Refactore backplane-net to module with hosts

2024-12-09 16:20:35 +02:00 · 2024-12-09 16:20:35 +02:00 · 408c24559d
commit 408c24559d
parent 752bed060b
15 changed files with 144 additions and 79 deletions
--- a/nixos-modules/qois/backplane-net.hosts/default.nix
+++ b/nixos-modules/qois/backplane-net.hosts/default.nix
@ -0,0 +1,42 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.qois.backplane-net.hosts;
+  defaultDomains = attrNames config.qois.loadbalancer.domains;
+  defaultLoadbalancers = [ "lindberg" ];
+in
+{
+
+  options.qois.backplane-net.hosts = {
+    enable = mkOption {
+      default = true;
+      description = "Whether to enable hosts aliases for loadbalanced services. This prevents turnarounds over external networks for these services.";
+      type = types.bool;
+    };
+
+    domains = mkOption {
+      description = "Domains that are hosted by the backplane loadbalancer";
+      type = with types; listOf str;
+      default = defaultDomains;
+    };
+    loadbalancers = mkOption {
+      description = "List of Loadbalancer hostnames as listed in the backplane network";
+      type = with types; listOf str;
+      default = defaultLoadbalancers;
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    networking.hosts = pipe cfg.loadbalancers [
+      (map (hostname: config.qois.meta.network.virtual.backplane.hosts.${hostname}.v4.ip))
+      (flip genAttrs (lb: cfg.domains))
+    ];
+
+  };
+}
--- a/nixos-modules/qois/backplane-net/README.md
+++ b/nixos-modules/qois/backplane-net/README.md
@ -0,0 +1,5 @@
+## Backplane Overlay Network
+
+The `backplane.net.qo.is` overlay network connects all the hosts in a peer-to-peer fashion using [wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh).
+
+The definition of the connected hosts are in [defaults/meta/network-virtual.nix](../meta/network-virtual.nix).
--- a/nixos-modules/qois/backplane-net/default.nix
+++ b/nixos-modules/qois/backplane-net/default.nix
@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.qois.backplane-net;
+  hostName = config.networking.hostName;
+  netConfig = config.qois.meta.network.virtual.${cfg.netName};
+  hostNetConfig = netConfig.hosts.${hostName};
+  interface = "wg-${cfg.netName}";
+  wgService = [ "wireguard-${interface}.service" ];
+in
+
+{
+  options.qois.backplane-net = {
+    enable = mkEnableOption "Enable backplane server services";
+    netName = mkOption {
+      description = "Network Name";
+      type = types.str;
+      default = "backplane";
+    };
+    domain = mkOption {
+      description = "Domain";
+      type = types.str;
+      default = hostNetConfig;
+    };
+    port = mkOption {
+      description = "Wireguard Default Port";
+      type = types.number;
+      default = 51825;
+    };
+  };
+
+  config = {
+    sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
+
+    networking.wireguard.enable = true;
+    networking.wireguard.interfaces."wg-${cfg.netName}" = {
+      ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
+      listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
+      privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
+      generatePrivateKeyFile = true;
+    };
+
+    systemd.network.wait-online.ignoredInterfaces = [ interface ];
+
+    networking.firewall.allowedUDPPorts =
+      if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
+
+    # Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
+    services.wgautomesh = {
+      enable = true;
+      gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
+      openFirewall = true;
+      settings = {
+        inherit interface;
+
+        # Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
+        peers = pipe netConfig.hosts [
+          (filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
+          (mapAttrsToList (
+            _: peerConfig: {
+              address = peerConfig.v4.ip;
+              endpoint =
+                if (peerConfig.endpoint != null) then
+                  with peerConfig.endpoint; "${fqdn}:${toString port}"
+                else
+                  null;
+              pubkey = peerConfig.publicKey;
+            }
+          ))
+        ];
+      };
+    };
+    systemd.services.wgautomesh = {
+      requires = wgService;
+      after = wgService;
+    };
+  };
+}
--- a/nixos-modules/qois/vpn-server/default.nix
+++ b/nixos-modules/qois/vpn-server/default.nix
@ -58,7 +58,7 @@ in
      let
        vnet = config.qois.meta.network.virtual;
        vpnNet = vnet.vpn;
-        vpnNetPrefix = "${vpnNet.v4.id}/${builtins.toString vpnNet.v4.prefixLength}";
+        vpnNetPrefix = "${vpnNet.v4.id}/${toString vpnNet.v4.prefixLength}";
        backplaneNetPrefix = "${vnet.backplane.v4.id}/${builtins.toString vnet.backplane.v4.prefixLength}";
      in
      {