From 71be15629e7ecc7b14c1e5f24655026ea3bf33a4 Mon Sep 17 00:00:00 2001 
From: Asyncnomi Date: Tue, 22 Jul 2025 20:50:48 +0200 Subject: [PATCH] simplified mesh --- secrets/secrets.nix | 24 ++--- ...2-id-14.age => wg-private-zone-2-id-1.age} | 0 ...-id-23.age => wg-private-zone-2-id-10.age} | Bin ...-id-24.age => wg-private-zone-2-id-11.age} | 0 ...-id-25.age => wg-private-zone-2-id-12.age} | 0 ...2-id-15.age => wg-private-zone-2-id-2.age} | 0 ...2-id-16.age => wg-private-zone-2-id-3.age} | 0 ...2-id-17.age => wg-private-zone-2-id-4.age} | 0 ...2-id-18.age => wg-private-zone-2-id-5.age} | Bin ...2-id-19.age => wg-private-zone-2-id-6.age} | 0 ...2-id-20.age => wg-private-zone-2-id-7.age} | 0 ...2-id-21.age => wg-private-zone-2-id-8.age} | Bin ...2-id-22.age => wg-private-zone-2-id-9.age} | 0 shared/commons/mesh.nix | 85 +++++++----------- 14 files changed, 45 insertions(+), 64 deletions(-) rename secrets/wireguard/{wg-private-zone-2-id-14.age => wg-private-zone-2-id-1.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-23.age => wg-private-zone-2-id-10.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-24.age => wg-private-zone-2-id-11.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-25.age => wg-private-zone-2-id-12.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-15.age => wg-private-zone-2-id-2.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-16.age => wg-private-zone-2-id-3.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-17.age => wg-private-zone-2-id-4.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-18.age => wg-private-zone-2-id-5.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-19.age => wg-private-zone-2-id-6.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-20.age => wg-private-zone-2-id-7.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-21.age => wg-private-zone-2-id-8.age} (100%) rename secrets/wireguard/{wg-private-zone-2-id-22.age => wg-private-zone-2-id-9.age} (100%) 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a4fc9dc..de9f8d6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -57,18 +57,18 @@ in
 "wireguard/wg-private-zone-1-id-13.age".publicKeys = system-wg ++ users;
 # Zone 2 (Rennes)
- "wireguard/wg-private-zone-2-id-14.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-15.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-16.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-17.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-18.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-19.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-20.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-21.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-22.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-23.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-24.age".publicKeys = system-wg ++ users;
- "wireguard/wg-private-zone-2-id-25.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-1.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-2.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-3.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-4.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-5.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-6.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-7.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-8.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-9.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-10.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-11.age".publicKeys = system-wg ++ users;
+ "wireguard/wg-private-zone-2-id-12.age".publicKeys = system-wg ++ users;
 # Bastion secrets
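Review bot: Each re-added zone-2 entry encrypts that node's WireGuard private key to `system-wg ++ users`, which by its name looks like the age recipients of every mesh host, so a single compromised node can decrypt all twelve zone-2 private keys and impersonate any peer; the renumbering would be the moment to scope each file to the recipient of the one host that mounts it, keeping `system-wg` only for secrets that genuinely must be shared. The `.age` files themselves are pure renames (100% similarity), so existing key material simply moves to a new id; if the id-to-host assignment changed rather than shifted uniformly, the affected keys should be regenerated rather than carried over. The attribute set holding these entries opens and closes outside the hunk.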
diff --git a/secrets/wireguard/wg-private-zone-2-id-14.age b/secrets/wireguard/wg-private-zone-2-id-1.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-14.age
rename to secrets/wireguard/wg-private-zone-2-id-1.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-23.age b/secrets/wireguard/wg-private-zone-2-id-10.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-23.age
rename to secrets/wireguard/wg-private-zone-2-id-10.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-24.age b/secrets/wireguard/wg-private-zone-2-id-11.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-24.age
rename to secrets/wireguard/wg-private-zone-2-id-11.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-25.age b/secrets/wireguard/wg-private-zone-2-id-12.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-25.age
rename to secrets/wireguard/wg-private-zone-2-id-12.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-15.age b/secrets/wireguard/wg-private-zone-2-id-2.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-15.age
rename to secrets/wireguard/wg-private-zone-2-id-2.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-16.age b/secrets/wireguard/wg-private-zone-2-id-3.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-16.age
rename to secrets/wireguard/wg-private-zone-2-id-3.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-17.age b/secrets/wireguard/wg-private-zone-2-id-4.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-17.age
rename to secrets/wireguard/wg-private-zone-2-id-4.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-18.age b/secrets/wireguard/wg-private-zone-2-id-5.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-18.age
rename to secrets/wireguard/wg-private-zone-2-id-5.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-19.age b/secrets/wireguard/wg-private-zone-2-id-6.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-19.age
rename to secrets/wireguard/wg-private-zone-2-id-6.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-20.age b/secrets/wireguard/wg-private-zone-2-id-7.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-20.age
rename to secrets/wireguard/wg-private-zone-2-id-7.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-21.age b/secrets/wireguard/wg-private-zone-2-id-8.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-21.age
rename to secrets/wireguard/wg-private-zone-2-id-8.age
diff --git a/secrets/wireguard/wg-private-zone-2-id-22.age b/secrets/wireguard/wg-private-zone-2-id-9.age
similarity index 100%
rename from secrets/wireguard/wg-private-zone-2-id-22.age
rename to secrets/wireguard/wg-private-zone-2-id-9.age
diff --git a/shared/commons/mesh.nix b/shared/commons/mesh.nix
index 60e17f8..9a32b59 100644
--- a/shared/commons/mesh.nix
+++ b/shared/commons/mesh.nix
@@ -19,71 +19,52 @@ let }; generatedSecrets = lib.mapAttrsToList (name: node: buildSecret node.zone node.id) nodes; - shorten = peerName: let - parts = lib.splitString "-" peerName; - shortened = lib.concatStrings (map (part: lib.substring 0 1 part) parts); - in shortened; - - # Filter itself out of the peer list - peerConfigs = lib.filterAttrs (_peerName: peerConfig: peerConfig.id != myId) nodes; - - # We'll make one if per peer, this is more flexible - interfacePeers = lib.flatten (lib.mapAttrsToList (peerName: peerConfig: let - remoteId = peerConfig.id; - remoteZone = peerConfig.zone; - - # The mesh is for now only IPv4 based - if4 = { - "mesh-${shorten peerName}-${toString remoteZone}-${toString remoteId}" = { + generateWireGuardInterface = nodesConfig: let + myPeer = nodesConfig."${config.hostName}"; + myZone = myPeer.zone; + myId = myPeer.id; + + # Filter itself out of the peer list + peerConfigs = lib.filterAttrs (_peerName: peerConfig: (peerConfig.zone != myZone) || (peerConfig.id != myId)) nodesConfig; + + peers = lib.mapAttrsToList (peerName: peerConfig: { + name = "${peerName}"; + publicKey = peerConfig.wg-pub; + allowedIPs = [ + "172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32" + "fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128" + ] ++ lib.optionals (lib.elem peerName mapping.bastion) [ + "172.19.${toString (peerConfig.zone + 127)}.0/24" + "fc00:f::${toString (peerConfig.zone + 127)}:0/112" + ]; + endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:51820"; + persistentKeepalive = 25; + }) peerConfigs; + + interface = { + "mesh" = { ips = [ - "172.19.0.${toString myId}/32" - "172.19.${toString myId}.${toString remoteId}/32" - "fc00::${toString myId}/128" - "fc00::${toString myId}:${toString remoteId}/128" + "172.19.${toString myZone}.${toString myId}/16" + "fc00::${toString myZone}:${toString myId}/96" ]; privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path; - 
listenPort = 51000 + remoteId; - peers = [{ - name = "${peerName}-ip4"; - publicKey = peerConfig.wg-pub; - allowedIPs = [ - # Allow mesh trafic - "172.19.0.${toString peerConfig.id}/32" - "172.19.${toString peerConfig.id}.0/24" - "fc00::${toString peerConfig.id}:0/96" - # Allow mgmt transport - "172.19.128.0/17" - "fc00:f::/96" - ]; - endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:${toString (51000 + myId)}"; - persistentKeepalive = 25; - }]; - # Throw away route created by wireguard - table = "off"; + listenPort = 51820; + peers = peers; }; }; + in interface; - in if4) peerConfigs); - - wireguardInterfaces = builtins.foldl' (acc: set: acc // set) {} interfacePeers; + wireguardInterfaces = generateWireGuardInterface nodes; generateRoute = peerName: peerConfig: '' - # Static route to declare static wireguard peer inner tunnel ip (that has been thrown away to the "off" table) - ${pkgs.iproute2}/bin/ip route replace 172.19.${toString peerConfig.id}.0/24 dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} scope link - ${pkgs.iproute2}/bin/ip -6 route replace fc00::${toString peerConfig.id}:0/112 dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} scope link - - # Nodes self ip - ${pkgs.iproute2}/bin/ip route replace 172.19.0.${toString peerConfig.id}/32 dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} scope link - ${pkgs.iproute2}/bin/ip -6 route replace fc00::${toString peerConfig.id}/128 dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} scope link - # Return path for mgmt trafic ${if lib.elem peerName mapping.bastion then '' - ${pkgs.iproute2}/bin/ip route replace 172.19.${toString (peerConfig.zone + 127)}.0/24 via 172.19.${toString peerConfig.id}.${toString myId} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} - ${pkgs.iproute2}/bin/ip -6 route replace fc00:f::${toString (peerConfig.zone 
+ 127)}:0/112 via fc00::${toString peerConfig.id}:${toString myId} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} + ${pkgs.iproute2}/bin/ip route replace 172.19.${toString (peerConfig.zone + 127)}.0/24 via 172.19.${toString peerConfig.id}.${toString myId} dev mesh + ${pkgs.iproute2}/bin/ip -6 route replace fc00:f::${toString (peerConfig.zone + 127)}:0/112 via fc00::${toString peerConfig.id}:${toString myId} dev mesh '' else ""} ''; - generateAfter = peerName: peerConfig: "wireguard-mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id}.target"; + generateAfter = peerName: peerConfig: "wireguard-mesh.target"; routes = lib.mapAttrsToList (name: peer: generateRoute name peer) peerConfigs; afters = lib.mapAttrsToList (name: peer: generateAfter name peer) peerConfigs;
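Review bot: `routes` and `afters` on the last two lines still evaluate `peerConfigs`, but the hunk removes the only top-level `peerConfigs` binding and recreates it inside `generateWireGuardInterface`'s private `let`, so unless an outer binding exists above line 19 (unlikely, as Nix would have rejected it as a duplicate of the removed one) the module now fails with an undefined variable; restoring `peerConfigs = lib.filterAttrs (_peerName: peerConfig: (peerConfig.zone != myZone) || (peerConfig.id != myId)) nodes;` in the outer `let` fixes it, and the inner copy can then go. The bastion return route in `generateRoute` also keeps the old per-link next hop `via 172.19.${toString peerConfig.id}.${toString myId}`, an address no node holds under the new `172.19.<zone>.<id>/16` plan; it should read `via 172.19.${toString peerConfig.zone}.${toString peerConfig.id} dev mesh` and `via fc00::${toString peerConfig.zone}:${toString peerConfig.id} dev mesh`. With `table = "off"` gone the wireguard module should already route the `zone + 127` mgmt prefixes to the bastion from its allowedIPs, so this `ip route replace` only overwrites a correct route with a stale gateway and deleting the block is probably the cleaner fix — if it stays, say why, e.g. `# allowedIPs already installs this route; kept only to force the next hop`. The `zone + 127` octet also exceeds 255 for any zone above 128, a latent limit worth an assertion if zones grow. The enclosing `let` opens before the hunk and its `in` body lies after it.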