use proper options for the firewall & default to local build
parent
22f93f23ed
commit
f5241119eb
8 changed files with 171 additions and 109 deletions
|
@ -11,6 +11,8 @@ let
|
|||
# And mappings
|
||||
mapping = import ./../../mapping.nix;
|
||||
|
||||
meshPort = 51820;
|
||||
|
||||
buildSecret = zone: id: {
|
||||
"wg-private-zone-${toString zone}-id-${toString id}" = {
|
||||
file = ./../../secrets/wireguard + ( "/wg-private-zone-" + toString zone + "-id-" + toString id + ".age" );
|
||||
|
@ -32,13 +34,13 @@ let
|
|||
"172.19.${toString (peerConfig.zone + 127)}.0/24"
|
||||
"fc00:f::${toString (peerConfig.zone + 127)}:0/112"
|
||||
];
|
||||
Endpoint = "${lib.lists.head (lib.strings.splitString "/" peerConfig.ip4)}:51820";
|
||||
Endpoint = "${lib.lists.head (lib.strings.splitString "/" peerConfig.ip4)}:${toString meshPort}";
|
||||
PersistentKeepalive = 25;
|
||||
}) peerConfigs;
|
||||
|
||||
interfaceConfig = {
|
||||
PrivateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path;
|
||||
ListenPort = 51820;
|
||||
ListenPort = meshPort;
|
||||
};
|
||||
|
||||
# Return route for mgmt traffic
|
||||
|
@ -76,4 +78,6 @@ in
|
|||
routes = rtwg4 ++ rtwg6;
|
||||
};
|
||||
};
|
||||
|
||||
fwtables.allowedUDPPorts = [{ port = meshPort; public = true; }];
|
||||
}
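Review bot: The `fwtables.allowedUDPPorts` line opens meshPort with `public = true` and nothing on the page records why that exposure is acceptable, while the same constant is also baked into every peer's `Endpoint` in the second hunk, so the listener port, the peers' endpoint port and the firewall rule are coupled without a comment saying so. I would document it at the `meshPort = 51820;` binding in the first hunk: `# UDP port every mesh node listens on; also assumed as the Endpoint port of every peer, so it must be identical mesh-wide.` and on the firewall line: `# WireGuard answers only peers that pass its handshake, so a publicly reachable listener is the intended posture.` What `public = true` selects is inferred from the field name only, since the `fwtables` option is not defined on this page; worth confirming it does not widen the rule beyond the interfaces the peers actually use. The `let` block and the module attribute set both start before the first hunk.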
|