From ee611894f8dcbd680ab9e38939373e7ff64321a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?=
Date: Mon, 17 Jun 2024 15:23:32 +0200
Subject: [PATCH] wireguard: remove `with lib;`, dedupe systemd service config

---
 modules/wireguard/default.nix | 7 +----
 modules/wireguard/ehex.nix | 34 ++++++----------------
 modules/wireguard/private.nix | 39 ++++++++------------------
 modules/wireguard/pub.solar.nix | 32 +++++----------------
 modules/wireguard/service-override.nix | 17 +++++++++++
 modules/wireguard/tunnel.nix | 39 +++++++++++++-------------
 6 files changed, 63 insertions(+), 105 deletions(-)
 create mode 100644 modules/wireguard/service-override.nix

diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index b03e115..f4f4948 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -1,9 +1,4 @@
-{
- lib,
- config,
- pkgs,
- ...
-}: {
+{ ... }: {
 imports = [
 ./private.nix
 ./tunnel.nix
diff --git a/modules/wireguard/ehex.nix b/modules/wireguard/ehex.nix
index 2f13c64..7a8e6e7 100644
--- a/modules/wireguard/ehex.nix
+++ b/modules/wireguard/ehex.nix
@@ -1,48 +1,30 @@
 {
 lib,
 config,
- pkgs,
 ...
 }:
-with lib; let
- psCfg = config.pub-solar;
+let
 cfg = config.pub-solar.wireguard.ehex;
 in {
 options.pub-solar.wireguard.ehex = {
- ownIPs = mkOption {
+ ownIPs = lib.mkOption {
 description = "Internal ips in wireguard used for cluster control-plane communication.";
- type = types.listOf types.str;
+ type = lib.types.listOf lib.types.str;
 default = [];
 };
- privateKeyFile = mkOption {
+ privateKeyFile = lib.mkOption {
 description = "Location of private key file";
- type = types.path;
+ type = lib.types.path;
 };
 };
- config = mkIf (length cfg.ownIPs != 0){
+ config = lib.mkIf (lib.length cfg.ownIPs != 0){
 networking.firewall.allowedUDPPorts = [51822];
 systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
- systemd.services.wireguard-wg-ehex = {
- after = [
- "network.target"
- "network-online.target"
- "nss-lookup.target"
- ];
-
- serviceConfig = {
- Type = mkForce "simple";
- Restart = "on-failure";
- RestartSec = "30";
- };
-
- environment = {
- WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
- };
- };
+ systemd.services.wireguard-wg-ehex = import ./service-override.nix lib;
 networking.wireguard.interfaces = {
 wg-ehex = {
@@ -50,7 +32,7 @@ in {
 mtu = 1300;
 ips = cfg.ownIPs;
 privateKeyFile = cfg.privateKeyFile;
- postSetup = ''
+ postSetup = ''
 printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
 '';
 postShutdown = ''
diff --git a/modules/wireguard/private.nix b/modules/wireguard/private.nix
index 3d4e196..407b3dd 100644
--- a/modules/wireguard/private.nix
+++ b/modules/wireguard/private.nix
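Review bot: The line `systemd.services.wireguard-wg-ehex = import ./service-override.nix lib;` is not a pure dedupe for this unit: the block it replaces declared `after = [ "network.target" "network-online.target" "nss-lookup.target" ]` with `RestartSec = "30"`, whereas the shared file added in this patch puts those three targets under `wantedBy` and sets `RestartSec = "15"`. The ordering after nss-lookup.target is therefore gone, and endpoint-name resolution at boot now rests entirely on `WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"` plus `Restart = "on-failure"`. If swapping `after` for `wantedBy` is deliberate (the upstream NixOS wireguard unit may already order itself before network.target, which would have made the old `after` an ordering cycle — worth confirming), the commit message should say so; if not, keep the ordering next to the import, e.g. `systemd.services.wireguard-wg-ehex = import ./service-override.nix lib // { after = [ "nss-lookup.target" ]; };`. The same applies to the identical replacement in pub.solar.nix in this patch.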
@@ -4,65 +4,48 @@
 pkgs,
 ...
 }:
-with lib; let
- psCfg = config.pub-solar;
+let
 cfg = config.pub-solar.wireguard.private;
 in {
 options.pub-solar.wireguard.private = {
- ownIPs = mkOption {
+ ownIPs = lib.mkOption {
 description = ''
 Internal ips in wireguard used for cluster control-plane communication.
 '';
- type = types.listOf types.str;
+ type = lib.types.listOf lib.types.str;
 default = [];
 };
- privateKeyFile = mkOption {
+ privateKeyFile = lib.mkOption {
 description = ''
 Location of private key file
 '';
- type = types.path;
+ type = lib.types.path;
 };
- useDNS = mkOption {
+ useDNS = lib.mkOption {
 description = ''
 Whether to use the wireguard DNS
 '';
 default = true;
- type = types.bool;
+ type = lib.types.bool;
 };
- fullTunnel = mkOption {
+ fullTunnel = lib.mkOption {
 description = ''
 Whether to tunnel all traffic through the wireguard VPN
 '';
 default = false;
- type = types.bool;
+ type = lib.types.bool;
 };
 };
- config = mkIf (builtins.length cfg.ownIPs != 0) {
+ config = lib.mkIf (builtins.length cfg.ownIPs != 0) {
 networking.firewall.allowedUDPPorts = [51899];
 systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ];
- systemd.services.wireguard-wg-private = {
- wantedBy = [
- "network.target"
- "network-online.target"
- "nss-lookup.target"
- ];
-
- serviceConfig = {
- Type = mkForce "simple";
- Restart = "on-failure";
- RestartSec = "10";
- };
-
- environment = {
- WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
- };
- };
+ systemd.services.wireguard-wg-private = import ./service-override.nix lib;
 networking.wireguard.interfaces = {
 wg-private = {
diff --git a/modules/wireguard/pub.solar.nix b/modules/wireguard/pub.solar.nix
index 3943b58..d28fb8d 100644
--- a/modules/wireguard/pub.solar.nix
+++ b/modules/wireguard/pub.solar.nix
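Review bot: `privateKeyFile` keeps `type = lib.types.path` with the description "Location of private key file", which says nothing about the trap that `types.path` accepts a Nix path literal (`./wg.key`), and a path literal is copied into the Nix store at evaluation time, where every local user can read it. Since the type admits both a path literal and an absolute string, the description should tell callers which form is safe, e.g. `Absolute path, as a string (e.g. "/run/secrets/wg-private.key"), of the WireGuard private key file. Never a ./path literal: that copies the key into the world-readable Nix store.` The same wording is needed for the `privateKeyFile` options in ehex.nix, pub.solar.nix and tunnel.nix touched by this patch. The module's `config` block continues past the end of the hunk.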
@@ -1,48 +1,30 @@
 {
 lib,
 config,
- pkgs,
 ...
 }:
-with lib; let
- psCfg = config.pub-solar;
+let
 cfg = config.pub-solar.wireguard.pub-solar;
 in {
 options.pub-solar.wireguard.pub-solar = {
- ownIPs = mkOption {
+ ownIPs = lib.mkOption {
 description = "Internal ips in wireguard used for cluster control-plane communication.";
- type = types.listOf types.str;
+ type = lib.types.listOf lib.types.str;
 default = [];
 };
- privateKeyFile = mkOption {
+ privateKeyFile = lib.mkOption {
 description = "Location of private key file";
- type = types.path;
+ type = lib.types.path;
 };
 };
- config = mkIf (length cfg.ownIPs != 0){
+ config = lib.mkIf (lib.length cfg.ownIPs != 0){
 networking.firewall.allowedUDPPorts = [51821];
 systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ];
- systemd.services.wireguard-wg-pub-solar = {
- after = [
- "network.target"
- "network-online.target"
- "nss-lookup.target"
- ];
-
- serviceConfig = {
- Type = mkForce "simple";
- Restart = "on-failure";
- RestartSec = "30";
- };
-
- environment = {
- WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
- };
- };
+ systemd.services.wireguard-wg-pub-solar = import ./service-override.nix lib;
 networking.wireguard.interfaces = {
 wg-pub-solar = {
diff --git a/modules/wireguard/service-override.nix b/modules/wireguard/service-override.nix
new file mode 100644
index 0000000..a010b5a
--- /dev/null
+++ b/modules/wireguard/service-override.nix
@@ -0,0 +1,17 @@
+lib: {
+ wantedBy = [
+ "network.target"
+ "network-online.target"
+ "nss-lookup.target"
+ ];
+
+ serviceConfig = {
+ Type = lib.mkForce "simple";
+ Restart = "on-failure";
+ RestartSec = "15";
+ };
+
+ environment = {
+ WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+ };
+}
diff --git a/modules/wireguard/tunnel.nix b/modules/wireguard/tunnel.nix
index a01ab65..2bfe943 100644
--- a/modules/wireguard/tunnel.nix
+++ b/modules/wireguard/tunnel.nix
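Review bot: service-override.nix is a bare `lib: { ... }` attrset with no comment saying what it is merged into or why `Type` is forced to `"simple"` together with `Restart = "on-failure"` and `WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"`, yet it now decides ordering and restart policy for three units at once. A header comment would make the intent checkable, e.g. `# Shared overrides for systemd.services.wireguard-wg-{ehex,private,pub-solar}; each module does \`import ./service-override.nix lib\`. Type is forced to "simple" and endpoint resolution retries forever, presumably so a peer whose DNS name is not yet resolvable at boot does not fail the unit (confirm). RestartSec replaces the former per-unit 10/30.` That comment would also record that the per-unit values were changed rather than merely moved. The `wantedBy` list is a plain attribute, so it merges with whatever the NixOS wireguard module already sets on these units; a reader cannot tell from this file whether that combination was checked.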
@@ -4,41 +4,40 @@
 pkgs,
 ...
 }:
-with lib; let
- psCfg = config.pub-solar;
+let
 cfg = config.pub-solar.wireguard.tunnel;
 in {
 options.pub-solar.wireguard.tunnel = {
- ownIPs = mkOption {
+ ownIPs = lib.mkOption {
 description = "Internal ips in wireguard used for cluster control-plane communication.";
- type = types.listOf types.str;
+ type = lib.types.listOf lib.types.str;
 default = [];
 };
- privateKeyFile = mkOption {
+ privateKeyFile = lib.mkOption {
 description = "Location of private key file";
- type = types.path;
+ type = lib.types.path;
 };
 peer = {
- publicKey = mkOption {
+ publicKey = lib.mkOption {
 description = "Public key of the peer";
- type = types.str;
+ type = lib.types.str;
 };
- endpoint = mkOption {
+ endpoint = lib.mkOption {
 description = "Peer endpoint address";
- type = types.str;
+ type = lib.types.str;
 };
 };
- useDNS = mkOption {
+ useDNS = lib.mkOption {
 description = "Whether to use the DNS of the interface as default";
 default = false;
- type = types.bool;
+ type = lib.types.bool;
 };
 };
- config = mkIf (length cfg.ownIPs != 0){
+ config = lib.mkIf (lib.length cfg.ownIPs != 0){
 networking.firewall.allowedUDPPorts = [51820];
 systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ];
@@ -63,7 +62,7 @@ in {
 '';
 serviceConfig = {
- Type = mkForce "simple";
+ Type = lib.mkForce "simple";
 Restart = "on-failure";
 RestartSec = "30";
 };
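Review bot: tunnel.nix keeps its own `serviceConfig = { Type = lib.mkForce "simple"; Restart = "on-failure"; RestartSec = "30"; };` while the other three units in this patch now take the block from service-override.nix with `RestartSec = "15"`, so the dedupe the commit title promises is partial and the two copies will drift. The enclosing `systemd.services.wireguard-wg-tunnel` definition starts and ends outside this hunk, and the `'';` just above `serviceConfig` suggests it carries a script the shared file does not, which may be why it was left alone. If so, merge the shared part instead of copying it, e.g. `systemd.services.wireguard-wg-tunnel = lib.recursiveUpdate (import ./service-override.nix lib) { ... };`, or put a one-line comment above `serviceConfig` saying why this unit deliberately differs from the shared override.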
@@ -74,15 +73,15 @@ in {
 };
 networking.wireguard.interfaces = let
- splitEndpoint = (strings.splitString ":" cfg.peer.endpoint);
- joinIPV6 = p: ip: p + (if (stringLength ip > 0) then ":" else "") + ip;
- isIPV4 = length splitEndpoint < 3;
+ splitEndpoint = (lib.strings.splitString ":" cfg.peer.endpoint);
+ joinIPV6 = p: ip: p + (if (lib.stringLength ip > 0) then ":" else "") + ip;
+ isIPV4 = lib.length splitEndpoint < 3;
 ipFlag = if isIPV4 then "-4" else "-6";
 endpointIP = (if isIPV4
- then elemAt splitEndpoint 0
- else lists.fold joinIPV6 "" ((lists.take ((length splitEndpoint) - 1)) splitEndpoint)
+ then lib.elemAt splitEndpoint 0
+ else lib.lists.fold joinIPV6 "" ((lib.lists.take ((lib.length splitEndpoint) - 1)) splitEndpoint)
 );
- endpointIPStripped = strings.removePrefix "[" (strings.removeSuffix "]" endpointIP);
+ endpointIPStripped = lib.strings.removePrefix "[" (lib.strings.removeSuffix "]" endpointIP);
 in {
 wg-tunnel = {
 listenPort = 51820;
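Review bot: The address-family decision is purely a colon count (`isIPV4 = lib.length splitEndpoint < 3;`), so an endpoint written as a DNS name such as `vpn.example.org:51820` is classed as IPv4 and `endpointIPStripped` becomes the unresolved hostname, while a bare `2001:db8::1` with no brackets and no port is classed as IPv6 and its last group is dropped as though it were the port. What `ipFlag` and `endpointIPStripped` feed into is below the hunk, so I cannot tell whether a hostname is tolerated there; either way the input contract belongs in a comment at the top of this `let`, e.g. `# cfg.peer.endpoint must be a literal "a.b.c.d:port" or "[v6addr]:port"; the split below resolves nothing and assumes a port is present`, and the `peer.endpoint` option description ("Peer endpoint address") should say the same. The `let` block and the `wg-tunnel` interface definition continue past the end of the hunk.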