migrate to systemd-networkd

2024-11-05 14:30:41 +00:00 · 2024-11-05 14:30:41 +00:00 · 3da6e7ce45
parent 7f2f906acc
commit 3da6e7ce45
1 changed files with 26 additions and 14 deletions
--- a/peering.nix
+++ b/peering.nix
@ -20,7 +20,7 @@ in
      type = with types; nullOr str;
    };
    interface = mkOption {
-      default = "birdsong";
+      default = "wg-birdsong";
      example = "wg0";
      description = "The name of the network interface to use for WireGuard.";
      type = types.str;
@ -69,28 +69,40 @@ in
    networking = {
      firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ];

-      wireguard.interfaces.${cfg.interface} = {
-        ips = [ "${host.ipv4}/16" "${host.ipv6}/48" ]
-          ++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
-        privateKeyFile = cfg.privateKeyFile;
-        listenPort = host.port;
+      systemd.network.enable = true;

-        peers =
+      systemd.network.netdevs."30-birdsong" = {
+        netdevConfig = {
+          Name = cfg.interface;
+          Kind = "wireguard";
+          Description = "wireguard tunnel to the birdsong network";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = cfg.privateKeyFile;
+          ListenPort = host.port;
+        };
+        wireguardPeers =
          let
            canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet);
          in
          mapAttrsToList
            (name: peer: {
-              name = name;
-              publicKey = peer.wireguardKey;
-              allowedIPs = [ peer.ipv4 peer.ipv6 ]
-                ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
-              endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
-              dynamicEndpointRefreshSeconds = mkIf (canDirectPeer host peer) 5;
-              persistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
+              wireguardPeerConfig = {
+                PublicKey = peer.wireguardKey;
+                AllowedIPs = [ peer.ipv4 peer.ipv6 ]
+                  ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
+                Endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
+                PersistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
+              };
            })
            (filterAttrs (name: peer: peer != host && (host.subnet == "internet" || canDirectPeer host peer)) hosts);
      };
+
+      systemd.network.networks."30-birdsong" = {
+        matchConfig.Name = cfg.interface;
+        networkConfig.Address = [ "${host.ipv4}/16" "${host.ipv6}/48" ]
+          ++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
+      };
    };
  };
 }