nixos-module/container/anon: setup wireguard
parent
dbe5a867a7
commit
c015497773
|
@ -105,6 +105,17 @@ in
|
||||||
else null;
|
else null;
|
||||||
}
|
}
|
||||||
) container.interfaces;
|
) container.interfaces;
|
||||||
|
|
||||||
|
wireguard =
|
||||||
|
lib.optionalAttrs (ctPillar ? wireguard-instances) (
|
||||||
|
builtins.mapAttrs (net: wgData: {
|
||||||
|
inherit (builtins.head wgData.peers) endpoint;
|
||||||
|
publicKey = (builtins.head wgData.peers).public_key;
|
||||||
|
privateKey = wgData.private_key;
|
||||||
|
addresses = builtins.filter builtins.isString (
|
||||||
|
builtins.split "[, ]+" wgData.addr
|
||||||
|
);
|
||||||
|
}) ctPillar.wireguard-instances);
|
||||||
ospf =
|
ospf =
|
||||||
let
|
let
|
||||||
hostPillar = self.lib.saltPillarFor name;
|
hostPillar = self.lib.saltPillarFor name;
|
||||||
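Review bot: `builtins.head wgData.peers` on the `inherit … endpoint` and `publicKey` lines aborts evaluation for an instance whose `peers` list is empty, and silently discards every peer after the first for an instance that has several; a `throw "wireguard instance ${net} has no peers"` for the empty case, or at least a comment stating that only the first peer is consumed, would make this explicit. The `addresses` value can also contain empty strings, because `builtins.split "[, ]+"` yields `""` at either end when `wgData.addr` starts or ends with a separator and `builtins.isString` lets that through; the filter should be `builtins.filter (s: builtins.isString s && s != "")`. The enclosing attribute set (`ospf` follows it) continues outside the hunk.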
|
|
|
@ -109,7 +109,7 @@ let
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
type = mkOption {
|
type = mkOption {
|
||||||
type = types.enum [ "veth" "phys" ];
|
type = types.enum [ "veth" "phys" "wg" ];
|
||||||
};
|
};
|
||||||
gw4 = mkOption {
|
gw4 = mkOption {
|
||||||
type = with types; nullOr str;
|
type = with types; nullOr str;
|
||||||
|
@ -179,6 +179,27 @@ let
|
||||||
type = with types; listOf str;
|
type = with types; listOf str;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
wireguard = mkOption {
|
||||||
|
default = {};
|
||||||
|
type = with types; attrsOf (submodule (
|
||||||
|
{ name, ... }: {
|
||||||
|
options = {
|
||||||
|
endpoint = mkOption {
|
||||||
|
type = str;
|
||||||
|
};
|
||||||
|
publicKey = mkOption {
|
||||||
|
type = str;
|
||||||
|
};
|
||||||
|
privateKey = mkOption {
|
||||||
|
type = str;
|
||||||
|
};
|
||||||
|
addresses = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
));
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
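Review bot: None of the four `mkOption` declarations under `wireguard` (`endpoint`, `publicKey`, `privateKey`, `addresses`) carries a `description`, so the new option does not appear meaningfully in generated documentation and the contract of `privateKey` in particular is undeclared. I would add one-line descriptions, and for `privateKey` something like `description = "WireGuard private key of this host (secret); consumers must not copy it into the Nix store";`, since the module that reads it in this commit appears to do exactly that. The `{ name, ... }:` argument of the submodule is never used and can be dropped. The enclosing `options` set starts outside the hunk.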
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
{ hostName, config, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
tunnels = lib.filterAttrs (_: wireguard:
|
||||||
|
wireguard != null
|
||||||
|
) config.site.hosts.${hostName}.wireguard;
|
||||||
|
firstTunnel =
|
||||||
|
if builtins.length (builtins.attrNames tunnels) > 0
|
||||||
|
then builtins.head (builtins.attrNames tunnels)
|
||||||
|
else null;
|
||||||
|
enabled = firstTunnel != null;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
|
||||||
|
netdevConfig = {
|
||||||
|
Name = ifName;
|
||||||
|
Kind = "wireguard";
|
||||||
|
};
|
||||||
|
wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;
|
||||||
|
wireguardPeers = [ {
|
||||||
|
wireguardPeerConfig = {
|
||||||
|
PublicKey = wireguard.publicKey;
|
||||||
|
Endpoint = wireguard.endpoint;
|
||||||
|
};
|
||||||
|
} ];
|
||||||
|
}) tunnels;
|
||||||
|
# TODO: qdisc
|
||||||
|
|
||||||
|
systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
|
||||||
|
matchConfig.name = ifName;
|
||||||
|
addresses = map (addr: {
|
||||||
|
addressConfig.Address = addr;
|
||||||
|
}) wireguard.addresses;
|
||||||
|
}) tunnels;
|
||||||
|
|
||||||
|
networking.nat = lib.optionalAttrs (firstTunnel != null) {
|
||||||
|
enable = true;
|
||||||
|
externalInterface = firstTunnel;
|
||||||
|
forwardPorts = config.site.hosts.${hostName}.forwardedPorts;
|
||||||
|
};
|
||||||
|
}
|
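Review bot: `wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;` writes the WireGuard private key into the Nix store, where it is world-readable on the host and travels with the closure to any cache or copied store; `PrivateKeyFile` should instead reference a file deployed outside the store with mode 0640 and group `systemd-network`, e.g. by changing the option to carry a path rather than the key material. The peer block sets `PublicKey` and `Endpoint` but no `AllowedIPs`, so WireGuard's cryptokey routing accepts nothing from the peer and sends nothing to it; given `networking.nat.externalInterface = firstTunnel` the intent seems to be a default route through the tunnel, which would need `AllowedIPs = [ "0.0.0.0/0" "::/0" ];` plus a matching route unless that is configured elsewhere. `matchConfig.name = ifName;` looks like it should be `matchConfig.Name = ifName;`, as the networkd `[Match]` key is capitalised and NixOS checks the keys of that section. The `# TODO: qdisc` placeholder would be more useful with a sentence on what queueing discipline is intended and why.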
|
@ -22,17 +22,15 @@ in {
|
||||||
++ optionals (hostConfig.role == "container") [
|
++ optionals (hostConfig.role == "container") [
|
||||||
./container/defaults.nix
|
./container/defaults.nix
|
||||||
./container/dhcp-server.nix
|
./container/dhcp-server.nix
|
||||||
|
./container/anon.nix
|
||||||
] ++ optionals (
|
] ++ optionals (
|
||||||
hostConfig.role == "container" &&
|
hostConfig.role == "container" &&
|
||||||
lib.config.site.hosts.${hostName}.isRouter
|
lib.config.site.hosts.${hostName}.isRouter
|
||||||
) [
|
) [
|
||||||
./container/bird.nix
|
./container/bird.nix
|
||||||
] ++ optionals (
|
] ++ optionals (builtins.match "upstream.*" hostName != null) [
|
||||||
builtins.match "upstream.*" hostName != null
|
|
||||||
) [
|
|
||||||
./container/upstream.nix
|
./container/upstream.nix
|
||||||
]
|
] ++ optionals (hostName == "mgmt-gw") [
|
||||||
++ optionals (hostName == "mgmt-gw") [
|
|
||||||
./container/mgmt-gw.nix
|
./container/mgmt-gw.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|