nix-config/modules/TLMS/wg.nix

{ lib, config, self, ... }:
let
  cfg = config.deployment-TLMS.net.wg;
in {
    options.deployment-TLMS.net.wg = with lib; {

      ownEndpoint.host = mkOption {
        type = types.nullOr types.str;
        default = null;
      };
      ownEndpoint.port = mkOption {
        type = types.port;
        default = 51820;
      };

      publicKey = mkOption {
        type = types.str;
        default = "";
        description = "own public key";
      };
      privateKeyFile = mkOption {
        type = types.either types.str types.path;
      };
      addr4 = mkOption {
        type = types.nullOr types.str;
        default = null;
      };

      prefix4 = mkOption {
        type = types.int;
        default = 24;
        description = "network prefix";
      };

      extraPeers = mkOption {
        description = "extra peers that are not part of the deployment";
        type = types.listOf (types.submodule {
          options.addr4 = mkOption {
            type = types.str;
            description = "ip _without_ a network prefix";
          };
          options.publicKey = mkOption {
            type = types.str;
            description = "public key";
          };
        });
      };
    };

    config = let
      # move out as options?
      dvbwg-name = "wg-ddvb";
      keepalive = 25;

      # helpers
      peer-systems = (lib.filter (x: (x.config.deployment-TLMS.net.wg.addr4 != cfg.addr4) && (!isNull x.config.deployment-TLMS.net.wg.addr4))
      (lib.attrValues self.nixosConfigurations));

      endpoint =
        let
          ep = (lib.filter (x:
          x.config.deployment-TLMS.net.wg.addr4 != cfg.addr4
          && (!isNull x.config.deployment-TLMS.net.wg.ownEndpoint.host))
          (lib.attrValues self.nixosConfigurations));
        in
        assert lib.assertMsg (lib.length ep == 1) "there should be exactly one endpoint"; ep;

         peers = map (x: {
          wireguardPeerConfig = {
            PublicKey = x.config.deployment-TLMS.net.wg.publicKey;
            AllowedIPs = [ "${x.config.deployment-TLMS.net.wg.addr4}/32" ];
            PersistentKeepalive = keepalive;
          };
        }) peer-systems;

        ep = [ {
          wireguardPeerConfig =
            let x = lib.elemAt endpoint 0; in {
            PublicKey = x.config.deployment-TLMS.net.wg.publicKey;
            AllowedIPs = [ "${x.config.deployment-TLMS.net.wg.addr4}/${toString cfg.prefix4}" ];
            Endpoint = with x.config.deployment-TLMS.net.wg.ownEndpoint; "${host}:${toString port}";
            PersistentKeepalive = keepalive;
          };
        } ];

      # stuff proper
      dvbwg-netdev = {
        Kind = "wireguard";
        Name = dvbwg-name;
        Description = "TLMS enterprise, highly available, biocomputing-neural-network maintained, converged network";
      };

      dvbwg-wireguard = {
        PrivateKeyFile = cfg.privateKeyFile;
      } //
        (if !isNull cfg.ownEndpoint.host then { ListenPort = cfg.ownEndpoint.port; } else {});

      expeers = map (x: {
        wireguardPeerConfig = {
          PublicKey = x.publicKey;
          AllowedIPs = [ "${x.addr4}/32" ];
          PersistentKeepalive = keepalive;
        };
      }) cfg.extraPeers;

      peerconf = if isNull cfg.ownEndpoint.host then ep else (peers ++ expeers);
    in
    lib.mkIf (!isNull cfg.addr4) {
      networking.wireguard.enable = true;

      networking.firewall.trustedInterfaces = [ dvbwg-name ];

      systemd.network.netdevs."30-${dvbwg-name}" = {
        netdevConfig = dvbwg-netdev;
        wireguardConfig = dvbwg-wireguard;
        wireguardPeers = peerconf;
      };
    systemd.network.networks."30-${dvbwg-name}" = {
      matchConfig.Name = dvbwg-name;
      networkConfig = {
        Address = "${cfg.addr4}/${toString cfg.prefix4}";
      };
    };
  };
}
move to networkd 2022-10-02 21:39:37 +02:00			`{ lib, config, self, ... }:`
traffic-stop-box: move out custom config into ./hosts 2022-09-29 19:46:23 +02:00			`let`
REBRANDING. Shit is broken 2022-12-30 18:29:13 +01:00			`cfg = config.deployment-TLMS.net.wg;`
move to networkd 2022-10-02 21:39:37 +02:00			`in {`
REBRANDING. Shit is broken 2022-12-30 18:29:13 +01:00			`options.deployment-TLMS.net.wg = with lib; {`
move to networkd 2022-10-02 21:39:37 +02:00
traffic-stop-box: move out custom config into ./hosts 2022-09-29 19:46:23 +02:00			`ownEndpoint.host = mkOption {`
move to networkd 2022-10-02 21:39:37 +02:00			`type = types.nullOr types.str;`
			`default = null;`
traffic-stop-box: move out custom config into ./hosts 2022-09-29 19:46:23 +02:00			`};`
			`ownEndpoint.port = mkOption {`
			`type = types.port;`
move to networkd 2022-10-02 21:39:37 +02:00			`default = 51820;`
traffic-stop-box: move out custom config into ./hosts 2022-09-29 19:46:23 +02:00			`};`
move to networkd 2022-10-02 21:39:37 +02:00
			`publicKey = mkOption {`
traffic-stop-box: move out custom config into ./hosts 2022-09-29 19:46:23 +02:00			`type = types.str;`
			`default = "";`
move to networkd 2022-10-02 21:39:37 +02:00			`description = "own public key";`
traffic-stop-box: move out custom config into ./hosts 2022-09-29 19:46:23 +02:00			`};`
			`privateKeyFile = mkOption {`
			`type = types.either types.str types.path;`
			`};`
			`addr4 = mkOption {`
move to networkd 2022-10-02 21:39:37 +02:00			`type = types.nullOr types.str;`
			`default = null;`
			`};`

