diff options
| author | tv <tv@krebsco.de> | 2019-09-11 10:34:02 +0200 |
|---|---|---|
| committer | tv <tv@krebsco.de> | 2019-09-11 10:34:02 +0200 |
| commit | 0182f1bd64973e93d4cf4c30b6005708b7e09240 (patch) | |
| tree | f5a318fee1572b9b35f9f321d4ac707bc7935792 /makefu/2configs/wireguard | |
| parent | e388d02623b98bad5db52b29ea1ef1f494fddae8 (diff) | |
| parent | 5d24345ff430df38263c113041070a900c23131e (diff) | |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'makefu/2configs/wireguard')
| -rw-r--r-- | makefu/2configs/wireguard/wiregrill.nix | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/makefu/2configs/wireguard/wiregrill.nix b/makefu/2configs/wireguard/wiregrill.nix new file mode 100644 index 000000000..082090755 --- /dev/null +++ b/makefu/2configs/wireguard/wiregrill.nix @@ -0,0 +1,46 @@ +with import <stockholm/lib>; +{ config, pkgs, ... }: let + + self = config.krebs.build.host.nets.wiregrill; + isRouter = !isNull self.via; # via "internet" is not set + ext-if = config.makefu.server.primary-itf; + +in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { + #hack for modprobe inside containers + systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [ + (pkgs.writeDashBin "modprobe" ":") + ]); + + boot.kernel.sysctl = mkIf isRouter { + "net.ipv6.conf.all.forwarding" = 1; + }; + + networking.firewall = { + allowedUDPPorts = [ self.wireguard.port ]; + extraCommands = '' + iptables -A FORWARD -i wiregrill -o wiregrill -j ACCEPT + ''; + }; + + networking.wireguard.interfaces.wiregrill = { + ips = + (optional (!isNull self.ip4) self.ip4.addr) ++ + (optional (!isNull self.ip6) self.ip6.addr); + listenPort = self.wireguard.port; + privateKeyFile = (toString <secrets>) + "/wiregrill.key"; + allowedIPsAsRoutes = true; + peers = mapAttrsToList + (_: host: { + allowedIPs = if isRouter then + (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++ + (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr) + else + host.nets.wiregrill.wireguard.subnets + ; + endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}"); + persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61; + publicKey = (replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey); + }) + (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts); + }; +} |