wireguard: remove with lib;, dedupe systemd service config

This commit is contained in:
Benjamin Yule Bädorf 2024-06-17 15:23:32 +02:00
parent 23af0457bb
commit ee611894f8
Signed by: b12f
GPG key ID: 729956E1124F8F26
6 changed files with 63 additions and 105 deletions


@ -1,9 +1,4 @@
{ { ... }: {
lib,
config,
pkgs,
...
}: {
imports = [ imports = [
./private.nix ./private.nix
./tunnel.nix ./tunnel.nix


@ -1,48 +1,30 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: }:
with lib; let let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard.ehex; cfg = config.pub-solar.wireguard.ehex;
in { in {
options.pub-solar.wireguard.ehex = { options.pub-solar.wireguard.ehex = {
ownIPs = mkOption { ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication."; description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
}; };
privateKeyFile = mkOption { privateKeyFile = lib.mkOption {
description = "Location of private key file"; description = "Location of private key file";
type = types.path; type = lib.types.path;
}; };
}; };
config = mkIf (length cfg.ownIPs != 0){ config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51822]; networking.firewall.allowedUDPPorts = [51822];
systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ]; systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
systemd.services.wireguard-wg-ehex = { systemd.services.wireguard-wg-ehex = import ./service-override.nix lib;
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wg-ehex = { wg-ehex = {
@ -50,7 +32,7 @@ in {
mtu = 1300; mtu = 1300;
ips = cfg.ownIPs; ips = cfg.ownIPs;
privateKeyFile = cfg.privateKeyFile; privateKeyFile = cfg.privateKeyFile;
postSetup = '' postSetup = ''
printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
''; '';
postShutdown = '' postShutdown = ''
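Review bot: Replacing the inline unit at lines 51–65 with `import ./service-override.nix lib` silently changes this unit's dependency semantics and timing, because the shared file declares `wantedBy` where this hunk previously declared `after`, and sets `RestartSec = "15"` where this unit had `"30"`. `wantedBy` only makes the listed targets pull the service in and carries no ordering, so without an `After=` the unit may now be started before network-online.target is reached and lean on `WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"` to ride out early endpoint-resolution failures. The same loss of `after` applies to wg-pub-solar in the fourth file section, and wg-private in the third section moves from RestartSec 10 to 15. If the ordering is still wanted, keep it explicit in the shared file with `after = [ "network.target" "network-online.target" "nss-lookup.target" ];` next to `wantedBy`, or say in the commit message that the dependency semantics were deliberately unified. The enclosing `config` attribute set continues past this hunk.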


@ -4,65 +4,48 @@
pkgs, pkgs,
... ...
}: }:
with lib; let let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard.private; cfg = config.pub-solar.wireguard.private;
in { in {
options.pub-solar.wireguard.private = { options.pub-solar.wireguard.private = {
ownIPs = mkOption { ownIPs = lib.mkOption {
description = '' description = ''
Internal ips in wireguard used for cluster control-plane communication. Internal ips in wireguard used for cluster control-plane communication.
''; '';
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
}; };
privateKeyFile = mkOption { privateKeyFile = lib.mkOption {
description = '' description = ''
Location of private key file Location of private key file
''; '';
type = types.path; type = lib.types.path;
}; };
useDNS = mkOption { useDNS = lib.mkOption {
description = '' description = ''
Whether to use the wireguard DNS Whether to use the wireguard DNS
''; '';
default = true; default = true;
type = types.bool; type = lib.types.bool;
}; };
fullTunnel = mkOption { fullTunnel = lib.mkOption {
description = '' description = ''
Whether to tunnel all traffic through the wireguard VPN Whether to tunnel all traffic through the wireguard VPN
''; '';
default = false; default = false;
type = types.bool; type = lib.types.bool;
}; };
}; };
config = mkIf (builtins.length cfg.ownIPs != 0) { config = lib.mkIf (builtins.length cfg.ownIPs != 0) {
networking.firewall.allowedUDPPorts = [51899]; networking.firewall.allowedUDPPorts = [51899];
systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ]; systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ];
systemd.services.wireguard-wg-private = { systemd.services.wireguard-wg-private = import ./service-override.nix lib;
wantedBy = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "10";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wg-private = { wg-private = {
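Review bot: `pkgs` stays in this module's argument set at line 80 while the commit drops the same argument from the second and fourth file sections; if nothing below this hunk references it, drop it here as well so the four wireguard modules keep the same header. The remainder of the file is outside the hunk, so whether `pkgs` is used further down cannot be confirmed from the diff.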


@ -1,48 +1,30 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: }:
with lib; let let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard.pub-solar; cfg = config.pub-solar.wireguard.pub-solar;
in { in {
options.pub-solar.wireguard.pub-solar = { options.pub-solar.wireguard.pub-solar = {
ownIPs = mkOption { ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication."; description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
}; };
privateKeyFile = mkOption { privateKeyFile = lib.mkOption {
description = "Location of private key file"; description = "Location of private key file";
type = types.path; type = lib.types.path;
}; };
}; };
config = mkIf (length cfg.ownIPs != 0){ config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51821]; networking.firewall.allowedUDPPorts = [51821];
systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ]; systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ];
systemd.services.wireguard-wg-pub-solar = { systemd.services.wireguard-wg-pub-solar = import ./service-override.nix lib;
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wg-pub-solar = { wg-pub-solar = {


@ -0,0 +1,17 @@
lib: {
wantedBy = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "15";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
}
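Review bot: The new shared unit definition carries no comment, although it is now the single place where three interfaces get their dependency, restart and environment settings. A header comment such as `# Shared systemd unit overrides for the networking.wireguard interface services (imported by the per-interface modules); RestartSec = "15" replaces the previous per-interface values of 10 and 30.` would let the next reader see that this file is load-bearing for several units. The reason for `lib.mkForce "simple"` and for `WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"` is not visible anywhere in the diff, so it is worth stating on those two lines rather than leaving it implicit. The hunk header announces 17 added lines but only 15 are rendered here, so part of the file may not be shown.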


@ -4,41 +4,40 @@
pkgs, pkgs,
... ...
}: }:
with lib; let let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard.tunnel; cfg = config.pub-solar.wireguard.tunnel;
in { in {
options.pub-solar.wireguard.tunnel = { options.pub-solar.wireguard.tunnel = {
ownIPs = mkOption { ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication."; description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
}; };
privateKeyFile = mkOption { privateKeyFile = lib.mkOption {
description = "Location of private key file"; description = "Location of private key file";
type = types.path; type = lib.types.path;
}; };
peer = { peer = {
publicKey = mkOption { publicKey = lib.mkOption {
description = "Public key of the peer"; description = "Public key of the peer";
type = types.str; type = lib.types.str;
}; };
endpoint = mkOption { endpoint = lib.mkOption {
description = "Peer endpoint address"; description = "Peer endpoint address";
type = types.str; type = lib.types.str;
}; };
}; };
useDNS = mkOption { useDNS = lib.mkOption {
description = "Whether to use the DNS of the interface as default"; description = "Whether to use the DNS of the interface as default";
default = false; default = false;
type = types.bool; type = lib.types.bool;
}; };
}; };
config = mkIf (length cfg.ownIPs != 0){ config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51820]; networking.firewall.allowedUDPPorts = [51820];
systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ]; systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ];
@ -63,7 +62,7 @@ in {
''; '';
serviceConfig = { serviceConfig = {
Type = mkForce "simple"; Type = lib.mkForce "simple";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "30"; RestartSec = "30";
}; };
@ -74,15 +73,15 @@ in {
}; };
networking.wireguard.interfaces = let networking.wireguard.interfaces = let
splitEndpoint = (strings.splitString ":" cfg.peer.endpoint); splitEndpoint = (lib.strings.splitString ":" cfg.peer.endpoint);
joinIPV6 = p: ip: p + (if (stringLength ip > 0) then ":" else "") + ip; joinIPV6 = p: ip: p + (if (lib.stringLength ip > 0) then ":" else "") + ip;
isIPV4 = length splitEndpoint < 3; isIPV4 = lib.length splitEndpoint < 3;
ipFlag = if isIPV4 then "-4" else "-6"; ipFlag = if isIPV4 then "-4" else "-6";
endpointIP = (if isIPV4 endpointIP = (if isIPV4
then elemAt splitEndpoint 0 then lib.elemAt splitEndpoint 0
else lists.fold joinIPV6 "" ((lists.take ((length splitEndpoint) - 1)) splitEndpoint) else lib.lists.fold joinIPV6 "" ((lib.lists.take ((lib.length splitEndpoint) - 1)) splitEndpoint)
); );
endpointIPStripped = strings.removePrefix "[" (strings.removeSuffix "]" endpointIP); endpointIPStripped = lib.strings.removePrefix "[" (lib.strings.removeSuffix "]" endpointIP);
in { in {
wg-tunnel = { wg-tunnel = {
listenPort = 51820; listenPort = 51820;
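Review bot: The inline `serviceConfig` at lines 242–246 keeps `RestartSec = "30"` and its own `Type = lib.mkForce "simple"` instead of using the new `./service-override.nix`, so the deduplication the commit message describes is incomplete for this file and wg-tunnel's restart timing now differs from the other three interfaces. If this unit was left out because it has extra attributes (the script ending at line 241 suggests so), the shared overrides can still be merged in with `systemd.services.wireguard-wg-tunnel = lib.mkMerge [ (import ./service-override.nix lib) { ... } ];`, keeping only the tunnel-specific attributes inline. The attribute set that holds this `serviceConfig` starts before the second hunk, so its full contents and name are not visible here.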