From c015497773e366dd2c2c96842d3059ed7512ca78 Mon Sep 17 00:00:00 2001
From: Astro
Date: Mon, 5 Apr 2021 15:54:15 +0200
Subject: [PATCH] nixos-module/container/anon: setup wireguard

---
 nix/lib/config/legacy.nix           | 11 ++++++++
 nix/lib/config/options.nix          | 23 +++++++++++++++-
 nix/nixos-module/container/anon.nix | 41 +++++++++++++++++++++++++++++
 nix/nixos-module/default.nix        |  8 +++---
 4 files changed, 77 insertions(+), 6 deletions(-)
 create mode 100644 nix/nixos-module/container/anon.nix

diff --git a/nix/lib/config/legacy.nix b/nix/lib/config/legacy.nix
index 4d1606b..d2df542 100644
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@@ -105,6 +105,17 @@ in
           else null;
         }
       ) container.interfaces;
+
+      wireguard =
+        lib.optionalAttrs (ctPillar ? wireguard-instances) (
+          builtins.mapAttrs (net: wgData: {
+            inherit (builtins.head wgData.peers) endpoint;
+            publicKey = (builtins.head wgData.peers).public_key;
+            privateKey = wgData.private_key;
+            addresses = builtins.filter builtins.isString (
+              builtins.split "[, ]+" wgData.addr
+            );
+          }) ctPillar.wireguard-instances);
       ospf =
         let
           hostPillar = self.lib.saltPillarFor name;
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index c682eb6..97e9053 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -109,7 +109,7 @@ let
           default = null;
         };
         type = mkOption {
-          type = types.enum [ "veth" "phys" ];
+          type = types.enum [ "veth" "phys" "wg" ];
         };
         gw4 = mkOption {
           type = with types; nullOr str;
@@ -179,6 +179,27 @@ let
         type = with types; listOf str;
         default = [];
       };
+      wireguard = mkOption {
+        default = {};
+        type = with types; attrsOf (submodule (
+          { name, ... }: {
+            options = {
+              endpoint = mkOption {
+                type = str;
+              };
+              publicKey = mkOption {
+                type = str;
+              };
+              privateKey = mkOption {
+                type = str;
+              };
+              addresses = mkOption {
+                type = listOf str;
+              };
+            };
+          }
+        ));
+      };
     };
   };
 in
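Review bot: `builtins.head wgData.peers` is evaluated twice inside the new `mapAttrs` function, so any peer after the first is silently dropped and an instance whose `peers` list is empty fails evaluation with a generic list error that does not name the instance. A guard at the top of the function body, `assert builtins.length wgData.peers == 1;` before the `{`, or at least a comment `# only the first peer of a wireguard-instance is used` would make the limitation visible to whoever maintains the pillar. The `net` parameter is unused and could be written as `_`. The enclosing attribute set starts and ends outside the hunk.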
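Review bot: None of the four options declared under `wireguard` in the second options.nix hunk carries a `description`, and the submodule's `{ name, ... }:` argument is never used, so the function wrapper could be dropped in favour of a plain `{ options = … }` set. `privateKey` being typed as a plain `str` makes the key material part of the evaluated configuration; a `description` on it stating that the value is a secret and that consuming modules must not copy it into the Nix store would document that contract for anyone adding a consumer. The enclosing `options` set continues outside the hunk.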
diff --git a/nix/nixos-module/container/anon.nix b/nix/nixos-module/container/anon.nix
new file mode 100644
index 000000000..5651a86
--- /dev/null
+++ b/nix/nixos-module/container/anon.nix
@@ -0,0 +1,41 @@
+{ hostName, config, lib, ... }:
+
+let
+  tunnels = lib.filterAttrs (_: wireguard:
+    wireguard != null
+  ) config.site.hosts.${hostName}.wireguard;
+  firstTunnel =
+    if builtins.length (builtins.attrNames tunnels) > 0
+    then builtins.head (builtins.attrNames tunnels)
+    else null;
+  enabled = firstTunnel != null;
+in
+{
+  systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
+    netdevConfig = {
+      Name = ifName;
+      Kind = "wireguard";
+    };
+    wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;
+    wireguardPeers = [ {
+      wireguardPeerConfig = {
+        PublicKey = wireguard.publicKey;
+        Endpoint = wireguard.endpoint;
+      };
+    } ];
+  }) tunnels;
+  # TODO: qdisc
+
+  systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
+    matchConfig.name = ifName;
+    addresses = map (addr: {
+      addressConfig.Address = addr;
+    }) wireguard.addresses;
+  }) tunnels;
+
+  networking.nat = lib.optionalAttrs (firstTunnel != null) {
+    enable = true;
+    externalInterface = firstTunnel;
+    forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
+  };
+}
diff --git a/nix/nixos-module/default.nix b/nix/nixos-module/default.nix
index e65d686..7200ac6 100644
--- a/nix/nixos-module/default.nix
+++ b/nix/nixos-module/default.nix
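Review bot: The `wireguardConfig.PrivateKeyFile = builtins.toFile …` line writes the WireGuard private key into the Nix store, where it is world-readable on the host and on every machine that receives the system closure; `PrivateKeyFile` should point at a file provisioned outside the store by the deployment's secrets mechanism, with the store path used only for non-secret configuration. The peer under `wireguardPeers` sets no `AllowedIPs`, so the kernel accepts no traffic from the peer and routes nothing into the tunnel, which leaves `networking.nat.externalInterface = firstTunnel` pointing at an interface that carries nothing; for a default-route tunnel the peer needs something like `AllowedIPs = [ "0.0.0.0/0" "::/0" ];` plus a route, so this looks like a missing piece rather than intentional. In the networks block `matchConfig.name` is not a systemd key — networkd's `[Match]` keys are case-sensitive — so it should read `matchConfig.Name = ifName;`, otherwise the match line is ignored. `enabled` is computed but never used; `networking.nat` repeats the `firstTunnel != null` test instead.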
@@ -22,17 +22,15 @@ in {
       ++ optionals (hostConfig.role == "container") [
         ./container/defaults.nix
         ./container/dhcp-server.nix
+        ./container/anon.nix
       ] ++ optionals (
         hostConfig.role == "container" &&
         lib.config.site.hosts.${hostName}.isRouter
       ) [
         ./container/bird.nix
-      ] ++ optionals (
-        builtins.match "upstream.*" hostName != null
-      ) [
+      ] ++ optionals (builtins.match "upstream.*" hostName != null) [
         ./container/upstream.nix
-      ]
-      ++ optionals (hostName == "mgmt-gw") [
+      ] ++ optionals (hostName == "mgmt-gw") [
         ./container/mgmt-gw.nix
       ];
     }
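Review bot: The reflow of the `upstream.*` and `mgmt-gw` `optionals` clauses is unrelated to adding `./container/anon.nix` and turns a one-line import change into a five-line deletion; it would read better as its own commit. `./container/anon.nix` is now imported for every container whether or not it has tunnels, which presumably relies on the `wireguard` option defaulting to an empty set so that the module is a no-op; a comment on the new import line, `# no-op for containers without wireguard tunnels`, would spare the next reader the lookup. The `imports` expression this hunk belongs to starts outside the hunk.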