nixos-module/container/anon: route
This commit is contained in:
parent
55fccbb4e0
commit
8807ce4435
|
@ -1,6 +1,8 @@
|
|||
{ hostName, config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
gateway = "upstream1";
|
||||
|
||||
tunnels = lib.filterAttrs (_: wireguard:
|
||||
wireguard != null
|
||||
) config.site.hosts.${hostName}.wireguard;
|
||||
|
@ -9,6 +11,7 @@ let
|
|||
then builtins.head (builtins.attrNames tunnels)
|
||||
else null;
|
||||
enabled = firstTunnel != null;
|
||||
|
||||
privateKeyFile = ifName:
|
||||
"/run/wireguard-keys/${ifName}.key";
|
||||
in
|
||||
|
@ -53,15 +56,29 @@ in
|
|||
};
|
||||
} ];
|
||||
}) tunnels;
|
||||
# TODO: qdisc from upstream pillar
|
||||
|
||||
systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
|
||||
systemd.network.networks = {
|
||||
# Endpoint host-routes
|
||||
core.routes = map (wireguard: {
|
||||
routeConfig = {
|
||||
Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";
|
||||
Gateway = config.site.net.core.hosts4.${gateway};
|
||||
};
|
||||
}) (builtins.attrValues tunnels);
|
||||
} // builtins.mapAttrs (ifName: wireguard: {
|
||||
# Wireguard interfaces
|
||||
matchConfig.Name = ifName;
|
||||
|
||||
addresses = map (addr: {
|
||||
addressConfig.Address = addr;
|
||||
}) wireguard.addresses;
|
||||
|
||||
# IPv4 default route
|
||||
networkConfig.DefaultRouteOnDevice = true;
|
||||
# IPv6 default route
|
||||
routes = [ {
|
||||
routeConfig.Destination = "::/0";
|
||||
} ];
|
||||
|
||||
extraConfig = ''
|
||||
[CAKE]
|
||||
|
@ -74,6 +91,8 @@ in
|
|||
|
||||
networking.nat = lib.optionalAttrs (firstTunnel != null) {
|
||||
enable = true;
|
||||
enableIPv6 = true;
|
||||
internalInterfaces = [ "core" ];
|
||||
externalInterface = firstTunnel;
|
||||
forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
|
||||
};
|
||||
|
|
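Review bot: The host-route `Destination` in the third hunk derives the endpoint address with `builtins.match "(.+):.*" wireguard.endpoint`, which is only correct for a literal `IPv4:port` endpoint: a hostname endpoint yields a `Destination` that is not an address, a bracketed IPv6 literal is greedily cut at its last colon and produces `[…]/32`, and an endpoint without a colon makes `match` return `null` so `builtins.head null` aborts evaluation with an unrelated error. Given the tunnel interfaces get `DefaultRouteOnDevice = true` in the same hunk, this route appears to be what keeps the WireGuard handshake traffic off the tunnel itself, so a silently wrong route would presumably leave the tunnel unable to come up rather than fail loudly at build time. I would narrow the regex to an IPv4 literal and fail with a clear message when it does not match; the `Gateway` lookup in `hosts4` already restricts this to IPv4, which is worth a comment at `gateway = "upstream1";` in the first hunk. The fourth hunk's `lib.optionalAttrs (firstTunnel != null)` could also reuse the `enabled` binding from the second hunk, if that binding is not used elsewhere in the file for a different purpose.

```nix
core.routes = map (wireguard:
  let
    # Only a literal IPv4 address can be turned into a /32 host-route;
    # hostnames and [v6]:port endpoints would produce an invalid Destination.
    endpointHost = builtins.match "([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+):[0-9]+" wireguard.endpoint;
  in {
    routeConfig = {
      Destination =
        if endpointHost == null
        then throw "wireguard endpoint ${wireguard.endpoint}: expected a literal IPv4:port"
        else builtins.head endpointHost + "/32";
      Gateway = config.site.net.core.hosts4.${gateway};
    };
  }) (builtins.attrValues tunnels);
```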