nixos-module/container/anon: setup wireguard
parent
b81923a444
commit
0a03be1469
|
@ -1,4 +1,4 @@
|
|||
{ hostName, config, lib, ... }:
|
||||
{ hostName, config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
tunnels = lib.filterAttrs (_: wireguard:
|
||||
|
@ -9,29 +9,57 @@ let
|
|||
then builtins.head (builtins.attrNames tunnels)
|
||||
else null;
|
||||
enabled = firstTunnel != null;
|
||||
privateKeyFile = ifName:
|
||||
"/run/wireguard-keys/${ifName}.key";
|
||||
in
|
||||
{
|
||||
systemd.services = builtins.foldl' (services: ifName: services // {
|
||||
"wireguard-key-${ifName}" = {
|
||||
description = "Create key file for wireguard interface '${ifName}'";
|
||||
requiredBy = [ "systemd-networkd.service" ];
|
||||
script = ''
|
||||
#! ${pkgs.runtimeShell} -e
|
||||
|
||||
F=${privateKeyFile ifName}
|
||||
mkdir -p -m 0700 $(dirname $F)
|
||||
chown systemd-network:systemd-network $(dirname $F)
|
||||
rm -f $F
|
||||
cat >$F <<EOF
|
||||
${tunnels.${ifName}.privateKey}
|
||||
EOF
|
||||
chmod 0400 $F
|
||||
chown systemd-network:systemd-network $F
|
||||
'';
|
||||
};
|
||||
}) {} (builtins.attrNames tunnels);
|
||||
|
||||
environment.systemPackages = lib.optionals enabled [
|
||||
pkgs.wireguard-tools
|
||||
];
|
||||
|
||||
systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
|
||||
netdevConfig = {
|
||||
Name = ifName;
|
||||
Kind = "wireguard";
|
||||
};
|
||||
wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;
|
||||
wireguardConfig.PrivateKeyFile = privateKeyFile ifName;
|
||||
wireguardPeers = [ {
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = wireguard.publicKey;
|
||||
Endpoint = wireguard.endpoint;
|
||||
AllowedIPs = "0.0.0.0/0, ::/0";
|
||||
};
|
||||
} ];
|
||||
}) tunnels;
|
||||
# TODO: qdisc
|
||||
# TODO: qdisc from upstream pillar
|
||||
|
||||
systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
|
||||
matchConfig.name = ifName;
|
||||
matchConfig.Name = ifName;
|
||||
addresses = map (addr: {
|
||||
addressConfig.Address = addr;
|
||||
}) wireguard.addresses;
|
||||
}) tunnels;
|
||||
# TODO: gw4, gw6
|
||||
|
||||
networking.nat = lib.optionalAttrs (firstTunnel != null) {
|
||||
enable = true;
|
||||
|
|