summaryrefslogtreecommitdiffstats
path: root/lass/2configs/wirelum.nix
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2018-12-12 17:53:38 +0100
committermakefu <github@syntax-fehler.de>2018-12-12 17:53:38 +0100
commit97aaf34c3311291ac47967ac1313e2d955b8228a (patch)
treed119d7ae674863f645e840e14bde0fbfe6f6a16c /lass/2configs/wirelum.nix
parent2e18ee84f02c0d7abcf936b1d39c42ab8e75825c (diff)
parent25cf61f6a74b69656d15f52021f25a6c2e4068e6 (diff)
Merge remote-tracking branch 'lass/master' into HEAD
Diffstat (limited to 'lass/2configs/wirelum.nix')
-rw-r--r--lass/2configs/wirelum.nix44
1 files changed, 44 insertions, 0 deletions
diff --git a/lass/2configs/wirelum.nix b/lass/2configs/wirelum.nix
new file mode 100644
index 000000000..cd8a20c6b
--- /dev/null
+++ b/lass/2configs/wirelum.nix
@@ -0,0 +1,44 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+ self = config.krebs.build.host.nets.wirelum;
+ isRouter = !isNull self.via;
+
+in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) {
+ #hack for modprobe inside containers
+ systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [
+ (pkgs.writeDashBin "modprobe" ":")
+ ]);
+
+ boot.kernel.sysctl = mkIf isRouter {
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
+ { precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; }
+ ];
+
+ networking.wireguard.interfaces.wirelum = {
+ ips =
+ (optional (!isNull self.ip4) self.ip4.addr) ++
+ (optional (!isNull self.ip6) self.ip6.addr);
+ listenPort = 51820;
+ privateKeyFile = (toString <secrets>) + "/wirelum.key";
+ allowedIPsAsRoutes = true;
+ peers = mapAttrsToList
+ (_: host: {
+ allowedIPs = if isRouter then
+ (optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++
+ (optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr)
+ else
+ host.nets.wirelum.wireguard.subnets
+ ;
+ endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}");
+ persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61;
+ publicKey = host.nets.wirelum.wireguard.pubkey;
+ })
+ (filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts);
+ };
+}