qenya/nixfiles
1
0
Fork 0
Code Issues 4 Pull requests Activity Actions

birdsong: fully modularise existing wireguard config

Browse source
This commit is contained in:
Katherina Walshe-Grey 2024-07-25 07:52:43 +01:00
parent 5b79e6826b
commit e90afae7ac
6 changed files with 197 additions and 52 deletions
Download patch file Download diff file Expand all files Collapse all files

74
services/birdsong/peer.nix
View file

@ -3,12 +3,25 @@
with lib;
let
cfg = config.birdsong.peer;
hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName;
hosts = config.birdsong.hosts;
host = hosts.${hostName};
in
{
options.birdsong.peer = {
enable = mkEnableOption "WireGuard peering with the birdsong network";
hostName = mkOption {
default = null;
description = ''
The hostname of this peer within the network. Must be listed in
{option}`birdsong.hosts`. If not set, defaults to
{option}`networking.hostName`.
'';
type = with types; nullOr str;
};
interface = mkOption {
default = "birdsong";
example = "wg0";
description = "The name of the network interface to use for WireGuard.";
type = types.str;
};
@ -21,40 +34,57 @@ in
description = "Path to the private key for this peer, as generated by `wg genkey`.";
type = types.path;
};
listenPort = mkOption {
default = 51820;
example = 51821;
description = "Which port to expose WireGuard on. Change this if you are behind NAT, to a port not used by another peer in the same LAN.";
type = types.port;
};
persistentKeepalive = mkOption {
default = null;
example = 23;
description = "Constantly ping the hub this often, in seconds, in order to keep the WireGuard tunnel open. Set this if you are behind NAT to keep the NAT session active. To avoid syncing, this should ideally be a prime number that is not shared by another peer in the same LAN.";
type = types.nullOr types.int;
description = ''
Constantly ping each peer outside the LAN this often, in seconds, in
order to keep the WireGuard tunnel open. Set this if you are behind NAT
to keep the NAT session active, or if you have a dynamic IP to keep the
other peers aware when your IP changes. To avoid syncing, this should
ideally be a prime number that is not shared by another peer in the same
LAN.
'';
type = with types; nullOr int;
};
};
config = mkIf cfg.enable {
assertions = [{
assertion = cfg.privateKeyFile != null;
message = "birdsong.peer.privateKeyFile must be set";
}];
assertions = [
{
assertion = cfg ? privateKeyFile;
message = "birdsong.peer.privateKeyFile must be set";
}
{
assertion = hostName != null;
message = "birdsong.peer.hostName or networking.hostName must be set";
}
];
networking = {
firewall.allowedUDPPorts = mkIf cfg.openPorts [ cfg.listenPort ];
firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ];
wireguard.interfaces.${cfg.interface} = {
listenPort = cfg.listenPort;
ips = [ "${host.ipv4}/16" "${host.ipv6}/48" ]
++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
privateKeyFile = cfg.privateKeyFile;
peers = [
{
publicKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=";
allowedIPs = [ "10.127.1.0/24" "fd70:81ca:0f8f:1::/64" ];
endpoint = "birdsong.network:51820";
persistentKeepalive = cfg.persistentKeepalive;
}
];
listenPort = host.port;
peers =
let
canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet);
in
mapAttrsToList
(name: peer: {
name = name;
publicKey = peer.wireguardKey;
allowedIPs = [ peer.ipv4 peer.ipv6 ]
++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
dynamicEndpointRefreshSeconds = mkIf (canDirectPeer host peer) 5;
persistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
})
(filterAttrs (name: peer: peer != host && (host.subnet == "internet" || canDirectPeer host peer)) hosts);
};
};
};