nixos-module/container/anon: setup wireguard
parent
dbe5a867a7
commit
c015497773
|
@ -105,6 +105,17 @@ in
|
|||
else null;
|
||||
}
|
||||
) container.interfaces;
|
||||
|
||||
wireguard =
|
||||
lib.optionalAttrs (ctPillar ? wireguard-instances) (
|
||||
builtins.mapAttrs (net: wgData: {
|
||||
inherit (builtins.head wgData.peers) endpoint;
|
||||
publicKey = (builtins.head wgData.peers).public_key;
|
||||
privateKey = wgData.private_key;
|
||||
addresses = builtins.filter builtins.isString (
|
||||
builtins.split "[, ]+" wgData.addr
|
||||
);
|
||||
}) ctPillar.wireguard-instances);
|
||||
ospf =
|
||||
let
|
||||
hostPillar = self.lib.saltPillarFor name;
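Review bot: The two `builtins.head wgData.peers` calls (the `inherit … endpoint` line and the `publicKey = …` line) bind only the first peer, so any further peer in the pillar is silently dropped, and an instance with an empty `peers` list aborts evaluation with a bare `head: empty list` message that names neither the host nor the instance. A guard such as `assert wgData.peers != [] || throw "wireguard instance ${net}: no peers";` before the attrset, or mapping over all peers instead of taking the head, would make both cases explicit. Note also that `privateKey = wgData.private_key` copies the key material from the pillar into a plain-string option, so whatever consumes it will end up writing the key into the Nix store unless it is deliberately kept out. The enclosing attribute set and file start and end outside this hunk.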
|
||||
|
|
|
@ -109,7 +109,7 @@ let
|
|||
default = null;
|
||||
};
|
||||
type = mkOption {
|
||||
type = types.enum [ "veth" "phys" ];
|
||||
type = types.enum [ "veth" "phys" "wg" ];
|
||||
};
|
||||
gw4 = mkOption {
|
||||
type = with types; nullOr str;
|
||||
|
@ -179,6 +179,27 @@ let
|
|||
type = with types; listOf str;
|
||||
default = [];
|
||||
};
|
||||
wireguard = mkOption {
|
||||
default = {};
|
||||
type = with types; attrsOf (submodule (
|
||||
{ name, ... }: {
|
||||
options = {
|
||||
endpoint = mkOption {
|
||||
type = str;
|
||||
};
|
||||
publicKey = mkOption {
|
||||
type = str;
|
||||
};
|
||||
privateKey = mkOption {
|
||||
type = str;
|
||||
};
|
||||
addresses = mkOption {
|
||||
type = listOf str;
|
||||
};
|
||||
};
|
||||
}
|
||||
));
|
||||
};
|
||||
};
|
||||
};
|
||||
in
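Review bot: `privateKey = mkOption { type = str; }` makes the WireGuard private key an evaluation-time string, which means any module that uses it will serialise it into the world-readable Nix store; a `privateKeyFile = mkOption { type = path; description = "Path to the WireGuard private key, deployed outside the Nix store and readable by systemd-networkd."; }` would keep the secret out of the store and still work with networkd's `PrivateKeyFile=`. None of the four options has a `description`, so `endpoint` (host:port of the remote peer), `publicKey` (the remote peer's base64 key) and `addresses` (CIDR addresses assigned to the local interface) are undocumented; one sentence each would do. The submodule argument `{ name, ... }:` binds `name` without using it and could be `{ ... }:`. The enclosing `options` set continues outside this hunk.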
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
{ hostName, config, lib, ... }:
|
||||
|
||||
let
|
||||
tunnels = lib.filterAttrs (_: wireguard:
|
||||
wireguard != null
|
||||
) config.site.hosts.${hostName}.wireguard;
|
||||
firstTunnel =
|
||||
if builtins.length (builtins.attrNames tunnels) > 0
|
||||
then builtins.head (builtins.attrNames tunnels)
|
||||
else null;
|
||||
enabled = firstTunnel != null;
|
||||
in
|
||||
{
|
||||
systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
|
||||
netdevConfig = {
|
||||
Name = ifName;
|
||||
Kind = "wireguard";
|
||||
};
|
||||
wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;
|
||||
wireguardPeers = [ {
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = wireguard.publicKey;
|
||||
Endpoint = wireguard.endpoint;
|
||||
};
|
||||
} ];
|
||||
}) tunnels;
|
||||
# TODO: qdisc
|
||||
|
||||
systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
|
||||
matchConfig.name = ifName;
|
||||
addresses = map (addr: {
|
||||
addressConfig.Address = addr;
|
||||
}) wireguard.addresses;
|
||||
}) tunnels;
|
||||
|
||||
networking.nat = lib.optionalAttrs (firstTunnel != null) {
|
||||
enable = true;
|
||||
externalInterface = firstTunnel;
|
||||
forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
|
||||
};
|
||||
}
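Review bot: `wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;` writes the private key into the Nix store, where it is readable by every user on the host and by anything that can reach the store or a binary cache it is pushed to; the key should instead live in a file deployed outside the store (root-owned, group-readable by `systemd-network`) and only its path be passed here. The single peer in `wireguardPeerConfig` sets `PublicKey` and `Endpoint` but no `AllowedIPs`, and without it WireGuard's cryptokey routing will neither send nor accept any packet for that peer, so the tunnel the NAT block then treats as `externalInterface` carries nothing; `AllowedIPs = [ "0.0.0.0/0" "::/0" ];` (or whatever prefixes the exit is meant to route) is needed for the intended use. `matchConfig.name = ifName;` uses a lowercase key, but networkd's `[Match]` key is `Name`, so this should be `matchConfig.Name = ifName;` or the `.network` unit will not match the intended interface. Finally, `firstTunnel` is chosen by `builtins.attrNames` order, i.e. lexically by interface name, so with more than one tunnel the exit interface is picked by name rather than by configuration, and the `enabled` binding is defined but never used.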
|
|
@ -22,17 +22,15 @@ in {
|
|||
++ optionals (hostConfig.role == "container") [
|
||||
./container/defaults.nix
|
||||
./container/dhcp-server.nix
|
||||
./container/anon.nix
|
||||
] ++ optionals (
|
||||
hostConfig.role == "container" &&
|
||||
lib.config.site.hosts.${hostName}.isRouter
|
||||
) [
|
||||
./container/bird.nix
|
||||
] ++ optionals (
|
||||
builtins.match "upstream.*" hostName != null
|
||||
) [
|
||||
] ++ optionals (builtins.match "upstream.*" hostName != null) [
|
||||
./container/upstream.nix
|
||||
]
|
||||
++ optionals (hostName == "mgmt-gw") [
|
||||
] ++ optionals (hostName == "mgmt-gw") [
|
||||
./container/mgmt-gw.nix
|
||||
];
|
||||
}
|
||||
|
|