nixos-module/container/anon: setup wireguard

2021-04-06 19:12:22 +02:00 · 2021-04-06 19:12:22 +02:00 · 0a03be1469
parent b81923a444
commit 0a03be1469
1 changed files with 33 additions and 5 deletions
--- a/nix/nixos-module/container/anon.nix
+++ b/nix/nixos-module/container/anon.nix
@ -1,4 +1,4 @@
-{ hostName, config, lib, ... }:
+{ hostName, config, lib, pkgs, ... }:

 let
  tunnels = lib.filterAttrs (_: wireguard:
@ -9,29 +9,57 @@ let
    then builtins.head (builtins.attrNames tunnels)
    else null;
  enabled = firstTunnel != null;
+  privateKeyFile = ifName:
+    "/run/wireguard-keys/${ifName}.key";
 in
 {
+  systemd.services = builtins.foldl' (services: ifName: services // {
+    "wireguard-key-${ifName}" = {
+      description = "Create key file for wireguard interface '${ifName}'";
+      requiredBy = [ "systemd-networkd.service" ];
+      script = ''
+        #! ${pkgs.runtimeShell} -e
+
+        F=${privateKeyFile ifName}
+        mkdir -p -m 0700 $(dirname $F)
+        chown systemd-network:systemd-network $(dirname $F)
+        rm -f $F
+        cat >$F <<EOF
+        ${tunnels.${ifName}.privateKey}
+        EOF
+        chmod 0400 $F
+        chown systemd-network:systemd-network $F
+      '';
+    };
+  }) {} (builtins.attrNames tunnels);
+
+  environment.systemPackages = lib.optionals enabled [
+    pkgs.wireguard-tools
+  ];
+
  systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
    netdevConfig = {
      Name = ifName;
      Kind = "wireguard";
    };
-    wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;
+    wireguardConfig.PrivateKeyFile = privateKeyFile ifName;
    wireguardPeers = [ {
      wireguardPeerConfig = {
        PublicKey = wireguard.publicKey;
        Endpoint = wireguard.endpoint;
+        AllowedIPs = "0.0.0.0/0, ::/0";
      };
    } ];
  }) tunnels;
-  # TODO: qdisc
-  
+  # TODO: qdisc from upstream pillar
+
  systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
-    matchConfig.name = ifName;
+    matchConfig.Name = ifName;
    addresses = map (addr: {
      addressConfig.Address = addr;
    }) wireguard.addresses;
  }) tunnels;
+  # TODO: gw4, gw6

  networking.nat = lib.optionalAttrs (firstTunnel != null) {
    enable = true;