wireguard: remove with lib;
, dedupe systemd service config
This commit is contained in:
parent
23af0457bb
commit
ee611894f8
|
@ -1,9 +1,4 @@
|
||||||
{
|
{ ... }: {
|
||||||
lib,
|
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
imports = [
|
imports = [
|
||||||
./private.nix
|
./private.nix
|
||||||
./tunnel.nix
|
./tunnel.nix
|
||||||
|
|
|
@ -1,48 +1,30 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
config,
|
config,
|
||||||
pkgs,
|
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
let
|
||||||
psCfg = config.pub-solar;
|
|
||||||
cfg = config.pub-solar.wireguard.ehex;
|
cfg = config.pub-solar.wireguard.ehex;
|
||||||
in {
|
in {
|
||||||
options.pub-solar.wireguard.ehex = {
|
options.pub-solar.wireguard.ehex = {
|
||||||
ownIPs = mkOption {
|
ownIPs = lib.mkOption {
|
||||||
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
||||||
type = types.listOf types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = lib.mkOption {
|
||||||
description = "Location of private key file";
|
description = "Location of private key file";
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (length cfg.ownIPs != 0){
|
config = lib.mkIf (lib.length cfg.ownIPs != 0){
|
||||||
networking.firewall.allowedUDPPorts = [51822];
|
networking.firewall.allowedUDPPorts = [51822];
|
||||||
|
|
||||||
systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
|
systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
|
||||||
|
|
||||||
systemd.services.wireguard-wg-ehex = {
|
systemd.services.wireguard-wg-ehex = import ./service-override.nix lib;
|
||||||
after = [
|
|
||||||
"network.target"
|
|
||||||
"network-online.target"
|
|
||||||
"nss-lookup.target"
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = mkForce "simple";
|
|
||||||
Restart = "on-failure";
|
|
||||||
RestartSec = "30";
|
|
||||||
};
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.wireguard.interfaces = {
|
networking.wireguard.interfaces = {
|
||||||
wg-ehex = {
|
wg-ehex = {
|
||||||
|
@ -50,7 +32,7 @@ in {
|
||||||
mtu = 1300;
|
mtu = 1300;
|
||||||
ips = cfg.ownIPs;
|
ips = cfg.ownIPs;
|
||||||
privateKeyFile = cfg.privateKeyFile;
|
privateKeyFile = cfg.privateKeyFile;
|
||||||
postSetup = ''
|
postSetup = ''
|
||||||
printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
|
printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
|
||||||
'';
|
'';
|
||||||
postShutdown = ''
|
postShutdown = ''
|
||||||
|
|
|
@ -4,65 +4,48 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
let
|
||||||
psCfg = config.pub-solar;
|
|
||||||
cfg = config.pub-solar.wireguard.private;
|
cfg = config.pub-solar.wireguard.private;
|
||||||
in {
|
in {
|
||||||
options.pub-solar.wireguard.private = {
|
options.pub-solar.wireguard.private = {
|
||||||
ownIPs = mkOption {
|
ownIPs = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Internal ips in wireguard used for cluster control-plane communication.
|
Internal ips in wireguard used for cluster control-plane communication.
|
||||||
'';
|
'';
|
||||||
type = types.listOf types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Location of private key file
|
Location of private key file
|
||||||
'';
|
'';
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
useDNS = mkOption {
|
useDNS = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Whether to use the wireguard DNS
|
Whether to use the wireguard DNS
|
||||||
'';
|
'';
|
||||||
default = true;
|
default = true;
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
};
|
};
|
||||||
|
|
||||||
fullTunnel = mkOption {
|
fullTunnel = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Whether to tunnel all traffic through the wireguard VPN
|
Whether to tunnel all traffic through the wireguard VPN
|
||||||
'';
|
'';
|
||||||
default = false;
|
default = false;
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (builtins.length cfg.ownIPs != 0) {
|
config = lib.mkIf (builtins.length cfg.ownIPs != 0) {
|
||||||
networking.firewall.allowedUDPPorts = [51899];
|
networking.firewall.allowedUDPPorts = [51899];
|
||||||
|
|
||||||
systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ];
|
systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ];
|
||||||
|
|
||||||
systemd.services.wireguard-wg-private = {
|
systemd.services.wireguard-wg-private = import ./service-override.nix lib;
|
||||||
wantedBy = [
|
|
||||||
"network.target"
|
|
||||||
"network-online.target"
|
|
||||||
"nss-lookup.target"
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = mkForce "simple";
|
|
||||||
Restart = "on-failure";
|
|
||||||
RestartSec = "10";
|
|
||||||
};
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.wireguard.interfaces = {
|
networking.wireguard.interfaces = {
|
||||||
wg-private = {
|
wg-private = {
|
||||||
|
|
|
@ -1,48 +1,30 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
config,
|
config,
|
||||||
pkgs,
|
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
let
|
||||||
psCfg = config.pub-solar;
|
|
||||||
cfg = config.pub-solar.wireguard.pub-solar;
|
cfg = config.pub-solar.wireguard.pub-solar;
|
||||||
in {
|
in {
|
||||||
options.pub-solar.wireguard.pub-solar = {
