rebuild meshing

2025-07-21 22:49:14 +02:00 · 2025-07-21 22:49:14 +02:00 · c2ec3c672b
commit c2ec3c672b
parent 1ff6293bec
18 changed files with 90 additions and 55 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,21 @@
 # nix
 ## Onboarding:
 You will need at least nix installed on you machine
 ### Wireguard
 Add your publickeys into ./shared/users-wg.nix
 Create the following interfaces:
 bastion.mtz.lasuite.federez: nePNA6RDzgNeSC7deXqeoK2rGGei65tBNnCEN6ZKkEI=
-bastion.ren.lasuite.federez: tSnZQM0s1EaN2uvCgYP8xkLXt+NccBBPJj5UBzV3h2Y=
+bastion.ren.lasuite.federez: tSnZQM0s1EaN2uvCgYP8xkLXt+NccBBPJj5UBzV3h2Y=
 ### SSH
 Prov yourself in ./shared/users.nix
 ### Agenix
 Add you decryption key into ./secrets/secrets.nix
--- a/nodes.nix
+++ b/nodes.nix
@ -308,7 +308,7 @@
    bastion-ren-lasuite-federez = {
        zone = 2;
-        id = 1;
+        id = 14;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -331,7 +331,7 @@
    db-ren-lasuite-federez = {
        zone = 2;
-        id = 2;
+        id = 15;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -354,7 +354,7 @@
    dns-ren-lasuite-federez = {
        zone = 2;
-        id = 3;
+        id = 16;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -377,7 +377,7 @@
    docs-ren-lasuite-federez = {
        zone = 2;
-        id = 4;
+        id = 17;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -400,7 +400,7 @@
    meet-ren-lasuite-federez = {
        zone = 2;
-        id = 5;
+        id = 18;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -423,7 +423,7 @@
    gris-ren-lasuite-federez = {
        zone = 2;
-        id = 6;
+        id = 19;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -446,7 +446,7 @@
    mail-ren-lasuite-federez = {
        zone = 2;
-        id = 7;
+        id = 20;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -469,7 +469,7 @@
    garage-ren-lasuite-federez = {
        zone = 2;
-        id = 8;
+        id = 21;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -492,7 +492,7 @@
    livekit-ren-lasuite-federez = {
        zone = 2;
-        id = 9;
+        id = 22;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -515,7 +515,7 @@
    backup-ren-lasuite-federez = {
        zone = 2;
-        id = 10;
+        id = 23;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -538,7 +538,7 @@
    prom-ren-lasuite-federez = {
        zone = 2;
-        id = 11;
+        id = 24;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
@ -561,7 +561,7 @@
    auth-ren-lasuite-federez = {
        zone = 2;
-        id = 12;
+        id = 25;
        system = "x86_64-linux";
        ver = "25.05";
        modules = [
--- a/secrets/wireguard/wg-private-zone-2-id-14.age
+++ b/secrets/wireguard/wg-private-zone-2-id-14.age
--- a/secrets/wireguard/wg-private-zone-2-id-15.age
+++ b/secrets/wireguard/wg-private-zone-2-id-15.age
--- a/secrets/wireguard/wg-private-zone-2-id-16.age
+++ b/secrets/wireguard/wg-private-zone-2-id-16.age
--- a/secrets/wireguard/wg-private-zone-2-id-17.age
+++ b/secrets/wireguard/wg-private-zone-2-id-17.age
--- a/secrets/wireguard/wg-private-zone-2-id-18.age
+++ b/secrets/wireguard/wg-private-zone-2-id-18.age
--- a/secrets/wireguard/wg-private-zone-2-id-19.age
+++ b/secrets/wireguard/wg-private-zone-2-id-19.age
--- a/secrets/wireguard/wg-private-zone-2-id-20.age
+++ b/secrets/wireguard/wg-private-zone-2-id-20.age
--- a/secrets/wireguard/wg-private-zone-2-id-21.age
+++ b/secrets/wireguard/wg-private-zone-2-id-21.age
--- a/secrets/wireguard/wg-private-zone-2-id-22.age
+++ b/secrets/wireguard/wg-private-zone-2-id-22.age
--- a/secrets/wireguard/wg-private-zone-2-id-23.age
+++ b/secrets/wireguard/wg-private-zone-2-id-23.age
--- a/secrets/wireguard/wg-private-zone-2-id-24.age
+++ b/secrets/wireguard/wg-private-zone-2-id-24.age
--- a/secrets/wireguard/wg-private-zone-2-id-25.age
+++ b/secrets/wireguard/wg-private-zone-2-id-25.age
--- a/shared/bastion/nftables.nix
+++ b/shared/bastion/nftables.nix
@ -1,9 +1,9 @@
-{ ... }:
+{ lib, ... }:
 {
    networking = {
        nat.enable = false;
-        firewall.enable = false;
+        firewall.enable = lib.mkForce false;
        nftables = {
            enable = true;
            checkRuleset = true;
--- a/shared/bastion/wireguard.nix
+++ b/shared/bastion/wireguard.nix
@ -21,7 +21,7 @@ let
        name = "${peerConfig.name}";
        publicKey = peerConfig.publicKey;
        allowedIPs = [
-            "172.19..${toString (myZone + 127)}${toString peerConfig.id}/32"
+            "172.19.${toString (myZone + 127)}.${toString peerConfig.id}/32"
            "fc00:f::${toString (myZone + 127)}:${toString peerConfig.id}/128"
        ];
        persistentKeepalive = 25;
--- a/shared/commons/mesh.nix
+++ b/shared/commons/mesh.nix
@ -13,39 +13,48 @@ let
    };
    generatedSecrets = lib.mapAttrsToList (name: node: buildSecret node.zone node.id) nodes;
-    generateWireGuardInterface = nodesConfig: let
+    generateWireGuardInterfaces = nodesConfig: let
        myPeer = nodesConfig."${config.hostName}";
