From 5d258de4973523ae6bd025fe761feccabf564a73 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 24 Jul 2024 22:32:49 +0100 Subject: [PATCH] birdsong: begin modularising wireguard config --- hosts/tohru/wireguard.nix | 24 +++++--------- services/birdsong/default.nix | 5 +++ services/birdsong/peer.nix | 61 +++++++++++++++++++++++++++++++++++ services/default.nix | 1 + 4 files changed, 75 insertions(+), 16 deletions(-) create mode 100644 services/birdsong/default.nix create mode 100644 services/birdsong/peer.nix diff --git a/hosts/tohru/wireguard.nix b/hosts/tohru/wireguard.nix index dc52429..bca2cd6 100644 --- a/hosts/tohru/wireguard.nix +++ b/hosts/tohru/wireguard.nix @@ -3,21 +3,13 @@ { age.secrets.wireguard-peer-tohru.file = ../../secrets/wireguard-peer-tohru.age; - networking = { - firewall.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ]; - - wireguard.interfaces.wg0 = { - ips = [ "10.127.1.3/24" "fd70:81ca:0f8f:1::3/64" ]; - listenPort = 51821; - privateKeyFile = config.age.secrets.wireguard-peer-tohru.path; - peers = [ - { - publicKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA="; - allowedIPs = [ "10.127.1.0/24" "fd70:81ca:0f8f:1::/64" ]; - endpoint = "birdsong.network:51820"; - persistentKeepalive = 23; - } - ]; - }; + birdsong.peer = { + enable = true; + privateKeyFile = config.age.secrets.wireguard-peer-tohru.path; + listenPort = 51821; + persistentKeepalive = 23; }; + + # TODO: get this from a list of peers, keyed on hostname + networking.wireguard.interfaces.birdsong.ips = [ "10.127.1.3/24" "fd70:81ca:0f8f:1::3/64" ]; } diff --git a/services/birdsong/default.nix b/services/birdsong/default.nix new file mode 100644 index 0000000..4e37405 --- /dev/null +++ b/services/birdsong/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./peer.nix + ]; +} \ No newline at end of file diff --git a/services/birdsong/peer.nix b/services/birdsong/peer.nix new file mode 100644 index 0000000..706310c --- /dev/null 
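Review bot: `networking.wireguard.interfaces.birdsong.ips` hard-codes the interface name that `birdsong.peer.interface` merely defaults to, so overriding that option on this host would silently create a second `wg` interface holding only the addresses while the keyed, peered interface gets none; keying the line on the option, `networking.wireguard.interfaces.${config.birdsong.peer.interface}.ips = [ "10.127.1.3/24" "fd70:81ca:0f8f:1::3/64" ];`, keeps the two in step until the TODO's per-host peer list lands. The move from `wg0` to `birdsong` also changes the kernel interface name, so any firewall `interfaces.wg0` rules, monitoring or scripts elsewhere in the repo that still say `wg0` need the same rename — nothing in this hunk shows whether such references exist.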
+++ b/services/birdsong/peer.nix
@@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.birdsong.peer;
+in
+{
+ options.birdsong.peer = {
+ enable = mkEnableOption "WireGuard peering with the birdsong network";
+ interface = mkOption {
+ default = "birdsong";
+ description = "The name of the network interface to use for WireGuard.";
+ type = types.str;
+ };
+ openPorts = mkOption {
+ default = true;
+ description = "Whether to automatically open firewall ports.";
+ type = types.bool;
+ };
+ privateKeyFile = mkOption {
+ description = "Path to the private key for this peer, as generated by `wg genkey`.";
+ type = types.path;
+ };
+ listenPort = mkOption {
+ default = 51820;
+ example = 51821;
+ description = "Which port to expose WireGuard on. Change this if you are behind NAT, to a port not used by another peer in the same LAN.";
+ type = types.port;
+ };
+ persistentKeepalive = mkOption {
+ default = null;
+ example = 23;
+ description = "Constantly ping the hub this often, in seconds, in order to keep the WireGuard tunnel open. Set this if you are behind NAT to keep the NAT session active. To avoid syncing, this should ideally be a prime number that is not shared by another peer in the same LAN.";
+ type = types.nullOr types.int;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [{
+ assertion = cfg.privateKeyFile != null;
+ message = "birdsong.peer.privateKeyFile must be set";
+ }];
+
+ networking = {
+ firewall.allowedUDPPorts = mkIf cfg.openPorts [ cfg.listenPort ];
+
+ wireguard.interfaces.${cfg.interface} = {
+ listenPort = cfg.listenPort;
+ privateKeyFile = cfg.privateKeyFile;
+ peers = [
+ {
+ publicKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=";
+ allowedIPs = [ "10.127.1.0/24" "fd70:81ca:0f8f:1::/64" ];
+ endpoint = "birdsong.network:51820";
+ persistentKeepalive = cfg.persistentKeepalive;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/services/default.nix b/services/default.nix
index 7c73723..304281d 100644
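Review bot: `privateKeyFile` is typed `types.path`, which accepts a path literal such as `./peer.key`; the upstream `networking.wireguard.interfaces.<name>.privateKeyFile` it is forwarded to is, as far as I recall, `nullOr str`, so such a value is either rejected with an error pointing at the wrong option or — were it ever accepted — interpolated into the Nix store, where the private key becomes world-readable. Declaring it `type = types.str;` and extending the description with a sentence like "must be an absolute path outside the Nix store (for example an agenix or sops secret path); never a path literal, which would copy the key into the world-readable store" keeps this module at least as strict as upstream and tells callers why. The assertion `cfg.privateKeyFile != null` can never surface its message either: the option has no default and a non-nullable type, so evaluating it while unset fails earlier with the module system's generic "used but not defined" error; either drop the assertion or declare `default = null; type = types.nullOr types.str;` so it is reachable. Finally, file-scope `with lib;` is discouraged in nixpkgs style; `inherit (lib) mkEnableOption mkIf mkOption types;` makes the names explicit.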
--- a/services/default.nix +++ b/services/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./birdsong ./fonts.nix ./forgejo.nix ./steam.nix