nixos-module/container/anon: route

This commit is contained in:
Astro 2021-04-06 21:02:09 +02:00
parent 55fccbb4e0
commit 8807ce4435
1 changed files with 21 additions and 2 deletions


@ -1,6 +1,8 @@
{ hostName, config, lib, pkgs, ... }:
let
gateway = "upstream1";
tunnels = lib.filterAttrs (_: wireguard:
wireguard != null
) config.site.hosts.${hostName}.wireguard;
@ -9,6 +11,7 @@ let
then builtins.head (builtins.attrNames tunnels)
else null;
enabled = firstTunnel != null;
privateKeyFile = ifName:
"/run/wireguard-keys/${ifName}.key";
in
@ -53,15 +56,29 @@ in
};
} ];
}) tunnels;
# TODO: qdisc from upstream pillar
systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
systemd.network.networks = {
# Endpoint host-routes
core.routes = map (wireguard: {
routeConfig = {
Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";
Gateway = config.site.net.core.hosts4.${gateway};
};
}) (builtins.attrValues tunnels);
} // builtins.mapAttrs (ifName: wireguard: {
# Wireguard interfaces
matchConfig.Name = ifName;
addresses = map (addr: {
addressConfig.Address = addr;
}) wireguard.addresses;
# IPv4 default route
networkConfig.DefaultRouteOnDevice = true;
# IPv6 default route
routes = [ {
routeConfig.Destination = "::/0";
} ];
extraConfig = ''
[CAKE]
@ -74,6 +91,8 @@ in
networking.nat = lib.optionalAttrs (firstTunnel != null) {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "core" ];
externalInterface = firstTunnel;
forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
};
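Review bot: The endpoint host-route `Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";` assumes every `wireguard.endpoint` is an IPv4 literal followed by `:port`: a DNS-name endpoint produces an invalid Destination such as `vpn.example/32`, a bracketed IPv6 endpoint is captured greedily up to its last colon and then suffixed with `/32`, and an endpoint with no colon makes `builtins.match` return null so `builtins.head` aborts evaluation. Since this route is presumably what keeps the outer WireGuard packets on `gateway` instead of being swallowed by the tunnel's own default routes (`DefaultRouteOnDevice` and `::/0` further down), a wrong route fails closed but without a clear error. I would tighten the pattern to `builtins.match "([0-9.]+):[0-9]+" wireguard.endpoint` and state the constraint above the `core.routes` map with `# endpoint must be an IPv4 literal with port; the host-route pins it to the upstream gateway so it bypasses the tunnel's default route`. Separately, every entry in `tunnels` receives an IPv4 and IPv6 default route with no Metric while `networking.nat.externalInterface` is only `firstTunnel`, so with more than one tunnel configured forwarded traffic may egress through another tunnel un-NATed; if multiple tunnels are not meant to be supported, an assertion such as `assert builtins.length (builtins.attrNames tunnels) <= 1;` would make that explicit. The module attribute set continues outside the last hunk.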