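# NixOS module: a full-tunnel WireGuard interface ("wg-tunnel") to a single
# peer.  All IPv4/IPv6 traffic is sent through the tunnel; only the peer's
# own endpoint address stays pinned to the pre-existing default gateway so
# that the handshake/transport packets cannot be routed into the tunnel.
{
  lib,
  config,
  pkgs,
  ...
}: let
  cfg = config.pub-solar.wireguard.tunnel;
in {
  options.pub-solar.wireguard.tunnel = {
    ownIPs = lib.mkOption {
      description = "Internal ips in wireguard used for cluster control-plane communication.";
      type = lib.types.listOf lib.types.str;
      default = [];
    };

    # NOTE(review): this should name a file that exists only at runtime (for
    # example one produced by a secrets manager).  A path literal that gets
    # copied into the Nix store makes the private key world-readable.
    privateKeyFile = lib.mkOption {
      description = "Location of private key file";
      type = lib.types.path;
    };

    peer = {
      publicKey = lib.mkOption {
        description = "Public key of the peer";
        type = lib.types.str;
      };
      # Expected shape: "host:port" for IPv4 (or a hostname), "[addr]:port"
      # for IPv6.  The route-pinning logic below decides the address family
      # by counting ":" separators, so the IPv6 form must be bracketed.
      endpoint = lib.mkOption {
        description = "Peer endpoint address";
        type = lib.types.str;
      };
    };

    useDNS = lib.mkOption {
      description = "Whether to use the DNS of the interface as default";
      default = false;
      type = lib.types.bool;
    };
  };

  # The module is a no-op until at least one tunnel IP has been configured.
  config = lib.mkIf (lib.length cfg.ownIPs != 0) {
    # Inbound WireGuard on the listenPort used by the interface below.
    networking.firewall.allowedUDPPorts = [51820];

    # The tunnel may legitimately be down while the host boots; do not let it
    # hold back network-online.target.
    systemd.network.wait-online.ignoredInterfaces = ["wg-tunnel"];

    systemd.targets.wireguard-wg-tunnel = {
      wantedBy = lib.mkForce [];
    };

    systemd.services.wireguard-wg-tunnel = {
      wants = [
        "wireguard-wg-private.service"
      ];

      # Spin until the probe host answers on TCP/22 before bringing the
      # tunnel up.  NOTE(review): the probe target is hard-coded and unrelated
      # to cfg.peer.endpoint; presumably it is reachable via wg-private
      # (see `wants` above) -- confirm, and consider making it an option.
      preStart = ''
        while true; do
          if ${pkgs.netcat}/bin/nc -w 5 -z 10.13.12.7 22 2>/dev/null; then
            exit 0;
          else
            sleep 1;
          fi
        done;
      '';

      serviceConfig = {
        # Override the default service type of the generated wireguard unit
        # so that Restart= below applies to the long-running service.
        Type = lib.mkForce "simple";
        Restart = "on-failure";
        RestartSec = "30";
      };

      environment = {
        # Do not give up on resolving the peer endpoint hostname.
        WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
      };
    };

    networking.wireguard.interfaces = let
      # "host:port" yields two parts; a bracketed IPv6 endpoint yields more.
      splitEndpoint = lib.strings.splitString ":" cfg.peer.endpoint;
      isIPV4 = lib.length splitEndpoint < 3;
      ipFlag =
        if isIPV4
        then "-4"
        else "-6";
      # Host-route prefix length for the pinned endpoint route.
      hostPrefix =
        if isIPV4
        then "/32"
        else "/128";
      # Right-fold step: `p` is the current address part, `acc` the already
      # joined tail.  Empty parts are kept so that "::" survives the round trip.
      joinIPV6 = p: acc:
        p
        + (
          if (lib.stringLength acc > 0)
          then ":"
          else ""
        )
        + acc;
      # Everything before the last ":" (the port) is the address.
      endpointIP = (
        if isIPV4
        then lib.elemAt splitEndpoint 0
        else lib.lists.fold joinIPV6 "" (lib.lists.take ((lib.length splitEndpoint) - 1) splitEndpoint)
      );
      endpointIPStripped = lib.strings.removePrefix "[" (lib.strings.removeSuffix "]" endpointIP);
    in {
      wg-tunnel = {
        listenPort = 51820;
        ips = cfg.ownIPs;
        privateKeyFile = cfg.privateKeyFile;

        # 1. Pin a host route to the peer endpoint via the current default
        #    gateway (metric 256 so it wins over anything added below).
        # 2. Replace the default routes with ones through the tunnel
        #    (metric 512).
        # All binaries are taken from pkgs so the script does not depend on
        # the unit's PATH.
        postSetup =
          ''
            defaultRoute=$(${pkgs.iproute2}/bin/ip ${ipFlag} r | ${pkgs.gnugrep}/bin/grep "default via" | ${pkgs.coreutils}/bin/head -n 1 | ${pkgs.gawk}/bin/awk '{ print $3 " " $4 " " $5 }')
            if [ -z "$defaultRoute" ]; then
              # Without a gateway the endpoint route cannot be pinned and the
              # tunnel would swallow its own handshake traffic; fail loudly
              # instead of letting `ip route add` error out with a cryptic message.
              echo "wg-tunnel: no ${ipFlag} default route found, cannot pin route to peer endpoint" >&2
              exit 1
            fi
            # $defaultRoute is intentionally unquoted: it expands to "GW dev IFACE".
            ${pkgs.iproute2}/bin/ip ${ipFlag} route add "${endpointIPStripped}${hostPrefix}" metric 256 via $defaultRoute
            ${pkgs.iproute2}/bin/ip -4 route delete default dev wg-tunnel || true
            ${pkgs.iproute2}/bin/ip -4 route add default dev wg-tunnel metric 512
            ${pkgs.iproute2}/bin/ip -6 route delete default dev wg-tunnel || true
            ${pkgs.iproute2}/bin/ip -6 route add default dev wg-tunnel metric 512
          ''
          # NOTE(review): the resolver address is hard-coded; presumably the
          # tunnel provider's resolver -- confirm, and consider making it an option.
          + (
            if cfg.useDNS
            then ''printf "nameserver 10.64.0.1" | resolvconf -a wg-tunnel -m 0 -x''
            else ""
          );

        # Undo the pinned endpoint route.  The match is literal (-F) and
        # whole-word (-w) so that "10.1.2.3" neither acts as a regex nor
        # matches a route to "10.1.2.30".
        postShutdown =
          ''
            addedRoute=$(${pkgs.iproute2}/bin/ip ${ipFlag} r | ${pkgs.gnugrep}/bin/grep -F -w -- "${endpointIPStripped}" | ${pkgs.coreutils}/bin/head -n 1 | ${pkgs.gawk}/bin/awk '{ print $1 " " $2 " " $3 " " $4 " " $5 }')
            if [ -n "$addedRoute" ]; then
              # $addedRoute is intentionally unquoted: "DST via GW dev IFACE".
              ${pkgs.iproute2}/bin/ip ${ipFlag} route delete $addedRoute
            fi
          ''
          + (
            if cfg.useDNS
            then ''resolvconf -d wg-tunnel -f''
            else ""
          );

        peers = [
          {
            publicKey = cfg.peer.publicKey;
            # Full tunnel: the peer may source/receive any address.
            allowedIPs = [
              "0.0.0.0/0"
              "::/0"
            ];
            endpoint = cfg.peer.endpoint;
            persistentKeepalive = 30;
            # Re-resolve the endpoint periodically in case it is a hostname
            # whose address changes.
            dynamicEndpointRefreshSeconds = 30;
          }
        ];
      };
    };
  };
}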