rebuild meshing
This commit is contained in:
parent
1ff6293bec
commit
c2ec3c672b
18 changed files with 90 additions and 55 deletions
|
|
@ -1,9 +1,9 @@
|
|||
{ ... }:
|
||||
{ lib, ... }:
|
||||
|
||||
{
|
||||
networking = {
|
||||
nat.enable = false;
|
||||
firewall.enable = false;
|
||||
firewall.enable = lib.mkForce false;
|
||||
nftables = {
|
||||
enable = true;
|
||||
checkRuleset = true;
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ let
|
|||
name = "${peerConfig.name}";
|
||||
publicKey = peerConfig.publicKey;
|
||||
allowedIPs = [
|
||||
"172.19..${toString (myZone + 127)}${toString peerConfig.id}/32"
|
||||
"172.19.${toString (myZone + 127)}.${toString peerConfig.id}/32"
|
||||
"fc00:f::${toString (myZone + 127)}:${toString peerConfig.id}/128"
|
||||
];
|
||||
persistentKeepalive = 25;
|
||||
|
|
|
|||
|
|
@ -13,39 +13,48 @@ let
|
|||
};
|
||||
generatedSecrets = lib.mapAttrsToList (name: node: buildSecret node.zone node.id) nodes;
|
||||
|
||||
generateWireGuardInterface = nodesConfig: let
|
||||
generateWireGuardInterfaces = nodesConfig: let
|
||||
myPeer = nodesConfig."${config.hostName}";
|
||||
myZone = myPeer.zone;
|
||||
myId = myPeer.id;
|
||||
|
||||
|
||||
# Filter itself out of the peer list
|
||||
peerConfigs = lib.filterAttrs (_peerName: peerConfig: (peerConfig.zone != myZone) || (peerConfig.id != myId)) nodesConfig;
|
||||
|
||||
peers = lib.mapAttrsToList (peerName: peerConfig: {
|
||||
name = "${peerName}";
|
||||
publicKey = peerConfig.wg-pub;
|
||||
allowedIPs = [
|
||||
"172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32"
|
||||
"fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128"
|
||||
];
|
||||
endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:51820";
|
||||
persistentKeepalive = 25;
|
||||
}) peerConfigs;
|
||||
|
||||
interface = {
|
||||
"mesh" = {
|
||||
ips = [
|
||||
"172.19.${toString myZone}.${toString myId}/17"
|
||||
"fc00::${toString myZone}:${toString myId}/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path;
|
||||
listenPort = 51820;
|
||||
peers = peers;
|
||||
};
|
||||
};
|
||||
in interface;
|
||||
peerConfigs = lib.filterAttrs (_peerName: peerConfig: peerConfig.id != myId) nodesConfig;
|
||||
|
||||
# We'll make one if per peer, this is more flexible
|
||||
interfacePeers = lib.flatten (lib.mapAttrsToList (peerName: peerConfig: let
|
||||
remoteId = peerConfig.id;
|
||||
|
||||
wireguardInterfaces = generateWireGuardInterface nodes;
|
||||
# The mesh is for now only IPv4 based
|
||||
if4 = {
|
||||
"mesh-${peerName}" = {
|
||||
ips = [
|
||||
"172.19.${toString remoteId}.${toString myId}/32"
|
||||
"fc00::${toString remoteId}:${toString myId}/128"
|
||||
];
|
||||
privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path;
|
||||
listenPort = 51000 + remoteId;
|
||||
peers = [{
|
||||
name = "${peerName}-ip4";
|
||||
publicKey = peerConfig.wg-pub;
|
||||
allowedIPs = [
|
||||
"172.19.${toString myId}.${toString remoteId}/32"
|
||||
"fc00::${toString myId}:${toString remoteId}/128"
|
||||
# Allow mgmt transport
|
||||
"172.19.128.0/17"
|
||||
"fc00:f::/96"
|
||||
];
|
||||
persistentKeepalive = 25;
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
in if4) peerConfigs);
|
||||
|
||||
interfaces = builtins.foldl' (acc: set: acc // set) {} interfacePeers;
|
||||
in interfaces;
|
||||
|
||||
wireguardInterfaces = generateWireGuardInterfaces nodes;
|
||||
in
|
||||
{
|
||||
age.secrets = lib.lists.foldl' (acc: set: lib.attrsets.recursiveUpdate acc set) {} generatedSecrets;
|
||||
|
|
@ -56,11 +65,14 @@ in
|
|||
# If custom systemd ordering is needed
|
||||
# between wg interface and the rest of
|
||||
# networking: switch to false here
|
||||
# Note: if you turn it off it will break
|
||||
# the custom routing for mgmt rt path
|
||||
# trafic handle by networkd, see networking.nix
|
||||
networking.wireguard.useNetworkd = true;
|
||||
|
||||
# Return all WireGuard interfaces for each node
|
||||
networking.wireguard.interfaces = wireguardInterfaces;
|
||||
|
||||
# Open UDP port for wireguard traffic
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
networking.firewall.allowedUDPPorts = lib.range 51000 52000;
|
||||
}
|
||||
|
|
@ -28,7 +28,6 @@ let
|
|||
Gateway = "fc00::${toString node.zone}:1";
|
||||
Destination = "fc00:f::${toString (node.zone + 127)}:0/96";
|
||||
}) (lib.attrValues (lib.filterAttrs (name: node: node.id == 1) nodes));
|
||||
|
||||
in
|
||||
{
|
||||
networking.hostName = config.hostName;
|
||||
|
|
@ -37,15 +36,22 @@ in
|
|||
networking.useNetworkd = true;
|
||||
networking.useDHCP = false;
|
||||
systemd.network = {
|
||||
networks."10-wan" = {
|
||||
# match the interface by name
|
||||
matchConfig.Name = myNode.dev;
|
||||
address = addr4 ++ addr6;
|
||||
routes = route4 ++ route6;
|
||||
# DNS
|
||||
dns = [ "1.1.1.1" ];
|
||||
# make the routes on this interface a dependency for network-online.target
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
networks = {
|
||||
"10-wan" = {
|
||||
# match the interface by name
|
||||
matchConfig.Name = myNode.dev;
|
||||
address = addr4 ++ addr6;
|
||||
routes = route4 ++ route6;
|
||||
# DNS
|
||||
dns = [ "1.1.1.1" ];
|
||||
# make the routes on this interface a dependency for network-online.target
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
};
|
||||
# This interface is generated by networkd backend for wireguard
|
||||
# See mesh.nix
|
||||
"mesh" = {
|
||||
routes = rtwg4 ++ rtwg6;
|
||||
};
|
||||
};
|
||||
|
||||
config.addRouteTablesToIPRoute2 = true;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue