author | Dominique Martinet @ odin <asmadeus@codewreck.org> | 2020-06-14 09:42:53 +0200 |
committer | Dominique Martinet @ odin <asmadeus@codewreck.org> | 2020-06-14 09:43:57 +0200 |
commit | f04f346457c49c3882987b1399894b82889507ae (patch) | |
tree | dc4e9ce31e78f2348bcbdf2133d46bbe69eeb43b | |
parent | ab1a203adcb3b11b0a18dbf5ba594c6afeba3072 (diff) |
wireguard: add service & profile
-rw-r--r-- | machines/jormungand/network.nix | 2 | ||||
-rw-r--r-- | machines/odin/configuration.nix | 1 | ||||
-rw-r--r-- | machines/odin/network.nix | 2 | ||||
-rw-r--r-- | modules/services/wireguard.nix | 86 | ||||
-rw-r--r-- | profiles/wireguard.nix | 21 |
5 files changed, 110 insertions, 2 deletions
diff --git a/machines/jormungand/network.nix b/machines/jormungand/network.nix
index 2ed1c37..8acf366 100644
--- a/machines/jormungand/network.nix
+++ b/machines/jormungand/network.nix
@@ -3,7 +3,7 @@
 {
 imports = [
 ../../profiles/dns.nix
-# ../../profiles/wireguard.nix
+ ../../profiles/wireguard.nix
 ];
 networking.hostName = "jormungand.codewreck.org"; # Define your hostname.
diff --git a/machines/odin/configuration.nix b/machines/odin/configuration.nix
index 1b56ea6..0eaa23c 100644
--- a/machines/odin/configuration.nix
+++ b/machines/odin/configuration.nix
@@ -7,6 +7,7 @@
 ./network.nix
 ../../profiles/common.nix
 ../../profiles/users.nix
+ ../../profiles/wireguard.nix
 ../../profiles/zfs.nix
 ../../profiles/zramswap.nix
 ./nfs.nix
diff --git a/machines/odin/network.nix b/machines/odin/network.nix
index f27e2d1..87fa90c 100644
--- a/machines/odin/network.nix
+++ b/machines/odin/network.nix
@@ -8,7 +8,7 @@ in {
 networking.hostName = "odin"; # Define your hostname.
 networking.networkmanager = {
 enable = true;
- unmanaged = [ "interface-name:wlp1s0_ap" "interface-name:wlp1s0" "interface-name:ppp0" ];
+ unmanaged = [ "interface-name:wlp1s0_ap" "interface-name:wlp1s0" "interface-name:ppp0" "interface-name:wg0" ];
 };
 services.dnsmasq.enable = true;
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
new file mode 100644
index 0000000..1a11c8c
--- /dev/null
+++ b/modules/services/wireguard.nix
@@ -0,0 +1,86 @@
+{ config, lib, ... }:
+
+let
+
+ cfg = config.services.codewreck.wireguard;
+
+in {
+ options.services.codewreck.wireguard = {
+ enabled = lib.mkOption {
+ description = "enabled (on by default if local machine description is found, don't blame me if you enable it without one)";
+ default = builtins.hasAttr cfg.hostname cfg.machines;
+ type = lib.types.bool;
+ };
+ hostname = lib.mkOption {
+ description = "short part of the hostname (select wireguard config from configs)";
+ # XXX do not hardcode domain
+ default = lib.removeSuffix ".codewreck.org" config.networking.hostName;
+ type = lib.types.str;
+ };
+ machines = lib.mkOption {
+ description = "attr of machine configuration";
+ default = {};
+ example = {
+ jormungand = {
+ ip = "fd13:537e:dbbf:1210::1";
+ endpoint = "jormungand.codewreck.org:51820";
+ publicKey = "Hx5RnhfyP91LEgXAn4pLiOm4nMRZvVx+rsX0YhVzqAQ=";
+ };
+ odin = {
+ ip = "fd13:537e:dbbf:1211::1";
+ endpoint = "gaia.codewreck.org:51820";
+ publicKey = "7YALjkbDv6iId1VHJu4uTgVAj41VvAoQfaiVChJdZQ8=";
+ };
+ fenrir = {
+ ip = "fd13:537e:dbbf:1212::1";
+ publicKey = "SrLUKqoxYxFriLDenMwNHLqetxVCLmyCG606hg3h9mQ=";
+ keepalive = 55;
+ };
+ };
+ type = lib.types.attrsOf (lib.types.submodule { options = {
+ ip = lib.mkOption {
+ description = "ip is used both to configure interface if target and for allowed IPs";
+ type = lib.types.str;
+ };
+ publicKey = lib.mkOption {
+ description = "wg public key";
+ type = lib.types.str;
+ };
+ endpoint = lib.mkOption {
+ description = "wg endpoint";
+ default = null;
+ type = lib.types.nullOr lib.types.str;
+ };
+ keepalive = lib.mkOption {
+ description = "wg keepalive; set on all targets if present on current node";
+ default = null;
+ type = lib.types.nullOr lib.types.int;
+ };
+ };});
+ };
+ };
+
+ config = let
+ current = builtins.getAttr cfg.hostname cfg.machines;
+ others = builtins.removeAttrs cfg.machines [ cfg.hostname ];
+ peers = lib.mapAttrsToList (name: value: {
+ allowedIPs = [ 
value.ip ];
+ publicKey = value.publicKey;
+ endpoint = value.endpoint or null;
+ persistentKeepalive = current.keepalive or null;
+ }) others;
+
+ hosts = lib.mapAttrs' (name: value: lib.attrsets.nameValuePair
+ value.ip [ (name + ".codewreck.org") name ]
+ ) others;
+ in
+ lib.mkIf cfg.enabled {
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ current.ip ];
+ privateKeyFile = "/etc/nixos/secrets/wg0.key";
+ peers = peers;
+ };
+ #networking.hosts = hosts;
+ #networking.firewall.allowedUDPPorts = [ 51820 ];
+ };
+}
diff --git a/profiles/wireguard.nix b/profiles/wireguard.nix
new file mode 100644
index 0000000..a5dda36
--- /dev/null
+++ b/profiles/wireguard.nix
@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+{
+ services.codewreck.wireguard.machines = {
+ jormungand = {
+ ip = "fd13:537e:dbbf:1210::1/64";
+ endpoint = "jormungand.codewreck.org:51820";
+ publicKey = "Hx5RnhfyP91LEgXAn4pLiOm4nMRZvVx+rsX0YhVzqAQ=";
+ };
+ odin = {
+ ip = "fd13:537e:dbbf:1211::1/64";
+ endpoint = "gaia.codewreck.org:51820";
+ publicKey = "7YALjkbDv6iId1VHJu4uTgVAj41VvAoQfaiVChJdZQ8=";
+ };
+ fenrir = {
+ ip = "fd13:537e:dbbf:1212::1/64";
+ publicKey = "SrLUKqoxYxFriLDenMwNHLqetxVCLmyCG606hg3h9mQ=";
+ keepalive = 55;
+ };
+ };
+}
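Review bot: The `networking.wireguard.interfaces.wg0` block under `lib.mkIf cfg.enabled` sets `ips`, `privateKeyFile` and `peers` but no `listenPort`, while every endpoint in the profiles/wireguard.nix hunk is `host:51820`; unless the port is pinned elsewhere, the interface listens on a kernel-chosen port and the `:51820` endpoints other peers dial never reach it, and the matching firewall rule is left commented out two lines above the closing brace. I would add `listenPort = 51820;` next to `ips = [ current.ip ];` and restore `networking.firewall.allowedUDPPorts = [ 51820 ];` inside the same `mkIf`, so hosts without a machine entry stay untouched. A second point: `current = builtins.getAttr cfg.hostname cfg.machines` fails with a bare missing-attribute error when `enabled` is forced on without a matching entry, so an `assertions` entry such as `{ assertion = builtins.hasAttr cfg.hostname cfg.machines; message = "services.codewreck.wireguard: no machine entry for ${cfg.hostname}"; }` would name the cause instead. Finally, the `machines.example` gives bare addresses (`fd13:537e:dbbf:1210::1`) while the profile carries `/64` prefixes; the `ip` option description should state which form is expected, because the same value feeds both the local `ips` and each peer's `allowedIPs`, where a `/64` admits the peer's whole prefix rather than a single host.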