From 41e0950db253bed0bdf6fb9e2f9cc72c355c0e36 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Sat, 23 Oct 2021 16:11:35 +0200
Subject: yggdrasil-wg: no udp2raw

---
 modules/yggdrasil-wg/default.nix    | 45 ++++---------------------------------
 modules/yggdrasil-wg/udp2raw-secret | 36 -----------------------------
 2 files changed, 4 insertions(+), 77 deletions(-)
 delete mode 100644 modules/yggdrasil-wg/udp2raw-secret

(limited to 'modules/yggdrasil-wg')

diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 5a20c76f..49acb76e 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -4,7 +4,6 @@ with lib;
 
 let
   listenPort = 51820;
-  udp2rawPort = 51821;
   wgSubnet = "2a03:4000:52:ada:1";
   wgSubnetLength = 80;
   wgHostLength = wgSubnetLength + 16;
@@ -16,13 +15,11 @@ let
     { from = "vidhar";
       to = "surtr";
       endpointHost = "202.61.241.61";
-      udp2raw = true;
       PersistentKeepalive = 25;
     }
     { from = "sif";
       to = "surtr";
       endpointHost = "202.61.241.61";
-      # udp2raw = true;
       PersistentKeepalive = 25;
     }
     { from = "sif";
@@ -67,7 +64,9 @@ let
     in {
       AllowedIPs = wgHostIPs.${other};
       PublicKey = trim (readFile (mkPublicKeyPath other));
-    } // (optionalAttrs (from == hostName) (filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost" "udp2raw"])) opts // optionalAttrs (opts ? "endpointHost" && from == hostName) (if opts ? "udp2raw" then { Endpoint = "127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}"; } else { Endpoint = "${opts.endpointHost}:${toString listenPort}"; })));
+    } // (optionalAttrs (from == hostName) (linkCfgFilterCustom opts // linkMkEndpointCfg opts));
+  linkCfgFilterCustom = filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost"]));
+  linkMkEndpointCfg = opts@{from, ...}: optionalAttrs (opts ? "endpointHost" && from == hostName) { Endpoint = "${opts.endpointHost}:${toString listenPort}"; };
   linkToGreDev = opts@{from, to, ...}:
     let
       other = if from == hostName then to else from;
@@ -104,7 +103,7 @@ let
     withOpts = listToAttrs (imap0 (ix: x: nameValuePair x.name (x.value // { ${optName} = ix; })) (filter (x: x.value.${optName} or false) (imap0 (ix: nameValuePair (toString ix)) xs)));
     withoutOpts = listToAttrs (map (nv: nameValuePair nv.name (removeAttrs nv.value [optName])) (filter (x: !(x.value.${optName} or false)) (imap0 (ix: nameValuePair (toString ix)) xs)));
   in genList (ix: withOpts.${toString ix} or withoutOpts.${toString ix}) (length xs);
-  mkLinks = optIx "udp2raw";
+  mkLinks = id;
   toHexByte = n: let
     hex = toHexString n;
   in if (stringLength hex < 2) then "0${hex}" else hex;
@@ -181,38 +180,6 @@ in {
       } // listToAttrs (imap0 linkToGreNetwork hostLinks);
     };
 
-    systemd.services = listToAttrs (filter ({ value, ...}: value != null) (map (opts@{to, from, ...}: let other = if from == hostName then to else from; in nameValuePair "yggdrasil-udp2raw@${other}" (if opts ? "endpointHost" && opts ? "udp2raw" then {
-      path = with pkgs; [iptables];
-      wantedBy = [ "network.target" ];
-      serviceConfig = {
-        RuntimeDirectory = ["udp2raw-config-${other}"];
-        RuntimeDirectoryMode = "0700";
-        ExecStartPre = pkgs.writeShellScript "udp2raw-mkconfig-${other}.sh" ''
-          umask 0077
-          secret=$(cat ${config.sops.secrets."yggdrasil-udp2raw-secret".path})
-          cat >''${RUNTIME_DIRECTORY}/udp2raw.conf <<EOF
-          ${if from == hostName then ''
-            -c
-            -l 127.0.0.1:${toString (udp2rawPort + opts.udp2raw)}
-            -r ${opts.endpointHost}:${toString (udp2rawPort + opts.udp2raw)}
-          '' else ''
-            -s
-            -l 0.0.0.0:${toString (udp2rawPort + opts.udp2raw)}
-            -r 127.0.0.1:${toString listenPort}
-          ''}
-          -k $secret
-          --auth-mode hmac_sha1
-          --raw-mode faketcp
-          --seq-mode 4
-          -a
-          --retry-on-error
-          EOF
-        '';
-        ExecStart = "${pkgs.udp2raw}/bin/udp2raw --conf-file \${RUNTIME_DIRECTORY}/udp2raw.conf";
-        Restart = "always";
-      };
-    } else null)) hostLinks));
-
     sops.secrets = {
       "yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) {
         format = "binary";
@@ -221,10 +188,6 @@ in {
         owner = "root";
         group = "systemd-network";
       };
-      "yggdrasil-udp2raw-secret" = mkIf (any (opts@{to, from, ...}: opts ? "endpointHost" && opts ? "udp2raw") hostLinks) {
-        format = "binary";
-        sopsFile = ./udp2raw-secret;
-      };
     };
 
     networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs)));
diff --git a/modules/yggdrasil-wg/udp2raw-secret b/modules/yggdrasil-wg/udp2raw-secret
deleted file mode 100644
index bed8de83..00000000
--- a/modules/yggdrasil-wg/udp2raw-secret
+++ /dev/null
@@ -1,36 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:GOriV+Kb7gKgEBaqgN5XysKvJl9PbImG5ZdelRpdZcw9,iv:TmRuxpm7Hl3xEu/Zm+Tzl7/Jvg92DUiBlw5oT1p9XhU=,tag:UCKKpPDJ7jloplM5jsc9Dg==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": null,
-		"lastmodified": "2021-10-10T12:04:09Z",
-		"mac": "ENC[AES256_GCM,data:z0YkHarF33dgtWXCziVUmhDZPF9nMbnAb4fUGbg7e2w66Rv29lB2tTGd0mmAHku0ZO9BQ+b19zWslKUAcSxTRbtYx+BY/4QZBQ6kxeo3ujg9xFCqv28oc7Vf/MTnDXj/ViZP+twuw9jsHLQ5hY5N1Unh8/hTNS+lHq+Tiso8dcM=,iv:9pezJ4vFVokWcVcXzBT/jtJyicfDdykUHB9nZQ0V/74=,tag:wmXnYnd6//NAy/aWU9SMyg==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2021-10-10T12:04:08Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAEnoWy2jZG0Jf1+4G3heV7MTNlur4dqX5fSJZRN6khw8w\ngab9Z73+fCsYm0fmYBJ8EyHLLjhHKP4KiE5pwFW4dNu6XBcHtRHSptZK/zTMMStv\n0l4BCt7PF5q0dPatuqWZ0+2Ns8LSXT/YZVwUkvy3KS8UcZQq7xSwDdBqSTVc1lsz\nb6OI+b3sDHdmzK3MVHAgNEF74wx2or/ccbQT7n5EZxRkGoNbS9Fa7CY3DnJFVEkl\n=jCLU\n-----END PGP MESSAGE-----\n",
-				"fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
-			},
-			{
-				"created_at": "2021-10-10T12:04:08Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAlsp51HC3CZphu7rZ1hdWk9NzUlkn0DzcWwQ7UcNd524w\nAI4RpCSmOdRy/dy8oMV+9Kv8YgqmChynN/kIgFkHbS5pdbBl50o2xzOhjB26WoJh\n0l4BbkK1QSZkzUCcQzlunqn5N3pvkCjPdBW2DOkAIrNwvEs7A8nPmrrn9AHQrLlq\nEdDYPkREA5TXftnhmu4BAQ01zsoKp2Ny6gAdHMBlLAcS4PM+ugdplYGBAlALtl2P\n=Zrhp\n-----END PGP MESSAGE-----\n",
-				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
-			},
-			{
-				"created_at": "2021-10-10T12:04:08Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdA7KxnxC4ZvSLm91bBavRzmTnJwq5Ed+XAPR3Xv1l4X3ww\nQjmDqbJB2av+PJCltta3I4LWh6SOMJ9AOjav6pBPrpFncqkTJoW3CoA9PA4SG4cC\n0l4BG37XFitMYEJdPliwoWcCBoCmKtRBlgwuY9yuyzkTE8pgzbYy+Wa9E7wZJsXD\n3rdziltY8/33Zx9bQvK0VnEsMIZHE3mHHItWcJ0pPUbIZH7QjetweB4oVhBo8CZu\n=PL3V\n-----END PGP MESSAGE-----\n",
-				"fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
-			},
-			{
-				"created_at": "2021-10-10T12:04:08Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAF2b1Qg/tPPI4Iyz8QutxrWlOetqN7HzkKEfhtfFO504w\nQtEf0ki8xXsnb03WLknONFFw9SXsTAy7d4xcCuYYbjSID0SwC9OsM6jS/LIXxayI\n0l4BbD6PKAu0vihO1Yrar8HaVX9ybafP48PN8cHGF23AELlFdxMZG94pBN4gzKBN\nxn2XtQSjI8xidnE2fEoZKA6YogDdK5Lig21RRFnRaoytJGtNCTIwYaG88WuObUHD\n=qwAT\n-----END PGP MESSAGE-----\n",
-				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-			}
-		],
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.1"
-	}
-}
\ No newline at end of file
-- 
cgit v1.2.3