author | Dominique Martinet @ jormungand <asmadeus@codewreck.org> | 2020-06-14 18:58:21 +0200 |
committer | Dominique Martinet @ jormungand <asmadeus@codewreck.org> | 2020-06-14 18:58:21 +0200 |
commit | 201ce97c31d0678f3c3235ecd294f03c73e23212 (patch) | |
tree | 5248a6926de6d7357ec8e60f775aa91b02cd82c5 | |
parent | 5a744810e547d5cac47e0c6686b6a8abbadedc8a (diff) |
wireguard: genericify domain simplification; remove subnet option
-rw-r--r-- | machines/jormungand/network.nix | 5 | ||||
-rw-r--r-- | machines/odin/network.nix | 1 | ||||
-rw-r--r-- | modules/services/wireguard.nix | 22 | ||||
-rw-r--r-- | profiles/wireguard.nix | 11 |
4 files changed, 22 insertions, 17 deletions
diff --git a/machines/jormungand/network.nix b/machines/jormungand/network.nix
index 8acf366..a705c86 100644
--- a/machines/jormungand/network.nix
+++ b/machines/jormungand/network.nix
@@ -6,7 +6,10 @@
 ../../profiles/wireguard.nix
 ];
- networking.hostName = "jormungand.codewreck.org"; # Define your hostname.
+ networking.hostName = "jormungand.codewreck.org";
+ networking.domain = "codewreck.org";
+
+ boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
 networking = {
 useDHCP = false;
diff --git a/machines/odin/network.nix b/machines/odin/network.nix
index 28cf13f..15483c8 100644
--- a/machines/odin/network.nix
+++ b/machines/odin/network.nix
@@ -35,6 +35,7 @@ in {
 services.dnsmasq.resolveLocalQueries = false;
 networking.nameservers = [ "127.0.0.1" ];
 networking.search = [ "codewreck.org" ];
+ networking.domain = "codewreck.org";
 boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
 boot.kernel.sysctl."net.netfilter.nf_conntrack_tcp_be_liberal" = "1";
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index 542f55b..f719a47 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -11,10 +11,14 @@ in {
 default = builtins.hasAttr cfg.hostname cfg.machines;
 type = lib.types.bool;
 };
+ domain = lib.mkOption {
+ description = "domain (used to shorten hosts for config and /etc/hosts";
+ default = config.networking.domain;
+ type = lib.types.str;
+ };
 hostname = lib.mkOption {
 description = "short part of the hostname (select wireguard config from configs)";
- # XXX do not hardcode domain
- default = lib.removeSuffix ".codewreck.org" config.networking.hostName;
+ default = lib.removeSuffix ".${cfg.domain}" config.networking.hostName;
 type = lib.types.str;
 };
 machines = lib.mkOption {
@@ -29,7 +33,6 @@ in {
 };
 odin = {
 ip = "fd13:537e:dbbf:1210::2";
- subnet = "/128";
 allowedIPs = [ "fd13:537e:dbbf:1211::/64" "10.17.42.0/24" ];
 endpoint = "gaia.codewreck.org";
 listenPort = 51432;
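Review bot: The added `boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";` in the jormungand hunk turns on IPv6 forwarding for every interface on that host, which is unrelated to the domain change named in the subject and is not mentioned in the commit message. If the intent is to route between wg0 and the local subnets, that should be stated, and it is worth confirming that the host's firewall forward policy restricts what is relayed between interfaces rather than letting the sysctl alone decide. A short comment above the line, such as `# forward between wg0 and the local subnets; the forward policy is the firewall's job`, would record the intent for the next reader. The `networking = {` block that follows continues past the hunk.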
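Review bot: In the modules/services/wireguard.nix hunk the new `domain` option defaults to `config.networking.domain`, which in NixOS is nullable and unset by default, yet the option is typed `lib.types.str`, so on a host that does not set `networking.domain` the `hostname` default `lib.removeSuffix ".${cfg.domain}" config.networking.hostName` appears to fail at evaluation rather than falling back to the previous behaviour. Either type it `lib.types.nullOr lib.types.str` and guard the suffix, or state in the description that `networking.domain` must be set, as this commit does for jormungand and odin. The description string is also missing its closing parenthesis: `description = "domain (used to shorten hosts for config and /etc/hosts)";`. The enclosing option set starts before the hunk.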
@@ -48,11 +51,6 @@ in {
 description = "ip is used both to configure interface if target and for allowed IPs";
 type = lib.types.str;
 };
- subnet = lib.mkOption {
- description = "ip subnet prefix";
- default = null;
- type = lib.types.nullOr lib.types.str;
- };
 allowedIPs = lib.mkOption {
 description = "extra list of allowed IPs for wg";
 default = [];
@@ -84,21 +82,19 @@ in {
 current = builtins.getAttr cfg.hostname cfg.machines;
 others = builtins.removeAttrs cfg.machines [ cfg.hostname ];
 peers = lib.mapAttrsToList (name: value: {
- allowedIPs = [
- (value.ip + (if value.subnet != null then value.subnet else ""))
- ] ++ value.allowedIPs;
+ allowedIPs = [ value.ip ] ++ value.allowedIPs;
 publicKey = value.publicKey;
 endpoint = (if value.endpoint != null then value.endpoint + ":" + (toString value.listenPort) else null);
 persistentKeepalive = current.keepalive;
 }) others;
 hosts = lib.mapAttrs' (name: value: lib.attrsets.nameValuePair
- value.ip [ (name + ".codewreck.org") name ]
+ (builtins.head (builtins.split "/" value.ip)) [ (name + ".${cfg.domain}") name ]
 ) others;
 in lib.mkIf cfg.enabled {
 networking.wireguard.interfaces.wg0 = {
- ips = [ (current.ip + (if current.subnet != null then current.subnet else "")) ];
+ ips = [ current.ip ];
 listenPort = current.listenPort;
 privateKeyFile = "/etc/nixos/secrets/wg0.key";
 peers = peers;
diff --git a/profiles/wireguard.nix b/profiles/wireguard.nix
index 6b0a5a8..370abf7 100644
--- a/profiles/wireguard.nix
+++ b/profiles/wireguard.nix
@@ -10,7 +10,6 @@
 };
 odin = {
 ip = "fd13:537e:dbbf:1210::2";
- subnet = "/128";
 allowedIPs = [ "fd13:537e:dbbf:1211::/64" "10.17.42.0/24" ];
 endpoint = "gaia.codewreck.org";
 listenPort = 51432;
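Review bot: In the `@@ -84,21 +82,19 @@` hunk `hosts` strips any `/prefix` from `value.ip` with `builtins.head (builtins.split "/" value.ip)`, but `allowedIPs = [ value.ip ] ++ value.allowedIPs` and `ips = [ current.ip ]` pass the field through unchanged, so with the `subnet` option gone the `ip` field now doubles as the interface address and as that peer's cryptokey-routing entry. A machine whose `ip` is ever written with a prefix wider than a single host would be accepted as the source of the whole range, including the addresses of the other peers, which the module would silently allow. Either document on the `ip` option that it must be a bare host address (the profile values currently carry no prefix), or build the allowedIPs entry from the stripped address with a host-only prefix instead of the raw field. The `let` block holding these bindings begins before the hunk and the module continues after it.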
@@ -20,8 +19,14 @@
 ip = "fd13:537e:dbbf:1210::3";
 allowedIPs = [ "fd13:537e:dbbf:1213::/64" "10.42.17.0/24" ];
 publicKey = "SrLUKqoxYxFriLDenMwNHLqetxVCLmyCG606hg3h9mQ=";
- listenPort = 51123;
- keepalive = 55;
+ };
+ heidrun-sigyn = {
+ ip = "fd13:537e:dbbf:1210::4";
+ publicKey = "58jTSCPOyUT4FiaL53FoeNhunPXbTe3gVtTumkeTFmY=";
+ };
+ heidrun-laptop = {
+ ip = "fd13:537e:dbbf:1210::5";
+ publicKey = "r7Nt1jvrG13CGbkFYT32a8MygKw6G7rGtOLJ81oKxVM=";
 };
 };
 }
|
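Review bot: The machine at the top of this hunk (its name is above the hunk) loses `listenPort = 51123;` and `keepalive = 55;`, while modules/services/wireguard.nix still reads `current.listenPort` and `current.keepalive` whenever that host is the current one; if those submodule options carry no default, evaluating that host's configuration now fails, and if they do, the commit message should say the host is being turned into a roaming client. The two new `heidrun-*` entries carry only an address and a public key, and since `allowedIPs` defaults to `[]` each is confined to its single tunnel address, which is the right shape for laptop-style peers; a one-line comment such as `# roaming peers: no endpoint, reachable only when they connect` would make that explicit in the profile.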