nixos-module/container/anon: setup wireguard
parent
b81923a444
commit
0a03be1469
|
@ -1,4 +1,4 @@
|
||||||
{ hostName, config, lib, ... }:
|
{ hostName, config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
tunnels = lib.filterAttrs (_: wireguard:
|
tunnels = lib.filterAttrs (_: wireguard:
|
||||||
|
@ -9,29 +9,57 @@ let
|
||||||
then builtins.head (builtins.attrNames tunnels)
|
then builtins.head (builtins.attrNames tunnels)
|
||||||
else null;
|
else null;
|
||||||
enabled = firstTunnel != null;
|
enabled = firstTunnel != null;
|
||||||
|
privateKeyFile = ifName:
|
||||||
|
"/run/wireguard-keys/${ifName}.key";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
systemd.services = builtins.foldl' (services: ifName: services // {
|
||||||
|
"wireguard-key-${ifName}" = {
|
||||||
|
description = "Create key file for wireguard interface '${ifName}'";
|
||||||
|
requiredBy = [ "systemd-networkd.service" ];
|
||||||
|
script = ''
|
||||||
|
#! ${pkgs.runtimeShell} -e
|
||||||
|
|
||||||
|
F=${privateKeyFile ifName}
|
||||||
|
mkdir -p -m 0700 $(dirname $F)
|
||||||
|
chown systemd-network:systemd-network $(dirname $F)
|
||||||
|
rm -f $F
|
||||||
|
cat >$F <<EOF
|
||||||
|
${tunnels.${ifName}.privateKey}
|
||||||
|
EOF
|
||||||
|
chmod 0400 $F
|
||||||
|
chown systemd-network:systemd-network $F
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}) {} (builtins.attrNames tunnels);
|
||||||
|
|
||||||
|
environment.systemPackages = lib.optionals enabled [
|
||||||
|
pkgs.wireguard-tools
|
||||||
|
];
|
||||||
|
|
||||||
systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
|
systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
|
||||||
netdevConfig = {
|
netdevConfig = {
|
||||||
Name = ifName;
|
Name = ifName;
|
||||||
Kind = "wireguard";
|
Kind = "wireguard";
|
||||||
};
|
};
|
||||||
wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;
|
wireguardConfig.PrivateKeyFile = privateKeyFile ifName;
|
||||||
wireguardPeers = [ {
|
wireguardPeers = [ {
|
||||||
wireguardPeerConfig = {
|
wireguardPeerConfig = {
|
||||||
PublicKey = wireguard.publicKey;
|
PublicKey = wireguard.publicKey;
|
||||||
Endpoint = wireguard.endpoint;
|
Endpoint = wireguard.endpoint;
|
||||||
|
AllowedIPs = "0.0.0.0/0, ::/0";
|
||||||
};
|
};
|
||||||
} ];
|
} ];
|
||||||
}) tunnels;
|
}) tunnels;
|
||||||
# TODO: qdisc
|
# TODO: qdisc from upstream pillar
|
||||||
|
|
||||||
systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
|
systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
|
||||||
matchConfig.name = ifName;
|
matchConfig.Name = ifName;
|
||||||
addresses = map (addr: {
|
addresses = map (addr: {
|
||||||
addressConfig.Address = addr;
|
addressConfig.Address = addr;
|
||||||
}) wireguard.addresses;
|
}) wireguard.addresses;
|
||||||
}) tunnels;
|
}) tunnels;
|
||||||
|
# TODO: gw4, gw6
|
||||||
|
|
||||||
networking.nat = lib.optionalAttrs (firstTunnel != null) {
|
networking.nat = lib.optionalAttrs (firstTunnel != null) {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
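Review bot: The key-writing unit is only declared with `requiredBy = [ "systemd-networkd.service" ]`, and a `Requires=` dependency carries no ordering, so systemd-networkd can start and read `PrivateKeyFile` before the script has written `/run/wireguard-keys/${ifName}.key`; since the unit is not `oneshot` either, the dependant would not wait for the script to finish even when ordered. Add `before = [ "systemd-networkd.service" ];` and `serviceConfig.Type = "oneshot";` alongside `requiredBy`. Note also that `${tunnels.${ifName}.privateKey}` is interpolated into `script`, so the key material still ends up in the world-readable Nix store as the generated unit script — the same exposure that dropping `builtins.toFile` appears intended to remove; having the script read the key at runtime from a path outside the store would close that. Quoting `"$F"` in the shell lines would make the script robust to unusual interface names.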