wireguard: remove with lib;, dedupe systemd service config

This commit is contained in:
Benjamin Yule Bädorf 2024-06-17 15:23:32 +02:00
parent 23af0457bb
commit ee611894f8
Signed by: b12f
GPG key ID: 729956E1124F8F26
6 changed files with 63 additions and 105 deletions


@ -1,9 +1,4 @@
{
lib,
config,
pkgs,
...
}: {
{ ... }: {
imports = [
./private.nix
./tunnel.nix


@ -1,48 +1,30 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
let
cfg = config.pub-solar.wireguard.ehex;
in {
options.pub-solar.wireguard.ehex = {
ownIPs = mkOption {
ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str;
type = lib.types.listOf lib.types.str;
default = [];
};
privateKeyFile = mkOption {
privateKeyFile = lib.mkOption {
description = "Location of private key file";
type = types.path;
type = lib.types.path;
};
};
config = mkIf (length cfg.ownIPs != 0){
config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51822];
systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
systemd.services.wireguard-wg-ehex = {
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
systemd.services.wireguard-wg-ehex = import ./service-override.nix lib;
networking.wireguard.interfaces = {
wg-ehex = {
@ -50,7 +32,7 @@ in {
mtu = 1300;
ips = cfg.ownIPs;
privateKeyFile = cfg.privateKeyFile;
postSetup = ''
postSetup = ''
printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
'';
postShutdown = ''
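Review bot: The switch to `systemd.services.wireguard-wg-ehex = import ./service-override.nix lib;` silently changes the unit's dependencies and restart timing: the removed block declared `after = [ "network.target" "network-online.target" "nss-lookup.target" ]` with `RestartSec = "30"`, while the shared override added by this commit lists those targets under `wantedBy` with no `after` and sets `RestartSec = "15"`, so the interface setup is no longer ordered after the network targets. The same substitution affects the `pub-solar.wireguard.pub-solar` section (also `after` → `wantedBy`, 30 → 15) and the `pub-solar.wireguard.private` section (which already used `wantedBy`; its RestartSec moves from 10 to 15). If the ordering is still wanted, restore it next to the import, e.g. `systemd.services.wireguard-wg-ehex = (import ./service-override.nix lib) // { after = [ "network.target" "network-online.target" "nss-lookup.target" ]; };`, or add `after` inside the override, and say in the commit message that the per-host values were unified. The enclosing `config = lib.mkIf (...) { ... }` attrset continues past the hunk.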


@ -4,65 +4,48 @@
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
let
cfg = config.pub-solar.wireguard.private;
in {
options.pub-solar.wireguard.private = {
ownIPs = mkOption {
ownIPs = lib.mkOption {
description = ''
Internal ips in wireguard used for cluster control-plane communication.
'';
type = types.listOf types.str;
type = lib.types.listOf lib.types.str;
default = [];
};
privateKeyFile = mkOption {
privateKeyFile = lib.mkOption {
description = ''
Location of private key file
'';
type = types.path;
type = lib.types.path;
};
useDNS = mkOption {
useDNS = lib.mkOption {
description = ''
Whether to use the wireguard DNS
'';
default = true;
type = types.bool;
type = lib.types.bool;
};
fullTunnel = mkOption {
fullTunnel = lib.mkOption {
description = ''
Whether to tunnel all traffic through the wireguard VPN
'';
default = false;
type = types.bool;
type = lib.types.bool;
};
};
config = mkIf (builtins.length cfg.ownIPs != 0) {
config = lib.mkIf (builtins.length cfg.ownIPs != 0) {
networking.firewall.allowedUDPPorts = [51899];
systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ];
systemd.services.wireguard-wg-private = {
wantedBy = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "10";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
systemd.services.wireguard-wg-private = import ./service-override.nix lib;
networking.wireguard.interfaces = {
wg-private = {


@ -1,48 +1,30 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
let
cfg = config.pub-solar.wireguard.pub-solar;
in {
options.pub-solar.wireguard.pub-solar = {
ownIPs = mkOption {
ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str;
type = lib.types.listOf lib.types.str;
default = [];
};
privateKeyFile = mkOption {
privateKeyFile = lib.mkOption {
description = "Location of private key file";
type = types.path;
type = lib.types.path;
};
};
config = mkIf (length cfg.ownIPs != 0){
config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51821];
systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ];
systemd.services.wireguard-wg-pub-solar = {
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
systemd.services.wireguard-wg-pub-solar = import ./service-override.nix lib;
networking.wireguard.interfaces = {
wg-pub-solar = {


@ -0,0 +1,17 @@
lib: {
wantedBy = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "15";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
}
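Review bot: The new override file has no comment saying what it is for, and two of its values need one: `Type = lib.mkForce "simple"` overrides whatever unit type the upstream wireguard module sets, and `WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"` is an environment variable presumably read by the `wg` tool while resolving the peer endpoint (confirm against the wireguard-tools version in use). A header comment above `lib: {` would help, e.g. `# Shared systemd unit settings for the wireguard-wg-* services; takes lib for mkForce. Type is forced to simple (reason: TODO document); WG_ENDPOINT_RESOLUTION_RETRIES keeps endpoint resolution retrying instead of failing the unit.` Because the callers assign this attrset to `systemd.services.<name>` as a module definition, `wantedBy` here is likely merged with the list the upstream module already declares rather than replacing it, which is also worth stating in that comment.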


@ -4,41 +4,40 @@
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
let
cfg = config.pub-solar.wireguard.tunnel;
in {
options.pub-solar.wireguard.tunnel = {
ownIPs = mkOption {
ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str;
type = lib.types.listOf lib.types.str;
default = [];
};
privateKeyFile = mkOption {
privateKeyFile = lib.mkOption {
description = "Location of private key file";
type = types.path;
type = lib.types.path;
};
peer = {
publicKey = mkOption {
publicKey = lib.mkOption {
description = "Public key of the peer";
type = types.str;
type = lib.types.str;
};
endpoint = mkOption {
endpoint = lib.mkOption {
description = "Peer endpoint address";
type = types.str;
type = lib.types.str;
};
};
useDNS = mkOption {
useDNS = lib.mkOption {
description = "Whether to use the DNS of the interface as default";
default = false;
type = types.bool;
type = lib.types.bool;
};
};
config = mkIf (length cfg.ownIPs != 0){
config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51820];
systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ];
@ -63,7 +62,7 @@ in {
'';
serviceConfig = {
Type = mkForce "simple";
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
@ -74,15 +73,15 @@ in {
};
networking.wireguard.interfaces = let
splitEndpoint = (strings.splitString ":" cfg.peer.endpoint);
joinIPV6 = p: ip: p + (if (stringLength ip > 0) then ":" else "") + ip;
isIPV4 = length splitEndpoint < 3;
splitEndpoint = (lib.strings.splitString ":" cfg.peer.endpoint);
joinIPV6 = p: ip: p + (if (lib.stringLength ip > 0) then ":" else "") + ip;
isIPV4 = lib.length splitEndpoint < 3;
ipFlag = if isIPV4 then "-4" else "-6";
endpointIP = (if isIPV4
then elemAt splitEndpoint 0
else lists.fold joinIPV6 "" ((lists.take ((length splitEndpoint) - 1)) splitEndpoint)
then lib.elemAt splitEndpoint 0
else lib.lists.fold joinIPV6 "" ((lib.lists.take ((lib.length splitEndpoint) - 1)) splitEndpoint)
);
endpointIPStripped = strings.removePrefix "[" (strings.removeSuffix "]" endpointIP);
endpointIPStripped = lib.strings.removePrefix "[" (lib.strings.removeSuffix "]" endpointIP);
in {
wg-tunnel = {
listenPort = 51820;