nixos-module/container/anon: route
This commit is contained in:
parent
55fccbb4e0
commit
8807ce4435
|
@ -1,6 +1,8 @@
|
||||||
{ hostName, config, lib, pkgs, ... }:
|
{ hostName, config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
gateway = "upstream1";
|
||||||
|
|
||||||
tunnels = lib.filterAttrs (_: wireguard:
|
tunnels = lib.filterAttrs (_: wireguard:
|
||||||
wireguard != null
|
wireguard != null
|
||||||
) config.site.hosts.${hostName}.wireguard;
|
) config.site.hosts.${hostName}.wireguard;
|
||||||
|
@ -9,6 +11,7 @@ let
|
||||||
then builtins.head (builtins.attrNames tunnels)
|
then builtins.head (builtins.attrNames tunnels)
|
||||||
else null;
|
else null;
|
||||||
enabled = firstTunnel != null;
|
enabled = firstTunnel != null;
|
||||||
|
|
||||||
privateKeyFile = ifName:
|
privateKeyFile = ifName:
|
||||||
"/run/wireguard-keys/${ifName}.key";
|
"/run/wireguard-keys/${ifName}.key";
|
||||||
in
|
in
|
||||||
|
@ -53,15 +56,29 @@ in
|
||||||
};
|
};
|
||||||
} ];
|
} ];
|
||||||
}) tunnels;
|
}) tunnels;
|
||||||
# TODO: qdisc from upstream pillar
|
|
||||||
|
|
||||||
systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
|
systemd.network.networks = {
|
||||||
|
# Endpoint host-routes
|
||||||
|
core.routes = map (wireguard: {
|
||||||
|
routeConfig = {
|
||||||
|
Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";
|
||||||
|
Gateway = config.site.net.core.hosts4.${gateway};
|
||||||
|
};
|
||||||
|
}) (builtins.attrValues tunnels);
|
||||||
|
} // builtins.mapAttrs (ifName: wireguard: {
|
||||||
|
# Wireguard interfaces
|
||||||
matchConfig.Name = ifName;
|
matchConfig.Name = ifName;
|
||||||
|
|
||||||
addresses = map (addr: {
|
addresses = map (addr: {
|
||||||
addressConfig.Address = addr;
|
addressConfig.Address = addr;
|
||||||
}) wireguard.addresses;
|
}) wireguard.addresses;
|
||||||
|
|
||||||
|
# IPv4 default route
|
||||||
networkConfig.DefaultRouteOnDevice = true;
|
networkConfig.DefaultRouteOnDevice = true;
|
||||||
|
# IPv6 default route
|
||||||
|
routes = [ {
|
||||||
|
routeConfig.Destination = "::/0";
|
||||||
|
} ];
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
[CAKE]
|
[CAKE]
|
||||||
|
@ -74,6 +91,8 @@ in
|
||||||
|
|
||||||
networking.nat = lib.optionalAttrs (firstTunnel != null) {
|
networking.nat = lib.optionalAttrs (firstTunnel != null) {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
enableIPv6 = true;
|
||||||
|
internalInterfaces = [ "core" ];
|
||||||
externalInterface = firstTunnel;
|
externalInterface = firstTunnel;
|
||||||
forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
|
forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
|
||||||
};
|
};
|
||||||
|
|
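Review bot: `Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";` in the new `core.routes` list assumes every tunnel endpoint is an IPv4 literal followed by `:port`: an endpoint without a port makes `builtins.match` return `null` and `builtins.head` fails with an opaque evaluation error, a bracketed IPv6 literal is captured greedily as `[addr]` so the resulting `[addr]/32` destination is invalid, and a hostname endpoint would be emitted as `hostname/32`. Tightening the pattern and failing with a readable message would be safer, e.g. `Destination = let m = builtins.match "([0-9.]+):[0-9]+" wireguard.endpoint;` / `in assert m != null; builtins.head m + "/32";`. Since these host routes via `hosts4.${gateway}` appear to exist so the endpoints are not reached through the tunnel's own default route, note that the hunk also adds an IPv6 default (`routeConfig.Destination = "::/0";`) without any IPv6 equivalent of the host route; if an endpoint is ever IPv6, this presumably needs the same treatment. The `mapAttrs` body for the Wireguard interfaces continues past the end of the hunk.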