authorDominique Martinet @ jormungand <asmadeus@codewreck.org>2020-06-14 18:58:21 +0200
committerDominique Martinet @ jormungand <asmadeus@codewreck.org>2020-06-14 18:58:21 +0200
commit201ce97c31d0678f3c3235ecd294f03c73e23212 (patch)
tree5248a6926de6d7357ec8e60f775aa91b02cd82c5
parent5a744810e547d5cac47e0c6686b6a8abbadedc8a (diff)
wireguard: genericify domain simplification; remove subnet option
-rw-r--r--machines/jormungand/network.nix5
-rw-r--r--machines/odin/network.nix1
-rw-r--r--modules/services/wireguard.nix22
-rw-r--r--profiles/wireguard.nix11
4 files changed, 22 insertions, 17 deletions
diff --git a/machines/jormungand/network.nix b/machines/jormungand/network.nix
index 8acf366..a705c86 100644
--- a/machines/jormungand/network.nix
+++ b/machines/jormungand/network.nix
@@ -6,7 +6,10 @@
../../profiles/wireguard.nix
];
- networking.hostName = "jormungand.codewreck.org"; # Define your hostname.
+ networking.hostName = "jormungand.codewreck.org";
+ networking.domain = "codewreck.org";
+
+ boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
networking = {
useDHCP = false;
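Review bot: The added `boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";` makes jormungand an IPv6 router for every interface, which is outside what the commit title (domain simplification, subnet removal) describes and is the kind of change that should be called out in the message or split into its own commit. Because the sysctl is the `all` variant rather than per-interface, the host's firewall forward rules decide what actually gets relayed between wg0 and the uplink, and that should be checked alongside this line. A comment recording the intent would help the next reader, e.g. `# IPv6 forwarding on all interfaces — presumably for wireguard peers; the firewall forward rules bound it (confirm)`. The enclosing attribute set continues outside the hunk.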
diff --git a/machines/odin/network.nix b/machines/odin/network.nix
index 28cf13f..15483c8 100644
--- a/machines/odin/network.nix
+++ b/machines/odin/network.nix
@@ -35,6 +35,7 @@ in {
services.dnsmasq.resolveLocalQueries = false;
networking.nameservers = [ "127.0.0.1" ];
networking.search = [ "codewreck.org" ];
+ networking.domain = "codewreck.org";
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
boot.kernel.sysctl."net.netfilter.nf_conntrack_tcp_be_liberal" = "1";
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index 542f55b..f719a47 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -11,10 +11,14 @@ in {
default = builtins.hasAttr cfg.hostname cfg.machines;
type = lib.types.bool;
};
+ domain = lib.mkOption {
+ description = "domain (used to shorten hosts for config and /etc/hosts";
+ default = config.networking.domain;
+ type = lib.types.str;
+ };
hostname = lib.mkOption {
description = "short part of the hostname (select wireguard config from configs)";
- # XXX do not hardcode domain
- default = lib.removeSuffix ".codewreck.org" config.networking.hostName;
+ default = lib.removeSuffix ".${cfg.domain}" config.networking.hostName;
type = lib.types.str;
};
machines = lib.mkOption {
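Review bot: The new `domain` option defaults to `config.networking.domain`, but in NixOS that option is `nullOr str` and defaults to null, so on any host that does not set it the `lib.types.str` check fails and the `".${cfg.domain}"` interpolation in `hostname` cannot evaluate; this commit sets `networking.domain` for jormungand and odin only, so other hosts importing the module would break at evaluation. Either give the option a non-null fallback or fail with a message that names the fix, e.g. `default = if config.networking.domain != null then config.networking.domain else throw "wireguard: set networking.domain (or the module's domain option)";`. The description string is also missing its closing parenthesis: `description = "domain (used to shorten hosts for config and /etc/hosts)";`. The enclosing options set starts before the hunk, so the option path prefix (`cfg`) is not visible here.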
@@ -29,7 +33,6 @@ in {
};
odin = {
ip = "fd13:537e:dbbf:1210::2";
- subnet = "/128";
allowedIPs = [ "fd13:537e:dbbf:1211::/64" "10.17.42.0/24" ];
endpoint = "gaia.codewreck.org";
listenPort = 51432;
@@ -48,11 +51,6 @@ in {
description = "ip is used both to configure interface if target and for allowed IPs";
type = lib.types.str;
};
- subnet = lib.mkOption {
- description = "ip subnet prefix";
- default = null;
- type = lib.types.nullOr lib.types.str;
- };
allowedIPs = lib.mkOption {
description = "extra list of allowed IPs for wg";
default = [];
@@ -84,21 +82,19 @@ in {
current = builtins.getAttr cfg.hostname cfg.machines;
others = builtins.removeAttrs cfg.machines [ cfg.hostname ];
peers = lib.mapAttrsToList (name: value: {
- allowedIPs = [
- (value.ip + (if value.subnet != null then value.subnet else ""))
- ] ++ value.allowedIPs;
+ allowedIPs = [ value.ip ] ++ value.allowedIPs;
publicKey = value.publicKey;
endpoint = (if value.endpoint != null then value.endpoint + ":" + (toString value.listenPort) else null);
persistentKeepalive = current.keepalive;
}) others;
hosts = lib.mapAttrs' (name: value: lib.attrsets.nameValuePair
- value.ip [ (name + ".codewreck.org") name ]
+ (builtins.head (builtins.split "/" value.ip)) [ (name + ".${cfg.domain}") name ]
) others;
in
lib.mkIf cfg.enabled {
networking.wireguard.interfaces.wg0 = {
- ips = [ (current.ip + (if current.subnet != null then current.subnet else "")) ];
+ ips = [ current.ip ];
listenPort = current.listenPort;
privateKeyFile = "/etc/nixos/secrets/wg0.key";
peers = peers;
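Review bot: `(builtins.head (builtins.split "/" value.ip))` on the hosts line implies that `ip` may now carry a `/prefix` which is passed through unchanged to `ips` and `allowedIPs` but stripped for /etc/hosts, yet nothing documents that convention, and with `subnet` removed it is the only way left to express a non-host prefix. The `ip` option description (in the previous hunk, not this one) should state it, e.g. `description = "ip, optionally with /prefix; used for the interface address and allowed IPs, prefix stripped for /etc/hosts";`. The `let` block that defines `current`, `others`, `peers` and `hosts` starts before this hunk and the `mkIf` body continues past it.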
diff --git a/profiles/wireguard.nix b/profiles/wireguard.nix
index 6b0a5a8..370abf7 100644
--- a/profiles/wireguard.nix
+++ b/profiles/wireguard.nix
@@ -10,7 +10,6 @@
};
odin = {
ip = "fd13:537e:dbbf:1210::2";
- subnet = "/128";
allowedIPs = [ "fd13:537e:dbbf:1211::/64" "10.17.42.0/24" ];
endpoint = "gaia.codewreck.org";
listenPort = 51432;
@@ -20,8 +19,14 @@
ip = "fd13:537e:dbbf:1210::3";
allowedIPs = [ "fd13:537e:dbbf:1213::/64" "10.42.17.0/24" ];
publicKey = "SrLUKqoxYxFriLDenMwNHLqetxVCLmyCG606hg3h9mQ=";
- listenPort = 51123;
- keepalive = 55;
+ };
+ heidrun-sigyn = {
+ ip = "fd13:537e:dbbf:1210::4";
+ publicKey = "58jTSCPOyUT4FiaL53FoeNhunPXbTe3gVtTumkeTFmY=";
+ };
+ heidrun-laptop = {
+ ip = "fd13:537e:dbbf:1210::5";
+ publicKey = "r7Nt1jvrG13CGbkFYT32a8MygKw6G7rGtOLJ81oKxVM=";
};
};
}
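Review bot: The two new peers `heidrun-sigyn` and `heidrun-laptop`, and the removal of `listenPort` and `keepalive` from the `::3` machine, are changes the commit message ("genericify domain simplification; remove subnet option") does not mention; adding peer public keys to the mesh is worth a sentence in the message or a separate commit so the change is easy to audit later. The new entries set only `ip` and `publicKey`, and whether `listenPort` and `keepalive` have defaults in the module is not visible in this diff, so if the service module is ever enabled on those hosts the `listenPort = current.listenPort;` and `persistentKeepalive = current.keepalive;` lines in modules/services/wireguard.nix should be confirmed to evaluate.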