgs: let other = if routeArgs.from == hostName then routeArgs.to else routeArgs.from; in concatMapStringsSep "\n" (otherIP: concatMapStringsSep "\n" (viaIP: "ip route replace \"${otherIP}\" via \"${viaIP}\" dev \"yggdrasil\" table \"main\"") (map stripSubnet wgHostIPs.${routeArgs.via})) wgHostIPs.${other}) hostRoutes}
- # '';
- # };
- # };
-
 systemd.services = listToAttrs (filter ({ value, ...}: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in nameValuePair "yggdrasil-udp2raw@${other}" (if opts ? "endpointHost" && opts ? "udp2raw" then { path = with pkgs; [iptables]; serviceConfig = { 
@@ -225,13 +208,6 @@ in {
 Restart = "always"; }; } else null)) hostLinks));
- # // {
- # "wireguard-yggdrasil" = {
- # bindsTo = filter (value: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in if opts ? "endpointHost" && opts ? "udp2raw" then "yggdrasil-udp2raw@${other}.service" else null) hostLinks);
- # after = filter (value: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in if opts ? "endpointHost" && opts ? "udp2raw" then "yggdrasil-udp2raw@${other}.service" else null) hostLinks);
- # };
- # firewall.path = optionals isRouter [pkgs.procps];
- # };
 sops.secrets = { "yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) {
@@ -249,19 +225,6 @@ in {
 networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs)));
- # networking.firewall = mkIf isRouter {
- # extraCommands = ''
- # ip6tables -A FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept
- # ip46tables -A FORWARD -j nixos-fw-log-refuse
- # sysctl net.ipv6.conf.all.forwarding=1
- # '';
- # extraStopCommands = ''
- # sysctl net.ipv6.conf.all.forwarding=0
- # ip46tables -D FORWARD -j nixos-fw-log-refuse || true
- # ip6tables -D FORWARD -i yggdrasil -o yggdrasil -j nixos-fw-accept || true
- # '';
- # };
-
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv]; environment.systemPackages = with pkgs; [ wireguard-tools batctl ]; };
-- cgit v1.2.3