			`prefix4 = mkOption {`
			`type = types.int;`
			`default = 24;`
			`description = "network prefix";`
			`};`

			`extraPeers = mkOption {`
			`description = "extra peers that are not part of the deployment";`
			`type = types.listOf (types.submodule {`
			`options.addr4 = mkOption {`
			`type = types.str;`
			`description = "ip _without_ a network prefix";`
			`};`
			`options.publicKey = mkOption {`
			`type = types.str;`
			`description = "public key";`
			`};`
			`});`
traffic-stop-box: move out custom config into ./hosts 2022-09-29 19:46:23 +02:00			`};`
			`};`

			`config = let`
move to networkd 2022-10-02 21:39:37 +02:00			`# move out as options?`
			`dvbwg-name = "wg-ddvb";`
			`keepalive = 25;`
traffic-stop-box: move out custom config into ./hosts 2022-09-29 19:46:23 +02:00
move to networkd 2022-10-02 21:39:37 +02:00			`# helpers`
REBRANDING. Shit is broken 2022-12-30 18:29:13 +01:00			`peer-systems = (lib.filter (x: (x.config.deployment-TLMS.net.wg.addr4 != cfg.addr4) && (!isNull x.config.deployment-TLMS.net.wg.addr4))`
move to networkd 2022-10-02 21:39:37 +02:00			`(lib.attrValues self.nixosConfigurations));`

			`endpoint =`
			`let`
			`ep = (lib.filter (x:`
REBRANDING. Shit is broken 2022-12-30 18:29:13 +01:00			`x.config.deployment-TLMS.net.wg.addr4 != cfg.addr4`
			`&& (!isNull x.config.deployment-TLMS.net.wg.ownEndpoint.host))`
move to networkd 2022-10-02 21:39:37 +02:00			`(lib.attrValues self.nixosConfigurations));`
			`in`
			`assert lib.assertMsg (lib.length ep == 1) "there should be exactly one endpoint"; ep;`

			`peers = map (x: {`
			`wireguardPeerConfig = {`
REBRANDING. Shit is broken 2022-12-30 18:29:13 +01:00			`PublicKey = x.config.deployment-TLMS.net.wg.publicKey;`
			`AllowedIPs = [ "${x.config.deployment-TLMS.net.wg.addr4}/32" ];`
move to networkd 2022-10-02 21:39:37 +02:00			`PersistentKeepalive = keepalive;`
			`};`
			`}) peer-systems;`

			`ep = [ {`
			`wireguardPeerConfig =`
			`let x = lib.elemAt endpoint 0; in {`
REBRANDING. Shit is broken 2022-12-30 18:29:13 +01:00			`PublicKey = x.config.deployment-TLMS.net.wg.publicKey;`
			`AllowedIPs = [ "${x.config.deployment-TLMS.net.wg.addr4}/${toString cfg.prefix4}" ];`
			`Endpoint = with x.config.deployment-TLMS.net.wg.ownEndpoint; "${host}:${toString port}";`
move to networkd 2022-10-02 21:39:37 +02:00			`PersistentKeepalive = keepalive;`
			`};`
			`} ];`

			`# stuff proper`
			`dvbwg-netdev = {`
			`Kind = "wireguard";`
			`Name = dvbwg-name;`
REBRANDING. Shit is broken 2022-12-30 18:29:13 +01:00			`Description = "TLMS enterprise, highly available, biocomputing-neural-network maintained, converged network";`
move to networkd 2022-10-02 21:39:37 +02:00			`};`

			`dvbwg-wireguard = {`
			`PrivateKeyFile = cfg.privateKeyFile;`
set listen port on endpoint only 2022-10-05 20:47:05 +02:00			`} //`
			`(if !isNull cfg.ownEndpoint.host then { ListenPort = cfg.ownEndpoint.port; } else {});`
move to networkd 2022-10-02 21:39:37 +02:00
			`expeers = map (x: {`
			`wireguardPeerConfig = {`
			`PublicKey = x.publicKey;`
			`AllowedIPs = [ "${x.addr4}/32" ];`
			`PersistentKeepalive = keepalive;`
			`};`
			`}) cfg.extraPeers;`

			`peerconf = if isNull cfg.ownEndpoint.host then ep else (peers ++ expeers);`
			`in`
			`lib.mkIf (!isNull cfg.addr4) {`
			`networking.wireguard.enable = true;`

disable firewall on wireguard 2022-10-04 20:07:53 +02:00			`networking.firewall.trustedInterfaces = [ dvbwg-name ];`

move to networkd 2022-10-02 21:39:37 +02:00			`systemd.network.netdevs."30-${dvbwg-name}" = {`
			`netdevConfig = dvbwg-netdev;`
			`wireguardConfig = dvbwg-wireguard;`
			`wireguardPeers = peerconf;`
			`};`
			`systemd.network.networks."30-${dvbwg-name}" = {`
			`matchConfig.Name = dvbwg-name;`
			`networkConfig = {`
			`Address = "${cfg.addr4}/${toString cfg.prefix4}";`
traffic-stop-box: move out custom config into ./hosts 2022-09-29 19:46:23 +02:00			`};`
			`};`
move to networkd 2022-10-02 21:39:37 +02:00			`};`
			`}`