From e8ea72d0393c90a13921407ed7998efdf4263b76 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 9 Oct 2021 10:57:24 +0200
Subject: yggdrasil-wg: ...

---
 modules/yggdrasil-wg/default.nix | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
(limited to 'modules')

diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 1fd7092c..9c58c9fe 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -6,6 +6,7 @@ let
   listenPort = 51820;
   subnet = "2a03:4000:52:ada:1";
   subnetLength = 80;
+  hostLength = subnetLength + 16;
   links = [
     { from = "vidhar";
@@ -21,7 +22,16 @@ let
       dynamicEndpointRefreshSeconds = 86400;
     }
   ];
-  hostLength = subnetLength + 16;
+  routes = [
+    { from = "sif";
+      to = "vidhar";
+      via = "surtr";
+    }
+    { from = "vidhar";
+      to = "sif";
+      via = "surtr";
+    }
+  ];
   hostIPs = {
     surtr = ["${subnet}::/${toString hostLength}"];
     vidhar = ["${subnet}:1::/${toString hostLength}"];
@@ -35,11 +45,12 @@ let
     privateKeyPath = mkPrivateKeyPath hostName;
     inNetwork = pathExists privateKeyPath && pathExists publicKeyPath;
     hostLinks = filter ({ from, to, ... }: from == hostName || to == hostName) links;
+    hostRoutes = filter ({ from, to, ... }: from == hostName || to == hostName) routes;
     linkToPeer = opts@{from, to, ...}: let
       other = if from == hostName then to else from;
     in {
-      allowedIPs = hostIPs.${other};
+      allowedIPs = hostIPs.${other} ++ concatMap (rArgs: if rArgs.from != hostName || rArgs.via != to then [] else hostIPs.${rArgs.to}) routes;
       publicKey = trim (readFile (mkPublicKeyPath other));
     } // (optionalAttrs (from == hostName) (filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost"])) opts // optionalAttrs (opts ? "endpointHost") { endpoint = "${opts.endpointHost}:${toString listenPort}"; }));
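Review bot: The new `routes` list is consumed as directional — the allowedIPs expression in the next hunk only considers entries whose `from` is the current host — so a reachable pair needs both entries, as the two entries here happen to do, but nothing says so. I'd add above `routes = [` the comment `# Directional: declare both directions explicitly; from/to/via must each be a key of hostIPs.` The key requirement follows from the `hostIPs.${rArgs.to}` and `hostIPs.${routeArgs.via}` lookups later in the patch, which fail evaluation with an unhelpful attribute-missing error on a typo.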
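Review bot: The added allowedIPs expression compares `rArgs.via` with the link's `to` field instead of with `other`, so it only widens the peer when the current host is the `from` side of its link to the via host; for a link declared as `{ from = <via-host>; to = <this-host>; }` the routed prefixes are never allowed and WireGuard silently drops the forwarded packets. The intended test is `allowedIPs = hostIPs.${other} ++ concatMap (rArgs: if rArgs.from != hostName || rArgs.via != other then [] else hostIPs.${rArgs.to}) routes;`. Separately, `hostRoutes` repeats the `hostLinks` predicate verbatim; a shared `involvesHost = { from, to, ... }: from == hostName || to == hostName;` would keep the two filters in step. The `linkToPeer` binding continues past the end of the hunk.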
@@ -64,7 +75,8 @@ in {
       peers = map linkToPeer hostLinks;
       privateKeyFile = config.sops.secrets."yggdrasil-wg.priv".path;
       postSetup = ''
-        ${pkgs.iproute2}/bin/ip route replace "${subnet}::/${toString subnetLength}" dev "yggdrasil" table "main"
+        ${concatMapStringsSep "\n" (linkArgs: let other = if linkArgs.from == hostName then linkArgs.to else linkArgs.from; in concatMapStringsSep "\n" (otherIP: "ip route replate \"${otherIP}\" dev \"yggdrasil\" table \"main\"") hostIPs.${other}) hostLinks}
+        ${concatMapStringsSep "\n" (routeArgs: let other = if routeArgs.from == hostName then routeArgs.to else routeArgs.from; in concatMapStringsSep "\n" (otherIP: concatMapStringsSep "\n" (viaIP: "ip route replate \"${otherIP}\" via \"${viaIP}\" dev \"yggdrasil\" table \"main\"") hostIPs.${routeArgs.via}) hostIPs.${other}) hostRoutes}
       '';
     };
   };
@@ -77,5 +89,9 @@ in {
     };
     networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs)));
+
+    boot.kernel.sysctl = mkIf (any ({via, ...}: via == hostName) routes) {
+      "net.ipv6.conf.yggdrasil.forwarding" = 1;
+    };
   };
 }
-- 
cgit v1.2.3
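Review bot: Both added lines emit `ip route replate`, where the removed line spelt `ip route replace`; `ip` rejects that spelling as an unknown command, so postSetup fails on every host that has a link. The second line also passes entries of `hostIPs` — which the earlier hunk builds as prefixes ending in `/${toString hostLength}` — as the `via` gateway, which `ip route` expects to be a plain address; the `stripSubnet` helper used for networking.hosts in the next hunk presumably yields that address form, so `via \"${stripSubnet viaIP}\"` looks like the intended value, but confirm against its definition, which is outside this patch. The `${pkgs.iproute2}/bin/` prefix of the removed line is dropped as well, so the script now depends on `ip` being on the service's PATH; restoring the absolute path keeps that dependency explicit.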
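Review bot: The sysctl added here sets only the per-interface key, but the kernel gates IPv6 forwarding on `net.ipv6.conf.all.forwarding` (the per-interface flag mainly switches host/router behaviour, per the ip-sysctl documentation), so on the via host packets between sif and vidhar are probably still not forwarded. `boot.kernel.sysctl` is also applied at boot, before the `yggdrasil` device exists, so a key under `conf.yggdrasil` may never take effect. Setting `"net.ipv6.conf.all.forwarding" = 1` turns the host into a router for every interface, so pair it with firewall rules that limit forwarding to the yggdrasil interface, or set the interface-specific key from postSetup once the device is up.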