83 lines
No EOL
2.9 KiB
Nix
83 lines
No EOL
2.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
# Import nodes
|
|
nodes = import ./../../nodes.nix;
|
|
myName = config.hostName;
|
|
myPeer = nodes."${myName}";
|
|
myId = myPeer.id;
|
|
myZone = myPeer.zone;
|
|
|
|
# And mappings
|
|
mapping = import ./../../mapping.nix;
|
|
|
|
meshPort = 51820;
|
|
|
|
buildSecret = zone: id: {
|
|
"wg-private-zone-${toString zone}-id-${toString id}" = {
|
|
file = ./../../secrets/wireguard + ( "/wg-private-zone-" + toString zone + "-id-" + toString id + ".age" );
|
|
owner = "systemd-network";
|
|
group = "systemd-network";
|
|
};
|
|
};
|
|
generatedSecrets = lib.mapAttrsToList (name: node: buildSecret node.zone node.id) nodes;
|
|
|
|
# Filter itself out of the peer list
|
|
peerConfigs = lib.filterAttrs (peerName: _peerConfig: peerName != myName) nodes;
|
|
|
|
interfacePeers = lib.mapAttrsToList (peerName: peerConfig: {
|
|
PublicKey = peerConfig.wg-pub;
|
|
AllowedIPs = [
|
|
"172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32"
|
|
"fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128"
|
|
] ++ lib.optionals (lib.elem peerName mapping.bastion.hosts) [
|
|
"172.19.${toString (peerConfig.zone + 127)}.0/24"
|
|
"fc00:f::${toString (peerConfig.zone + 127)}:0/112"
|
|
];
|
|
Endpoint = "${lib.lists.head (lib.strings.splitString "/" peerConfig.ip4)}:${toString meshPort}";
|
|
PersistentKeepalive = 25;
|
|
}) peerConfigs;
|
|
|
|
interfaceConfig = {
|
|
PrivateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path;
|
|
ListenPort = meshPort;
|
|
};
|
|
|
|
# Return route for mgmt traffic
|
|
bastionConfigs = lib.filterAttrs (peerName: _peerConfig: lib.elem peerName mapping.bastion.hosts) peerConfigs;
|
|
|
|
rtwg4 = map (node: {
|
|
Gateway = "172.19.${toString node.zone}.${toString node.id}";
|
|
Destination = "172.19.${toString (node.zone + 127)}.0/24";
|
|
}) (lib.attrValues bastionConfigs);
|
|
|
|
rtwg6 = map (node: {
|
|
Gateway = "fc00::${toString node.zone}:${toString node.id}";
|
|
Destination = "fc00:f::${toString (node.zone + 127)}:0/112";
|
|
}) (lib.attrValues bastionConfigs);
|
|
in
|
|
{
|
|
age.secrets = lib.lists.foldl' (acc: set: lib.attrsets.recursiveUpdate acc set) {} generatedSecrets;
|
|
|
|
# Build Mesh interface
|
|
systemd.network = {
|
|
netdevs."mesh" = {
|
|
netdevConfig = {
|
|
Name = "mesh";
|
|
Kind = "wireguard";
|
|
};
|
|
wireguardConfig = interfaceConfig;
|
|
wireguardPeers = interfacePeers;
|
|
};
|
|
networks."mesh" = {
|
|
matchConfig.Name = "mesh";
|
|
address = [
|
|
"172.19.${toString myZone}.${toString myId}/17"
|
|
"fc00::${toString myZone}:${toString myId}/96"
|
|
];
|
|
routes = rtwg4 ++ rtwg6;
|
|
};
|
|
};
|
|
|
|
fwtables.allowedUDPPorts = [{ port = meshPort; public = true; }];
|
|
} |