|
options.pub-solar.wireguard.pub-solar = {
|
||||||
ownIPs = mkOption {
|
ownIPs = lib.mkOption {
|
||||||
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
||||||
type = types.listOf types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = lib.mkOption {
|
||||||
description = "Location of private key file";
|
description = "Location of private key file";
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (length cfg.ownIPs != 0){
|
config = lib.mkIf (lib.length cfg.ownIPs != 0){
|
||||||
networking.firewall.allowedUDPPorts = [51821];
|
networking.firewall.allowedUDPPorts = [51821];
|
||||||
|
|
||||||
systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ];
|
systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ];
|
||||||
|
|
||||||
systemd.services.wireguard-wg-pub-solar = {
|
systemd.services.wireguard-wg-pub-solar = import ./service-override.nix lib;
|
||||||
after = [
|
|
||||||
"network.target"
|
|
||||||
"network-online.target"
|
|
||||||
"nss-lookup.target"
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = mkForce "simple";
|
|
||||||
Restart = "on-failure";
|
|
||||||
RestartSec = "30";
|
|
||||||
};
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.wireguard.interfaces = {
|
networking.wireguard.interfaces = {
|
||||||
wg-pub-solar = {
|
wg-pub-solar = {
|
||||||
|
|
17
modules/wireguard/service-override.nix
Normal file
17
modules/wireguard/service-override.nix
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
lib: {
|
||||||
|
wantedBy = [
|
||||||
|
"network.target"
|
||||||
|
"network-online.target"
|
||||||
|
"nss-lookup.target"
|
||||||
|
];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = lib.mkForce "simple";
|
||||||
|
Restart = "on-failure";
|
||||||
|
RestartSec = "15";
|
||||||
|
};
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
|
||||||
|
};
|
||||||
|
}
|
|
@ -4,41 +4,40 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
let
|
||||||
psCfg = config.pub-solar;
|
|
||||||
cfg = config.pub-solar.wireguard.tunnel;
|
cfg = config.pub-solar.wireguard.tunnel;
|
||||||
in {
|
in {
|
||||||
options.pub-solar.wireguard.tunnel = {
|
options.pub-solar.wireguard.tunnel = {
|
||||||
ownIPs = mkOption {
|
ownIPs = lib.mkOption {
|
||||||
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
||||||
type = types.listOf types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = lib.mkOption {
|
||||||
description = "Location of private key file";
|
description = "Location of private key file";
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
peer = {
|
peer = {
|
||||||
publicKey = mkOption {
|
publicKey = lib.mkOption {
|
||||||
description = "Public key of the peer";
|
description = "Public key of the peer";
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
endpoint = mkOption {
|
endpoint = lib.mkOption {
|
||||||
description = "Peer endpoint address";
|
description = "Peer endpoint address";
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
useDNS = mkOption {
|
useDNS = lib.mkOption {
|
||||||
description = "Whether to use the DNS of the interface as default";
|
description = "Whether to use the DNS of the interface as default";
|
||||||
default = false;
|
default = false;
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (length cfg.ownIPs != 0){
|
config = lib.mkIf (lib.length cfg.ownIPs != 0){
|
||||||
networking.firewall.allowedUDPPorts = [51820];
|
networking.firewall.allowedUDPPorts = [51820];
|
||||||
|
|
||||||
systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ];
|
systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ];
|
||||||
|
@ -63,7 +62,7 @@ in {
|
||||||
'';
|
'';
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = mkForce "simple";
|
Type = lib.mkForce "simple";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "30";
|
RestartSec = "30";
|
||||||
};
|
};
|
||||||
|
@ -74,15 +73,15 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.wireguard.interfaces = let
|
networking.wireguard.interfaces = let
|
||||||
splitEndpoint = (strings.splitString ":" cfg.peer.endpoint);
|
splitEndpoint = (lib.strings.splitString ":" cfg.peer.endpoint);
|
||||||
joinIPV6 = p: ip: p + (if (stringLength ip > 0) then ":" else "") + ip;
|
joinIPV6 = p: ip: p + (if (lib.stringLength ip > 0) then ":" else "") + ip;
|
||||||
isIPV4 = length splitEndpoint < 3;
|
isIPV4 = lib.length splitEndpoint < 3;
|
||||||
ipFlag = if isIPV4 then "-4" else "-6";
|
ipFlag = if isIPV4 then "-4" else "-6";
|
||||||
endpointIP = (if isIPV4
|
endpointIP = (if isIPV4
|
||||||
then elemAt splitEndpoint 0
|
then lib.elemAt splitEndpoint 0
|
||||||
else lists.fold joinIPV6 "" ((lists.take ((length splitEndpoint) - 1)) splitEndpoint)
|
else lib.lists.fold joinIPV6 "" ((lib.lists.take ((lib.length splitEndpoint) - 1)) splitEndpoint)
|
||||||
);
|
);
|
||||||
endpointIPStripped = strings.removePrefix "[" (strings.removeSuffix "]" endpointIP);
|
endpointIPStripped = lib.strings.removePrefix "[" (lib.strings.removeSuffix "]" endpointIP);
|
||||||
in {
|
in {
|
||||||
wg-tunnel = {
|
wg-tunnel = {
|
||||||
listenPort = 51820;
|
listenPort = 51820;
|
||||||
|
|
Loading…
Reference in a new issue