diff options
author | makefu <github@syntax-fehler.de> | 2018-12-12 17:53:38 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2018-12-12 17:53:38 +0100 |
commit | 97aaf34c3311291ac47967ac1313e2d955b8228a (patch) | |
tree | d119d7ae674863f645e840e14bde0fbfe6f6a16c /lass/2configs/wirelum.nix | |
parent | 2e18ee84f02c0d7abcf936b1d39c42ab8e75825c (diff) | |
parent | 25cf61f6a74b69656d15f52021f25a6c2e4068e6 (diff) |
Merge remote-tracking branch 'lass/master' into HEAD
Diffstat (limited to 'lass/2configs/wirelum.nix')
-rw-r--r-- | lass/2configs/wirelum.nix | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/lass/2configs/wirelum.nix b/lass/2configs/wirelum.nix new file mode 100644 index 000000000..cd8a20c6b --- /dev/null +++ b/lass/2configs/wirelum.nix @@ -0,0 +1,44 @@ +with import <stockholm/lib>; +{ config, pkgs, ... }: let + + self = config.krebs.build.host.nets.wirelum; + isRouter = !isNull self.via; + +in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) { + #hack for modprobe inside containers + systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [ + (pkgs.writeDashBin "modprobe" ":") + ]); + + boot.kernel.sysctl = mkIf isRouter { + "net.ipv6.conf.all.forwarding" = 1; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ + { precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; } + ]; + + networking.wireguard.interfaces.wirelum = { + ips = + (optional (!isNull self.ip4) self.ip4.addr) ++ + (optional (!isNull self.ip6) self.ip6.addr); + listenPort = 51820; + privateKeyFile = (toString <secrets>) + "/wirelum.key"; + allowedIPsAsRoutes = true; + peers = mapAttrsToList + (_: host: { + allowedIPs = if isRouter then + (optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++ + (optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr) + else + host.nets.wirelum.wireguard.subnets + ; + endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}"); + persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61; + publicKey = host.nets.wirelum.wireguard.pubkey; + }) + (filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts); + }; +} |