From d6a068f95207d4e10c332f7d4ea656a19d40a389 Mon Sep 17 00:00:00 2001 From: Asyncnomi Date: Mon, 21 Jul 2025 02:34:47 +0200 Subject: [PATCH] we only need one if and n peer, not the other way around --- flake.nix | 3 ++- shared/commons/mesh.nix | 58 +++++++++++++++++++---------------------- 2 files changed, 29 insertions(+), 32 deletions(-) diff --git a/flake.nix b/flake.nix index e331c38..37217d6 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,7 @@ nodes = import ./nodes.nix; defaultModules = [ + agenix.nixosModules.default ./shared/users.nix ./shared/commons.nix ]; @@ -66,7 +67,7 @@ }) nodes; }; - # This is highly advised, and will prevent many possible mistakes + # This is highly advised, and will prevent many possible mistakes, just run "deploy -s" to bypass it checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; }; } \ No newline at end of file diff --git a/shared/commons/mesh.nix b/shared/commons/mesh.nix index 488dcb9..6bceef5 100644 --- a/shared/commons/mesh.nix +++ b/shared/commons/mesh.nix 
@@ -11,45 +11,41 @@ let group = "root"; }; }; - generatedSecrets = lib.mapAttrsToList (name: node: generateSecret node.zone) nodes; + generatedSecrets = lib.mapAttrsToList (name: node: buildSecret node.zone node.id) nodes; - generateWireGuardInterfaces = nodesConfig: let + generateWireGuardInterface = nodesConfig: let myPeer = nodesConfig."${config.hostName}"; myZone = myPeer.zone; myId = myPeer.id; - + # Filter itself out of the peer list peerConfigs = lib.filterAttrs (_peerName: peerConfig: (peerConfig.zone != myZone) || (peerConfig.id != myId)) nodesConfig; - - # Build peers - interfacePeers = lib.flatten (lib.mapAttrsToList (peerName: peerConfig: let - # For now only IPv4 based tunnel are deployed - if4 = { - "wg-${peerName}" = { - ips = [ - "172.19.${toString myZone}.${toString myId}/16" - "fc00::${toString myZone}:${toString myId}/96" - ]; - privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path; - listenPort = 51820; - peers = [{ - name = "${peerName}-ip4"; - publicKey = peerConfig.wg-pub; - allowedIPs = [ - "172.19.0.0/16" - "fc00::/96" - ]; - endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:51820"; - persistentKeepalive = 25; - }]; - }; + + peers = lib.mapAttrsToList (peerName: peerConfig: { + name = "${peerName}"; + publicKey = peerConfig.wg-pub; + allowedIPs = [ + "172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32" + "fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128" + ]; + endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:51820"; + persistentKeepalive = 25; + }) peerConfigs; + + interface = { + "mesh" = { + ips = [ + "172.19.${toString myZone}.${toString myId}/16" + "fc00::${toString myZone}:${toString myId}/96" + ]; + privateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path; + listenPort = 51820; + peers = peers; }; + }; + in interface; - in if4) peerConfigs); - interfaces = builtins.foldl' (acc: set: acc // 
set) {} interfacePeers; - in interfaces; - - wireguardInterfaces = generateWireGuardInterfaces nodes; + wireguardInterfaces = generateWireGuardInterface nodes; in { age.secrets = lib.lists.foldl' (acc: set: lib.attrsets.recursiveUpdate acc set) {} generatedSecrets;
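Review bot: Every host still declares an age secret for every node's WireGuard private key — `generatedSecrets` maps `buildSecret` over all of `nodes` and `age.secrets` folds them all in — so, as far as this hunk shows, each machine is set up to decrypt and install keys that belong to other peers rather than only its own. Restricting the declaration to the local node keeps a private key from ever being provisioned to (or exposed by a mis-scoped secrets.nix on) a host that does not need it: `generatedSecrets = let me = nodes."${config.hostName}"; in [ (buildSecret me.zone me.id) ];`. The per-peer `/32` and `/128` allowedIPs on the single `mesh` interface are the right cryptokey-routing shape; note that self is filtered by the `(zone, id)` pair rather than by attribute name, so two node entries sharing a zone/id would both drop out of the peer list silently. `listenPort = 51820` has no matching firewall rule in this hunk — if `networking.firewall.allowedUDPPorts` is not opened elsewhere, inbound handshakes from peers will be dropped. `buildSecret` begins above the hunk and the attrset after `in {` continues past it.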