summaryrefslogtreecommitdiffstats
path: root/makefu/2configs/wireguard/wiregrill.nix
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2019-09-11 10:34:02 +0200
committertv <tv@krebsco.de>2019-09-11 10:34:02 +0200
commit0182f1bd64973e93d4cf4c30b6005708b7e09240 (patch)
treef5a318fee1572b9b35f9f321d4ac707bc7935792 /makefu/2configs/wireguard/wiregrill.nix
parente388d02623b98bad5db52b29ea1ef1f494fddae8 (diff)
parent5d24345ff430df38263c113041070a900c23131e (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'makefu/2configs/wireguard/wiregrill.nix')
-rw-r--r--makefu/2configs/wireguard/wiregrill.nix46
1 files changed, 46 insertions, 0 deletions
diff --git a/makefu/2configs/wireguard/wiregrill.nix b/makefu/2configs/wireguard/wiregrill.nix
new file mode 100644
index 00000000..08209075
--- /dev/null
+++ b/makefu/2configs/wireguard/wiregrill.nix
@@ -0,0 +1,46 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+ self = config.krebs.build.host.nets.wiregrill;
+ isRouter = !isNull self.via; # via "internet" is not set
+ ext-if = config.makefu.server.primary-itf;
+
+in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
+ #hack for modprobe inside containers
+ systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
+ (pkgs.writeDashBin "modprobe" ":")
+ ]);
+
+ boot.kernel.sysctl = mkIf isRouter {
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ networking.firewall = {
+ allowedUDPPorts = [ self.wireguard.port ];
+ extraCommands = ''
+ iptables -A FORWARD -i wiregrill -o wiregrill -j ACCEPT
+ '';
+ };
+
+ networking.wireguard.interfaces.wiregrill = {
+ ips =
+ (optional (!isNull self.ip4) self.ip4.addr) ++
+ (optional (!isNull self.ip6) self.ip6.addr);
+ listenPort = self.wireguard.port;
+ privateKeyFile = (toString <secrets>) + "/wiregrill.key";
+ allowedIPsAsRoutes = true;
+ peers = mapAttrsToList
+ (_: host: {
+ allowedIPs = if isRouter then
+ (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
+ (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
+ else
+ host.nets.wiregrill.wireguard.subnets
+ ;
+ endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
+ persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
+ publicKey = (replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey);
+ })
+ (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
+ };
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-13 15:13:42 +0000