authorDominique Martinet @ jormungand <asmadeus@codewreck.org>2020-06-14 14:30:15 +0200
committerDominique Martinet @ jormungand <asmadeus@codewreck.org>2020-06-14 14:30:15 +0200
commit5a744810e547d5cac47e0c6686b6a8abbadedc8a (patch)
tree18bc534b1b10e5af32e1a229937cdc7ca718e10f
parent5372b5ec96c7dba3cc7211daaf956a7e8e5be621 (diff)
wireguard: split subnet out (fix hosts), add extra allowedIPs
-rw-r--r--modules/services/wireguard.nix27
-rw-r--r--profiles/wireguard.nix9
2 files changed, 27 insertions, 9 deletions
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index 82d91e2..542f55b 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -22,19 +22,22 @@ in {
default = {};
example = {
jormungand = {
- ip = "fd13:537e:dbbf:1210::1/64";
+ ip = "fd13:537e:dbbf:1210::1";
endpoint = "jormungand.codewreck.org";
listenPort = 51733;
publicKey = "Hx5RnhfyP91LEgXAn4pLiOm4nMRZvVx+rsX0YhVzqAQ=";
};
odin = {
- ip = "fd13:537e:dbbf:1211::1/64";
+ ip = "fd13:537e:dbbf:1210::2";
+ subnet = "/128";
+ allowedIPs = [ "fd13:537e:dbbf:1211::/64" "10.17.42.0/24" ];
endpoint = "gaia.codewreck.org";
listenPort = 51432;
publicKey = "7YALjkbDv6iId1VHJu4uTgVAj41VvAoQfaiVChJdZQ8=";
};
fenrir = {
- ip = "fd13:537e:dbbf:1212::1/64";
+ ip = "fd13:537e:dbbf:1210::3";
+ allowedIPs = [ "fd13:537e:dbbf:1213::/64" "10.42.17.0/24" ];
publicKey = "SrLUKqoxYxFriLDenMwNHLqetxVCLmyCG606hg3h9mQ=";
listenPort = 51123;
keepalive = 55;
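Review bot: The option `example` at lines 22-44 is now a verbatim copy of the live deployment in profiles/wireguard.nix (same endpoints, ports and public keys), so it documents the author's hosts rather than the option's shape. An example should use placeholder values (`endpoint = "host1.example.org"; publicKey = "<base64 wg public key>";`) and, more usefully here, show one entry with `subnet` and one without so a reader can tell whether a bare `ip` and `ip` plus `subnet = "/128"` are meant to be equivalent. As written only odin carries `subnet` and nothing in the example explains why. The `example` attribute set continues past the hunk.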
@@ -45,6 +48,16 @@ in {
description = "ip is used both to configure interface if target and for allowed IPs";
type = lib.types.str;
};
+ subnet = lib.mkOption {
+ description = "ip subnet prefix";
+ default = null;
+ type = lib.types.nullOr lib.types.str;
+ };
+ allowedIPs = lib.mkOption {
+ description = "extra list of allowed IPs for wg";
+ default = [];
+ type = lib.types.listOf lib.types.str;
+ };
publicKey = lib.mkOption {
description = "wg public key";
type = lib.types.str;
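Review bot: The new `subnet` option at lines 49-53 is a free-form string that is concatenated directly onto `ip`, but its description does not say that the leading slash is part of the value (`"/128"`, not `"128"`), and a value of `"64"` would silently produce the address `…::264`. Tighten the type to `type = lib.types.nullOr (lib.types.strMatching "/[0-9]+");` and make the description say `"prefix length appended to ip, including the leading slash, e.g. \"/64\"; null leaves the bare address"`. The `allowedIPs` description at line 55 should likewise state that every prefix listed is added to that peer's WireGuard allowed-ips — which is both a source filter on what the peer may send and, presumably with the NixOS module's default of installing routes for allowed IPs, a route towards that peer — since that is the effect a maintainer needs to understand before adding a range. The option set continues past the hunk.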
@@ -59,7 +72,7 @@ in {
type = lib.types.nullOr lib.types.str;
};
keepalive = lib.mkOption {
- description = "wg keepalive; set on all targets if present on current node";
+ description = "wg keepalive for all peers if present on current machine";
default = null;
type = lib.types.nullOr lib.types.int;
};
@@ -71,7 +84,9 @@ in {
current = builtins.getAttr cfg.hostname cfg.machines;
others = builtins.removeAttrs cfg.machines [ cfg.hostname ];
peers = lib.mapAttrsToList (name: value: {
- allowedIPs = [ value.ip ];
+ allowedIPs = [
+ (value.ip + (if value.subnet != null then value.subnet else ""))
+ ] ++ value.allowedIPs;
publicKey = value.publicKey;
endpoint = (if value.endpoint != null then value.endpoint + ":" + (toString value.listenPort) else null);
persistentKeepalive = current.keepalive;
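Review bot: Allowed-ips is WireGuard's cryptokey routing table, and two peers whose prefixes overlap silently shadow each other with no error from this module; since lines 76-78 now combine each peer's `ip` + `subnet` with arbitrary extra prefixes, and all hosts sit in the same `1210::/64`, a machine that sets `subnet = "/64"` the way the old config did would claim every other peer's address. An `assertions` entry checking that no peer's prefixes overlap another's, or at least a comment on line 76 such as `# allowedIPs is the peer's cryptokey routing entry: source filter and route; prefixes must not overlap across peers`, would prevent a quiet misroute. Separately, the expression `value.ip + (if value.subnet != null then value.subnet else "")` is repeated later in the file for the interface's own `ips`; pull it into the enclosing `let` as `addr = m: m.ip + (if m.subnet != null then m.subnet else "");` and write `allowedIPs = [ (addr value) ] ++ value.allowedIPs;`. The `peers` definition and its enclosing `let` extend outside the hunk.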
@@ -83,7 +98,7 @@ in {
in
lib.mkIf cfg.enabled {
networking.wireguard.interfaces.wg0 = {
- ips = [ current.ip ];
+ ips = [ (current.ip + (if current.subnet != null then current.subnet else "")) ];
listenPort = current.listenPort;
privateKeyFile = "/etc/nixos/secrets/wg0.key";
peers = peers;
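Review bot: When `subnet` is null, `ips` at line 87 is a bare address such as `fd13:537e:dbbf:1210::1`, so the prefix length of the interface address is left to whatever the NixOS module's address-assignment command defaults to (presumably /128 for IPv6), while odin's entry gets an explicit `/128`; the same intent is spelled two ways, one of them implicit. Either give the interface side an explicit default when `subnet` is null, or add a comment on line 87: `# subnet == null yields a bare address; the kernel treats that as a single-host prefix — set subnet explicitly if the interface should carry a link prefix`. The `networking.wireguard.interfaces.wg0` attribute set continues past the hunk.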
diff --git a/profiles/wireguard.nix b/profiles/wireguard.nix
index 24a20d3..6b0a5a8 100644
--- a/profiles/wireguard.nix
+++ b/profiles/wireguard.nix
@@ -3,19 +3,22 @@
{
services.codewreck.wireguard.machines = {
jormungand = {
- ip = "fd13:537e:dbbf:1210::1/64";
+ ip = "fd13:537e:dbbf:1210::1";
endpoint = "jormungand.codewreck.org";
listenPort = 51733;
publicKey = "Hx5RnhfyP91LEgXAn4pLiOm4nMRZvVx+rsX0YhVzqAQ=";
};
odin = {
- ip = "fd13:537e:dbbf:1211::1/64";
+ ip = "fd13:537e:dbbf:1210::2";
+ subnet = "/128";
+ allowedIPs = [ "fd13:537e:dbbf:1211::/64" "10.17.42.0/24" ];
endpoint = "gaia.codewreck.org";
listenPort = 51432;
publicKey = "7YALjkbDv6iId1VHJu4uTgVAj41VvAoQfaiVChJdZQ8=";
};
fenrir = {
- ip = "fd13:537e:dbbf:1212::1/64";
+ ip = "fd13:537e:dbbf:1210::3";
+ allowedIPs = [ "fd13:537e:dbbf:1213::/64" "10.42.17.0/24" ];
publicKey = "SrLUKqoxYxFriLDenMwNHLqetxVCLmyCG606hg3h9mQ=";
listenPort = 51123;
keepalive = 55;
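Review bot: Only odin sets `subnet = "/128"` at line 108, while jormungand at line 100 and fenrir at line 116 rely on the bare-address default for the same meaning; set `subnet = "/128";` on all three (or on none) so interface addresses and allowed-ips are derived the same way for every host. The extra ranges at lines 109 and 117 (`1211::/64`, `1213::/64`, `10.17.42.0/24`, `10.42.17.0/24`) widen what odin and fenrir may source into the tunnel and what is routed towards them; they are disjoint here, but nothing in the module rejects an overlap, so a short comment naming which site each range belongs to would make the next addition safer. The `machines` set continues past the hunk.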