qenya/birdsong
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

migrate to systemd-networkd

Browse source
This commit is contained in:
Katherina Walshe-Grey 2024-11-05 14:30:41 +00:00
parent 7f2f906acc
commit ff06dcef7e
1 changed files with 28 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
peering.nix
View file

@ -20,7 +20,7 @@ in
type = with types; nullOr str; type = with types; nullOr str;
}; };
interface = mkOption { interface = mkOption {
default = "birdsong"; default = "wg-birdsong";
example = "wg0"; example = "wg0";
description = "The name of the network interface to use for WireGuard."; description = "The name of the network interface to use for WireGuard.";
type = types.str; type = types.str;
@ -66,31 +66,43 @@ in
"net.ipv6.conf.${cfg.interface}.forwarding" = true; "net.ipv6.conf.${cfg.interface}.forwarding" = true;
}; };
networking = { networking.firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ];
firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ];
wireguard.interfaces.${cfg.interface} = { systemd.network = {
ips = [ "${host.ipv4}/16" "${host.ipv6}/48" ] enable = true;
++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
privateKeyFile = cfg.privateKeyFile;
listenPort = host.port;
peers = netdevs."30-birdsong" = {
netdevConfig = {
Name = cfg.interface;
Kind = "wireguard";
Description = "wireguard tunnel to the birdsong network";
};
wireguardConfig = {
PrivateKeyFile = cfg.privateKeyFile;
ListenPort = host.port;
};
wireguardPeers =
let let
canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet); canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet);
in in
mapAttrsToList mapAttrsToList
(name: peer: { (name: peer: {
name = name; wireguardPeerConfig = {
publicKey = peer.wireguardKey; PublicKey = peer.wireguardKey;
allowedIPs = [ peer.ipv4 peer.ipv6 ] AllowedIPs = [ peer.ipv4 peer.ipv6 ]
++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}"; Endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
dynamicEndpointRefreshSeconds = mkIf (canDirectPeer host peer) 5; PersistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
persistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive; };
}) })
(filterAttrs (name: peer: peer != host && (host.subnet == "internet" || canDirectPeer host peer)) hosts); (filterAttrs (name: peer: peer != host && (host.subnet == "internet" || canDirectPeer host peer)) hosts);
}; };
networks."30-birdsong" = {
matchConfig.Name = cfg.interface;
networkConfig.Address = [ "${host.ipv4}/16" "${host.ipv6}/48" ]
++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
};
}; };
}; };
} }