From fd0d76cff24790194a27c8ed3ff47d83fedc8245 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Sun, 10 Oct 2021 14:11:18 +0200
Subject: yggdrasil-wg: ...

---
 modules/yggdrasil-wg/default.nix    | 31 ++++++++++++++++++++++++++++---
 modules/yggdrasil-wg/udp2raw-secret | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 modules/yggdrasil-wg/udp2raw-secret


diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index e7ecf709..db7780fb 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -86,7 +86,28 @@ in {
     systemd.services = listToAttrs (filter ({ value, ...}: value != null) (imap0 (ix: opts@{to, from, ...}: let other = if from == hostName then to else from; in nameValuePair "yggdrasil-udp2raw@${other}" (if opts ? "endpointHost" && (from == hostName || to == hostName) then {
       path = with pkgs; [iptables];
       serviceConfig = {
-        ExecStart = "${pkgs.udp2raw}/bin/udp2raw ${if from == hostName then "-c -l 127.0.0.1:${toString (udp2rawPort + ix)} -r ${opts.endpointHost}:${toString (udp2rawPort + ix)}" else "-s -l 0.0.0.0:${toString (udp2rawPort + ix)} -r 127.0.0.1:${toString listenPort}"} -k tmpkey --auth-mode hmac_sha1 --raw-mode faketcp -a";
+        RuntimeDirectory = ["config"];
+        ExecStartPre = pkgs.writeShellScript "udp2raw-mkconfig-${other}.sh" ''
+          secret=$(cat ${config.sops.secrets."yggdrasil-udp2raw-secret".path})
+          cat >''${RUNTIME_DIRECTORY}/udp2raw.conf <<EOF
+          ${if from == hostName then ''
+            -c
+            -l 127.0.0.1:${toString (udp2rawPort + ix)}
+            -r ${opts.endpointHost}:${toString (udp2rawPort + ix)}
+          '' else ''
+            -s
+            -l 0.0.0.0:${toString (udp2rawPort + ix)}
+            -r 127.0.0.1:${toString listenPort}
+          ''}
+          -k $secret
+          --auth-mode hmac_sha1
+          --raw-mode faketcp
+          -a
+          --retry-on-error
+          EOF
+        '';
+        ExecStart = "${pkgs.udp2raw}/bin/udp2raw --conf-file \${RUNTIME_DIRECTORY}/udp2raw.conf";
+        Restart = "always";
       };
     } else null)) links)) // {
       "wireguard-yggdrasil" = {
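Review bot: The generated `udp2raw.conf` now carries the pre-shared key (`-k $secret`, line with `-k`), but it is written into `RuntimeDirectory = ["config"]`, which systemd creates with its default mode 0755, and `cat >` runs under the service's default umask, so the key file is most likely world-readable under `/run/config/` — moving the key off the `ps`-visible command line is an improvement, but only if the file is locked down too. The directory name `config` is also shared by every `yggdrasil-udp2raw@${other}` instance, so concurrent instances overwrite each other's `udp2raw.conf` and systemd removes the whole directory when any one of them stops. I would use `RuntimeDirectory = ["yggdrasil-udp2raw/${other}"];`, add `RuntimeDirectoryMode = "0700";`, and start the script with `umask 077` (adjusting the `--conf-file` path accordingly). The enclosing `systemd.services` expression continues past the end of this hunk.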
@@ -96,11 +117,15 @@ in {
       firewall.path = optionals isRouter [pkgs.procps];
     };
 
-    sops.secrets = mkIf (pathExists privateKeyPath) {
-      "yggdrasil-wg.priv" = {
+    sops.secrets = {
+      "yggdrasil-wg.priv" = mkIf (pathExists privateKeyPath) {
         format = "binary";
         sopsFile = privateKeyPath;
       };
+      "yggdrasil-udp2raw-secret" = mkIf (any (opts@{to, from, ...}: (to == hostName || from == hostName) && opts ? "endpointHost") links) {
+        format = "binary";
+        sopsFile = ./udp2raw-secret;
+      };
     };
 
     networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair hostIPs)));
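Review bot: A single `./udp2raw-secret` is decrypted on every host that has an `endpointHost` link, so as written one symmetric key guards every udp2raw tunnel in the mesh, and compromising any one endpoint host yields the key used by all the others; if that is deliberate, a comment such as `# one PSK shared by all udp2raw links; rotate everywhere if any endpoint host is compromised` would make it explicit, otherwise a per-link secret selected by `other` would limit the blast radius. The predicate `(to == hostName || from == hostName) && opts ? "endpointHost"` also duplicates the one used to decide which `yggdrasil-udp2raw@` units to create, so a shared `let` binding (e.g. `usesUdp2raw = opts: …`) would keep the secret and the units from drifting apart. The enclosing attribute set begins and ends outside this hunk.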
diff --git a/modules/yggdrasil-wg/udp2raw-secret b/modules/yggdrasil-wg/udp2raw-secret
new file mode 100644
index 00000000..bed8de83
--- /dev/null
+++ b/modules/yggdrasil-wg/udp2raw-secret
@@ -0,0 +1,36 @@
+{
+	"data": "ENC[AES256_GCM,data:GOriV+Kb7gKgEBaqgN5XysKvJl9PbImG5ZdelRpdZcw9,iv:TmRuxpm7Hl3xEu/Zm+Tzl7/Jvg92DUiBlw5oT1p9XhU=,tag:UCKKpPDJ7jloplM5jsc9Dg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2021-10-10T12:04:09Z",
+		"mac": "ENC[AES256_GCM,data:z0YkHarF33dgtWXCziVUmhDZPF9nMbnAb4fUGbg7e2w66Rv29lB2tTGd0mmAHku0ZO9BQ+b19zWslKUAcSxTRbtYx+BY/4QZBQ6kxeo3ujg9xFCqv28oc7Vf/MTnDXj/ViZP+twuw9jsHLQ5hY5N1Unh8/hTNS+lHq+Tiso8dcM=,iv:9pezJ4vFVokWcVcXzBT/jtJyicfDdykUHB9nZQ0V/74=,tag:wmXnYnd6//NAy/aWU9SMyg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2021-10-10T12:04:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAEnoWy2jZG0Jf1+4G3heV7MTNlur4dqX5fSJZRN6khw8w\ngab9Z73+fCsYm0fmYBJ8EyHLLjhHKP4KiE5pwFW4dNu6XBcHtRHSptZK/zTMMStv\n0l4BCt7PF5q0dPatuqWZ0+2Ns8LSXT/YZVwUkvy3KS8UcZQq7xSwDdBqSTVc1lsz\nb6OI+b3sDHdmzK3MVHAgNEF74wx2or/ccbQT7n5EZxRkGoNbS9Fa7CY3DnJFVEkl\n=jCLU\n-----END PGP MESSAGE-----\n",
+				"fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
+			},
+			{
+				"created_at": "2021-10-10T12:04:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAlsp51HC3CZphu7rZ1hdWk9NzUlkn0DzcWwQ7UcNd524w\nAI4RpCSmOdRy/dy8oMV+9Kv8YgqmChynN/kIgFkHbS5pdbBl50o2xzOhjB26WoJh\n0l4BbkK1QSZkzUCcQzlunqn5N3pvkCjPdBW2DOkAIrNwvEs7A8nPmrrn9AHQrLlq\nEdDYPkREA5TXftnhmu4BAQ01zsoKp2Ny6gAdHMBlLAcS4PM+ugdplYGBAlALtl2P\n=Zrhp\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2021-10-10T12:04:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdA7KxnxC4ZvSLm91bBavRzmTnJwq5Ed+XAPR3Xv1l4X3ww\nQjmDqbJB2av+PJCltta3I4LWh6SOMJ9AOjav6pBPrpFncqkTJoW3CoA9PA4SG4cC\n0l4BG37XFitMYEJdPliwoWcCBoCmKtRBlgwuY9yuyzkTE8pgzbYy+Wa9E7wZJsXD\n3rdziltY8/33Zx9bQvK0VnEsMIZHE3mHHItWcJ0pPUbIZH7QjetweB4oVhBo8CZu\n=PL3V\n-----END PGP MESSAGE-----\n",
+				"fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+			},
+			{
+				"created_at": "2021-10-10T12:04:08Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAF2b1Qg/tPPI4Iyz8QutxrWlOetqN7HzkKEfhtfFO504w\nQtEf0ki8xXsnb03WLknONFFw9SXsTAy7d4xcCuYYbjSID0SwC9OsM6jS/LIXxayI\n0l4BbD6PKAu0vihO1Yrar8HaVX9ybafP48PN8cHGF23AELlFdxMZG94pBN4gzKBN\nxn2XtQSjI8xidnE2fEoZKA6YogDdK5Lig21RRFnRaoytJGtNCTIwYaG88WuObUHD\n=qwAT\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.1"
+	}
+}
\ No newline at end of file