|
|
|
@ -14,6 +14,9 @@ let
|
|
|
|
|
|
|
|
|
|
privateKeyFile = ifName:
|
|
|
|
|
"/run/wireguard-keys/${ifName}.key";
|
|
|
|
|
|
|
|
|
|
wireguardMark = 1;
|
|
|
|
|
vpn4Table = 100;
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
systemd.services = builtins.foldl' (services: ifName: services // {
|
|
|
|
@ -47,7 +50,11 @@ in
|
|
|
|
|
Name = ifName;
|
|
|
|
|
Kind = "wireguard";
|
|
|
|
|
};
|
|
|
|
|
wireguardConfig.PrivateKeyFile = privateKeyFile ifName;
|
|
|
|
|
wireguardConfig = {
|
|
|
|
|
PrivateKeyFile = privateKeyFile ifName;
|
|
|
|
|
# Mark for routing with another routing table
|
|
|
|
|
FirewallMark = wireguardMark;
|
|
|
|
|
};
|
|
|
|
|
wireguardPeers = [ {
|
|
|
|
|
wireguardPeerConfig = {
|
|
|
|
|
PublicKey = wireguard.publicKey;
|
|
|
|
@ -58,13 +65,15 @@ in
|
|
|
|
|
}) tunnels;
|
|
|
|
|
|
|
|
|
|
systemd.network.networks = {
|
|
|
|
|
# Endpoint host-routes
|
|
|
|
|
core.routes = map (wireguard: {
|
|
|
|
|
routeConfig = {
|
|
|
|
|
Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";
|
|
|
|
|
Gateway = config.site.net.core.hosts4.${gateway};
|
|
|
|
|
# Wireguard transported through another routing table
|
|
|
|
|
# (containing upstream by bird ospf)
|
|
|
|
|
core.routingPolicyRules = [ {
|
|
|
|
|
# Marked wireguard packets take the vpn4 routing table
|
|
|
|
|
routingPolicyRuleConfig = {
|
|
|
|
|
Table = vpn4Table;
|
|
|
|
|
FirewallMark = wireguardMark;
|
|
|
|
|
};
|
|
|
|
|
}) (builtins.attrValues tunnels);
|
|
|
|
|
} ];
|
|
|
|
|
} // builtins.mapAttrs (ifName: wireguard: {
|
|
|
|
|
# Wireguard interfaces
|
|
|
|
|
matchConfig.Name = ifName;
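Review bot: The routing-policy rule added in this hunk (`Table = vpn4Table; FirewallMark = wireguardMark;`) steers every packet carrying fwmark 1 into table 100, yet `wireguardMark = 1` is a bare host-wide value and nothing records that other mark users (including the firewall this file still lists as TODO) must avoid it; a comment at the definition such as `# fwmark set on WireGuard transport packets; must not collide with marks set by the firewall or other rules` would make that constraint explicit. The rule also sets no `Priority`, so its position relative to any other rules on the host is left to networkd defaults — pin it if ordering matters. The `Destination` host-route in `core.routes` assumes an IPv4 `host:port` endpoint: the greedy `(.+):.*` match plus the hard-coded `/32` would produce an invalid destination for a bracketed IPv6 or hostname endpoint, and since the page does not show whether that line is new here, at least a comment stating the IPv4-literal assumption is warranted. The attribute set this hunk edits begins and ends outside the hunk.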
|
|
|
|
@ -97,5 +106,13 @@ in
|
|
|
|
|
inherit (config.site.hosts.${hostName}) forwardPorts;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# Configure rt_table name
|
|
|
|
|
networking.iproute2 = {
|
|
|
|
|
enable = true;
|
|
|
|
|
rttablesExtraConfig = ''
|
|
|
|
|
${toString vpn4Table} vpn4
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# TODO: firewall
|
|
|
|
|
}
|
|
|
|
|