        myZone = myPeer.zone;
        myId = myPeer.id;
-        
+    
        # Filter itself out of the peer list
-        peerConfigs = lib.filterAttrs (_peerName: peerConfig: (peerConfig.zone != myZone) || (peerConfig.id != myId)) nodesConfig;
+        peerConfigs = lib.filterAttrs (_peerName: peerConfig: peerConfig.id != myId) nodesConfig;
-        
+    
-        peers = lib.mapAttrsToList (peerName: peerConfig: {
+        # We'll make one if per peer, this is more flexible
-            name = "${peerName}";
+        interfacePeers = lib.flatten (lib.mapAttrsToList (peerName: peerConfig: let
-            publicKey = peerConfig.wg-pub;
+            remoteId = peerConfig.id;
            allowedIPs = [
                "172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32"
                "fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128"
            ];
            endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:51820";
            persistentKeepalive = 25;
        }) peerConfigs;
        interface = {
            "mesh" = {
                ips = [
                    "172.19.${toString myZone}.${toString myId}/17"
                    "fc00::${toString myZone}:${toString myId}/96"
                ];
                privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path;
                listenPort = 51820;
                peers = peers;
            };
        };
    in interface;
-    wireguardInterfaces = generateWireGuardInterface nodes;
+            # The mesh is for now only IPv4 based
            if4 = {
                "mesh-${peerName}" = {
                    ips = [
                        "172.19.${toString remoteId}.${toString myId}/32"
                        "fc00::${toString remoteId}:${toString myId}/128"
                    ];
                    privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path;
                    listenPort = 51000 + remoteId;
                    peers = [{
                        name = "${peerName}-ip4";
                        publicKey = peerConfig.wg-pub;
                        allowedIPs = [
                            "172.19.${toString myId}.${toString remoteId}/32"
                            "fc00::${toString myId}:${toString remoteId}/128"
                            # Allow mgmt transport
                            "172.19.128.0/17"
                            "fc00:f::/96"
                        ];
                        persistentKeepalive = 25;
                    }];
                };
            };
        in if4) peerConfigs);
        interfaces = builtins.foldl' (acc: set: acc // set) {} interfacePeers;
    in interfaces;
    wireguardInterfaces = generateWireGuardInterfaces nodes;
 in
 {
    age.secrets = lib.lists.foldl' (acc: set: lib.attrsets.recursiveUpdate acc set) {} generatedSecrets;
@ -56,11 +65,14 @@ in
    # If custom systemd ordering is needed 
    # between wg interface and the rest of 
    # networking: switch to false here
    # Note: if you turn it off it will break
    # the custom routing for mgmt rt path
    # trafic handle by networkd, see networking.nix
    networking.wireguard.useNetworkd = true;
    # Return all WireGuard interfaces for each node
    networking.wireguard.interfaces = wireguardInterfaces;
    # Open UDP port for wireguard traffic
-    networking.firewall.allowedUDPPorts = [ 51820 ];
+    networking.firewall.allowedUDPPorts = lib.range 51000 52000;
 }
--- a/shared/commons/networking.nix
+++ b/shared/commons/networking.nix
@ -28,7 +28,6 @@ let
            Gateway = "fc00::${toString node.zone}:1"; 
            Destination = "fc00:f::${toString (node.zone + 127)}:0/96"; 
        }) (lib.attrValues (lib.filterAttrs (name: node: node.id == 1) nodes));
 in
 {
    networking.hostName = config.hostName;
@ -37,15 +36,22 @@ in
    networking.useNetworkd = true;
    networking.useDHCP = false;
    systemd.network = {
-        networks."10-wan" = {
+        networks = {
-            # match the interface by name
+            "10-wan" = {
-            matchConfig.Name = myNode.dev;
+                # match the interface by name
-            address = addr4 ++ addr6;
+                matchConfig.Name = myNode.dev;
-            routes = route4 ++ route6;
+                address = addr4 ++ addr6;
-            # DNS
+                routes = route4 ++ route6;
-            dns = [ "1.1.1.1" ];
+                # DNS
-            # make the routes on this interface a dependency for network-online.target
+                dns = [ "1.1.1.1" ];
-            linkConfig.RequiredForOnline = "routable";
+                # make the routes on this interface a dependency for network-online.target
                linkConfig.RequiredForOnline = "routable";
            };
            # This interface is generated by networkd backend for wireguard
            # See mesh.nix
            "mesh" = {
                routes = rtwg4 ++ rtwg6;
            };
        };
        config.addRouteTablesToIPRoute2 = true;