nixos-module/container/anon: setup wireguard

2021-04-05 15:54:15 +02:00 · 2021-04-05 15:54:15 +02:00 · c015497773
parent dbe5a867a7
commit c015497773
4 changed files with 77 additions and 6 deletions
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@ -105,6 +105,17 @@ in
                    else null;
                }
            ) container.interfaces;
+
+          wireguard =
+            lib.optionalAttrs (ctPillar ? wireguard-instances) (
+              builtins.mapAttrs (net: wgData: {
+                inherit (builtins.head wgData.peers) endpoint;
+                publicKey = (builtins.head wgData.peers).public_key;
+                privateKey = wgData.private_key;
+                addresses = builtins.filter builtins.isString (
+                  builtins.split "[, ]+" wgData.addr
+                );
+              }) ctPillar.wireguard-instances);
          ospf =
            let
              hostPillar = self.lib.saltPillarFor name;
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@ -109,7 +109,7 @@ let
        default = null;
      };
      type = mkOption {
-        type = types.enum [ "veth" "phys" ];
+        type = types.enum [ "veth" "phys" "wg" ];
      };
      gw4 = mkOption {
        type = with types; nullOr str;
@ -179,6 +179,27 @@ let
        type = with types; listOf str;
        default = [];
      };
+      wireguard = mkOption {
+        default = {};
+        type = with types; attrsOf (submodule (
+          { name, ... }: {
+            options = {
+              endpoint = mkOption {
+                type = str;
+              };
+              publicKey = mkOption {
+                type = str;
+              };
+              privateKey = mkOption {
+                type = str;
+              };
+              addresses = mkOption {
+                type = listOf str;
+              };
+            };
+          }
+        ));
+      };
    };
  };
 in
--- a/nix/nixos-module/container/anon.nix
+++ b/nix/nixos-module/container/anon.nix
@ -0,0 +1,41 @@
+{ hostName, config, lib, ... }:
+
+let
+  tunnels = lib.filterAttrs (_: wireguard:
+    wireguard != null
+  ) config.site.hosts.${hostName}.wireguard;
+  firstTunnel =
+    if builtins.length (builtins.attrNames tunnels) > 0
+    then builtins.head (builtins.attrNames tunnels)
+    else null;
+  enabled = firstTunnel != null;
+in
+{
+  systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
+    netdevConfig = {
+      Name = ifName;
+      Kind = "wireguard";
+    };
+    wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;
+    wireguardPeers = [ {
+      wireguardPeerConfig = {
+        PublicKey = wireguard.publicKey;
+        Endpoint = wireguard.endpoint;
+      };
+    } ];
+  }) tunnels;
+  # TODO: qdisc
+  
+  systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
+    matchConfig.name = ifName;
+    addresses = map (addr: {
+      addressConfig.Address = addr;
+    }) wireguard.addresses;
+  }) tunnels;
+
+  networking.nat = lib.optionalAttrs (firstTunnel != null) {
+    enable = true;
+    externalInterface = firstTunnel;
+    forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
+  };
+}
--- a/nix/nixos-module/default.nix
+++ b/nix/nixos-module/default.nix
@ -22,17 +22,15 @@ in {
  ++ optionals (hostConfig.role == "container") [
    ./container/defaults.nix
    ./container/dhcp-server.nix
+    ./container/anon.nix
  ] ++ optionals (
    hostConfig.role == "container" &&
    lib.config.site.hosts.${hostName}.isRouter
  ) [
    ./container/bird.nix
-  ] ++ optionals (
-    builtins.match "upstream.*" hostName != null
-  ) [
+  ] ++ optionals (builtins.match "upstream.*" hostName != null) [
    ./container/upstream.nix
-  ]
-  ++ optionals (hostName == "mgmt-gw") [
+  ] ++ optionals (hostName == "mgmt-gw") [
    ./container/mgmt-gw.nix
  ];
 }