migrate to systemd-networkd

2024-11-05 14:30:41 +00:00 · 2024-11-05 14:30:41 +00:00 · ee6c180368
parent 7f2f906acc
commit ee6c180368
1 changed files with 30 additions and 18 deletions
--- a/peering.nix
+++ b/peering.nix
@ -20,7 +20,7 @@ in
      type = with types; nullOr str;
    };
    interface = mkOption {
-      default = "birdsong";
+      default = "wg-birdsong";
      example = "wg0";
      description = "The name of the network interface to use for WireGuard.";
      type = types.str;
@ -35,7 +35,7 @@ in
      type = types.path;
    };
    persistentKeepalive = mkOption {
-      default = null;
+      default = 0;
      example = 23;
      description = ''
        Constantly ping each peer outside the LAN this often, in seconds, in
@ -43,7 +43,7 @@ in
        to keep the NAT session active, or if you have a dynamic IP to keep the
        other peers aware when your IP changes. To avoid syncing, this should
        ideally be a prime number that is not shared by another peer in the same
-        LAN.
+        LAN. 0 (the default) disables this.
      '';
      type = with types; nullOr int;
    };
@ -66,31 +66,43 @@ in
      "net.ipv6.conf.${cfg.interface}.forwarding" = true;
    };

-    networking = {
-      firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ];
+    networking.firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ];

-      wireguard.interfaces.${cfg.interface} = {
-        ips = [ "${host.ipv4}/16" "${host.ipv6}/48" ]
-          ++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
-        privateKeyFile = cfg.privateKeyFile;
-        listenPort = host.port;
+    systemd.network = {
+      enable = true;

-        peers =
+      netdevs."30-birdsong" = {
+        netdevConfig = {
+          Name = cfg.interface;
+          Kind = "wireguard";
+          Description = "wireguard tunnel to the birdsong network";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = cfg.privateKeyFile;
+          ListenPort = host.port;
+        };
+        wireguardPeers =
          let
            canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet);
          in
          mapAttrsToList
            (name: peer: {
-              name = name;
-              publicKey = peer.wireguardKey;
-              allowedIPs = [ peer.ipv4 peer.ipv6 ]
+              wireguardPeerConfig = {
+                PublicKey = peer.wireguardKey;
+                AllowedIPs = [ peer.ipv4 peer.ipv6 ]
                  ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
-              endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
-              dynamicEndpointRefreshSeconds = mkIf (canDirectPeer host peer) 5;
-              persistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
+                Endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
+                PersistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
+              };
            })
            (filterAttrs (name: peer: peer != host && (host.subnet == "internet" || canDirectPeer host peer)) hosts);
      };
+
+      networks."30-birdsong" = {
+        matchConfig.Name = cfg.interface;
+        networkConfig.Address = [ "${host.ipv4}/16" "${host.ipv6}/48" ]
+          ++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
+      };
    };
  };
 }