authorDominique Martinet @ odin <asmadeus@codewreck.org>2020-06-14 09:42:53 +0200
committerDominique Martinet @ odin <asmadeus@codewreck.org>2020-06-14 09:43:57 +0200
commitf04f346457c49c3882987b1399894b82889507ae (patch)
treedc4e9ce31e78f2348bcbdf2133d46bbe69eeb43b
parentab1a203adcb3b11b0a18dbf5ba594c6afeba3072 (diff)
wireguard: add service & profile
-rw-r--r--machines/jormungand/network.nix2
-rw-r--r--machines/odin/configuration.nix1
-rw-r--r--machines/odin/network.nix2
-rw-r--r--modules/services/wireguard.nix86
-rw-r--r--profiles/wireguard.nix21
5 files changed, 110 insertions, 2 deletions
diff --git a/machines/jormungand/network.nix b/machines/jormungand/network.nix
index 2ed1c37..8acf366 100644
--- a/machines/jormungand/network.nix
+++ b/machines/jormungand/network.nix
@@ -3,7 +3,7 @@
{
imports = [
../../profiles/dns.nix
-# ../../profiles/wireguard.nix
+ ../../profiles/wireguard.nix
];
networking.hostName = "jormungand.codewreck.org"; # Define your hostname.
diff --git a/machines/odin/configuration.nix b/machines/odin/configuration.nix
index 1b56ea6..0eaa23c 100644
--- a/machines/odin/configuration.nix
+++ b/machines/odin/configuration.nix
@@ -7,6 +7,7 @@
./network.nix
../../profiles/common.nix
../../profiles/users.nix
+ ../../profiles/wireguard.nix
../../profiles/zfs.nix
../../profiles/zramswap.nix
./nfs.nix
diff --git a/machines/odin/network.nix b/machines/odin/network.nix
index f27e2d1..87fa90c 100644
--- a/machines/odin/network.nix
+++ b/machines/odin/network.nix
@@ -8,7 +8,7 @@ in {
networking.hostName = "odin"; # Define your hostname.
networking.networkmanager = {
enable = true;
- unmanaged = [ "interface-name:wlp1s0_ap" "interface-name:wlp1s0" "interface-name:ppp0" ];
+ unmanaged = [ "interface-name:wlp1s0_ap" "interface-name:wlp1s0" "interface-name:ppp0" "interface-name:wg0" ];
};
services.dnsmasq.enable = true;
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
new file mode 100644
index 0000000..1a11c8c
--- /dev/null
+++ b/modules/services/wireguard.nix
@@ -0,0 +1,86 @@
+{ config, lib, ... }:
+
+let
+
+ cfg = config.services.codewreck.wireguard;
+
+in {
+ options.services.codewreck.wireguard = {
+ enabled = lib.mkOption {
+ description = "enabled (on by default if local machine description is found, don't blame me if you enable it without one)";
+ default = builtins.hasAttr cfg.hostname cfg.machines;
+ type = lib.types.bool;
+ };
+ hostname = lib.mkOption {
+ description = "short part of the hostname (select wireguard config from configs)";
+ # XXX do not hardcode domain
+ default = lib.removeSuffix ".codewreck.org" config.networking.hostName;
+ type = lib.types.str;
+ };
+ machines = lib.mkOption {
+ description = "attr of machine configuration";
+ default = {};
+ example = {
+ jormungand = {
+ ip = "fd13:537e:dbbf:1210::1";
+ endpoint = "jormungand.codewreck.org:51820";
+ publicKey = "Hx5RnhfyP91LEgXAn4pLiOm4nMRZvVx+rsX0YhVzqAQ=";
+ };
+ odin = {
+ ip = "fd13:537e:dbbf:1211::1";
+ endpoint = "gaia.codewreck.org:51820";
+ publicKey = "7YALjkbDv6iId1VHJu4uTgVAj41VvAoQfaiVChJdZQ8=";
+ };
+ fenrir = {
+ ip = "fd13:537e:dbbf:1212::1";
+ publicKey = "SrLUKqoxYxFriLDenMwNHLqetxVCLmyCG606hg3h9mQ=";
+ keepalive = 55;
+ };
+ };
+ type = lib.types.attrsOf (lib.types.submodule { options = {
+ ip = lib.mkOption {
+ description = "ip is used both to configure interface if target and for allowed IPs";
+ type = lib.types.str;
+ };
+ publicKey = lib.mkOption {
+ description = "wg public key";
+ type = lib.types.str;
+ };
+ endpoint = lib.mkOption {
+ description = "wg endpoint";
+ default = null;
+ type = lib.types.nullOr lib.types.str;
+ };
+ keepalive = lib.mkOption {
+ description = "wg keepalive; set on all targets if present on current node";
+ default = null;
+ type = lib.types.nullOr lib.types.int;
+ };
+ };});
+ };
+ };
+
+ config = let
+ current = builtins.getAttr cfg.hostname cfg.machines;
+ others = builtins.removeAttrs cfg.machines [ cfg.hostname ];
+ peers = lib.mapAttrsToList (name: value: {
+ allowedIPs = [ value.ip ];
+ publicKey = value.publicKey;
+ endpoint = value.endpoint or null;
+ persistentKeepalive = current.keepalive or null;
+ }) others;
+
+ hosts = lib.mapAttrs' (name: value: lib.attrsets.nameValuePair
+ value.ip [ (name + ".codewreck.org") name ]
+ ) others;
+ in
+ lib.mkIf cfg.enabled {
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ current.ip ];
+ privateKeyFile = "/etc/nixos/secrets/wg0.key";
+ peers = peers;
+ };
+ #networking.hosts = hosts;
+ #networking.firewall.allowedUDPPorts = [ 51820 ];
+ };
+}
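Review bot: The peer list passes `allowedIPs = [ value.ip ];` through verbatim, and the `ip` option states the same value also configures the local interface, so a prefixed value like the profile's `fd13:537e:dbbf:1210::1/64` makes WireGuard accept the whole /64 as that peer's allowed-IPs — and allowed-IPs is the cryptokey-routing ACL, so the peer may then source any address in that prefix rather than only its host address. Derive a host route for the peer side instead, e.g. `allowedIPs = [ "${lib.head (lib.splitString "/" value.ip)}/128" ];`, or split the option into a prefixed interface address and a bare peer address (the unused `hosts` mapping would also need the bare form as its key). Separately, the example endpoints name port 51820 but the interface sets no `listenPort` and the firewall line is left commented out, so unless both are handled elsewhere the listener is on a random port and/or filtered; a comment on those two commented lines saying where they are expected to be configured would avoid a silent mismatch. `privateKeyFile` is correctly a path rather than an in-store `privateKey`, but the hard-coded `/etc/nixos/secrets/wg0.key` deserves a short comment noting it must exist with restrictive permissions on every machine listed in `machines`.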
diff --git a/profiles/wireguard.nix b/profiles/wireguard.nix
new file mode 100644
index 0000000..a5dda36
--- /dev/null
+++ b/profiles/wireguard.nix
@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+{
+ services.codewreck.wireguard.machines = {
+ jormungand = {
+ ip = "fd13:537e:dbbf:1210::1/64";
+ endpoint = "jormungand.codewreck.org:51820";
+ publicKey = "Hx5RnhfyP91LEgXAn4pLiOm4nMRZvVx+rsX0YhVzqAQ=";
+ };
+ odin = {
+ ip = "fd13:537e:dbbf:1211::1/64";
+ endpoint = "gaia.codewreck.org:51820";
+ publicKey = "7YALjkbDv6iId1VHJu4uTgVAj41VvAoQfaiVChJdZQ8=";
+ };
+ fenrir = {
+ ip = "fd13:537e:dbbf:1212::1/64";
+ publicKey = "SrLUKqoxYxFriLDenMwNHLqetxVCLmyCG606hg3h9mQ=";
+ keepalive = 55;
+ };
+ };
+}
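Review bot: The `ip` values here carry a `/64` suffix while the module's own example in `modules/services/wireguard.nix` gives bare addresses, and since the module uses `ip` both as the interface address and as each peer's allowed-IPs the two forms do not behave the same; the profile should state which form is intended. A header comment would do, e.g. `# ip: interface address with prefix; the module also uses it verbatim as this host's allowedIPs entry on every other peer`. fenrir is the only entry without an `endpoint` and the only one with `keepalive`, so presumably it is the roaming node that dials out through NAT — a one-line comment saying so would make the role of each entry clear to the next reader.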