birdsong: begin modularising wireguard config

2024-07-24 22:32:49 +01:00 · 2024-07-24 22:32:49 +01:00 · 5d258de497
commit 5d258de497
parent 5f70f26e98
4 changed files with 75 additions and 16 deletions
--- a/hosts/tohru/wireguard.nix
+++ b/hosts/tohru/wireguard.nix
@ -3,21 +3,13 @@
 {
  age.secrets.wireguard-peer-tohru.file = ../../secrets/wireguard-peer-tohru.age;
-  networking = {
+  birdsong.peer = {
-    firewall.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ];
+    enable = true;
    wireguard.interfaces.wg0 = {
      ips = [ "10.127.1.3/24" "fd70:81ca:0f8f:1::3/64" ];
      listenPort = 51821;
    privateKeyFile = config.age.secrets.wireguard-peer-tohru.path;
-      peers = [
+    listenPort = 51821;
        {
          publicKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=";
          allowedIPs = [ "10.127.1.0/24" "fd70:81ca:0f8f:1::/64" ];
          endpoint = "birdsong.network:51820";
    persistentKeepalive = 23;
        }
      ];
    };
  };
  # TODO: get this from a list of peers, keyed on hostname
  networking.wireguard.interfaces.birdsong.ips = [ "10.127.1.3/24" "fd70:81ca:0f8f:1::3/64" ];
 }
--- a/services/birdsong/default.nix
+++ b/services/birdsong/default.nix
@ -0,0 +1,5 @@
 {
  imports = [
    ./peer.nix
  ];
 }
--- a/services/birdsong/peer.nix
+++ b/services/birdsong/peer.nix
@ -0,0 +1,61 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.birdsong.peer;
 in
 {
  options.birdsong.peer = {
    enable = mkEnableOption "WireGuard peering with the birdsong network";
    interface = mkOption {
      default = "birdsong";
      description = "The name of the network interface to use for WireGuard.";
      type = types.str;
    };
    openPorts = mkOption {
      default = true;
      description = "Whether to automatically open firewall ports.";
      type = types.bool;
    };
    privateKeyFile = mkOption {
      description = "Path to the private key for this peer, as generated by `wg genkey`.";
      type = types.path;
    };
    listenPort = mkOption {
      default = 51820;
      example = 51821;
      description = "Which port to expose WireGuard on. Change this if you are behind NAT, to a port not used by another peer in the same LAN.";
      type = types.port;
    };
    persistentKeepalive = mkOption {
      default = null;
      example = 23;
      description = "Constantly ping the hub this often, in seconds, in order to keep the WireGuard tunnel open. Set this if you are behind NAT to keep the NAT session active. To avoid syncing, this should ideally be a prime number that is not shared by another peer in the same LAN.";
      type = types.nullOr types.int;
    };
  };
  config = mkIf cfg.enable {
    assertions = [{
      assertion = cfg.privateKeyFile != null;
      message = "birdsong.peer.privateKeyFile must be set";
    }];
    networking = {
      firewall.allowedUDPPorts = mkIf cfg.openPorts [ cfg.listenPort ];
      wireguard.interfaces.${cfg.interface} = {
        listenPort = cfg.listenPort;
        privateKeyFile = cfg.privateKeyFile;
        peers = [
          {
            publicKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=";
            allowedIPs = [ "10.127.1.0/24" "fd70:81ca:0f8f:1::/64" ];
            endpoint = "birdsong.network:51820";
            persistentKeepalive = cfg.persistentKeepalive;
          }
        ];
      };
    };
  };
 }
--- a/services/default.nix
+++ b/services/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
    ./birdsong
    ./fonts.nix
    ./forgejo.nix
    ./steam.nix