Fix bug in backplane-net module options
This commit is contained in:
parent
dfc4ef90c4
commit
6734f07711
1 changed files with 53 additions and 55 deletions
|
|
@ -6,13 +6,7 @@
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
cfg = config.qois.backplane-net;
|
cfg = config.qois.backplane-net;
|
||||||
hostName = config.networking.hostName;
|
|
||||||
netConfig = config.qois.meta.network.virtual.${cfg.netName};
|
|
||||||
hostNetConfig = netConfig.hosts.${hostName};
|
|
||||||
interface = "wg-${cfg.netName}";
|
|
||||||
wgService = [ "wireguard-${interface}.service" ];
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
options.qois.backplane-net = {
|
options.qois.backplane-net = {
|
||||||
enable = mkEnableOption "Enable backplane server services";
|
enable = mkEnableOption "Enable backplane server services";
|
||||||
|
|
@ -21,11 +15,6 @@ in
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "backplane";
|
default = "backplane";
|
||||||
};
|
};
|
||||||
domain = mkOption {
|
|
||||||
description = "Domain";
|
|
||||||
type = types.str;
|
|
||||||
default = hostNetConfig;
|
|
||||||
};
|
|
||||||
port = mkOption {
|
port = mkOption {
|
||||||
description = "Wireguard Default Port";
|
description = "Wireguard Default Port";
|
||||||
type = types.number;
|
type = types.number;
|
||||||
|
|
@ -33,50 +22,59 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = lib.mkIf cfg.enable (
|
||||||
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
|
let
|
||||||
|
hostName = config.networking.hostName;
|
||||||
|
netConfig = config.qois.meta.network.virtual.${cfg.netName};
|
||||||
|
hostNetConfig = netConfig.hosts.${hostName};
|
||||||
|
interface = "wg-${cfg.netName}";
|
||||||
|
wgService = [ "wireguard-${interface}.service" ];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
|
||||||
|
|
||||||
networking.wireguard.enable = true;
|
networking.wireguard.enable = true;
|
||||||
networking.wireguard.interfaces."wg-${cfg.netName}" = {
|
networking.wireguard.interfaces."wg-${cfg.netName}" = {
|
||||||
ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
|
ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
|
||||||
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
|
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
|
||||||
privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
|
privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
|
||||||
generatePrivateKeyFile = true;
|
generatePrivateKeyFile = true;
|
||||||
};
|
|
||||||
|
|
||||||
systemd.network.wait-online.ignoredInterfaces = [ interface ];
|
|
||||||
|
|
||||||
networking.firewall.allowedUDPPorts =
|
|
||||||
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
|
|
||||||
|
|
||||||
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
|
|
||||||
services.wgautomesh = {
|
|
||||||
enable = true;
|
|
||||||
gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
|
|
||||||
openFirewall = true;
|
|
||||||
settings = {
|
|
||||||
inherit interface;
|
|
||||||
|
|
||||||
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
|
|
||||||
peers = pipe netConfig.hosts [
|
|
||||||
(filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
|
|
||||||
(mapAttrsToList (
|
|
||||||
_: peerConfig: {
|
|
||||||
address = peerConfig.v4.ip;
|
|
||||||
endpoint =
|
|
||||||
if (peerConfig.endpoint != null) then
|
|
||||||
with peerConfig.endpoint; "${fqdn}:${toString port}"
|
|
||||||
else
|
|
||||||
null;
|
|
||||||
pubkey = peerConfig.publicKey;
|
|
||||||
}
|
|
||||||
))
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
|
||||||
systemd.services.wgautomesh = {
|
systemd.network.wait-online.ignoredInterfaces = [ interface ];
|
||||||
requires = wgService;
|
|
||||||
after = wgService;
|
networking.firewall.allowedUDPPorts =
|
||||||
};
|
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
|
||||||
};
|
|
||||||
|
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
|
||||||
|
services.wgautomesh = {
|
||||||
|
enable = true;
|
||||||
|
gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
|
||||||
|
openFirewall = true;
|
||||||
|
settings = {
|
||||||
|
inherit interface;
|
||||||
|
|
||||||
|
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
|
||||||
|
peers = pipe netConfig.hosts [
|
||||||
|
(filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
|
||||||
|
(mapAttrsToList (
|
||||||
|
_: peerConfig: {
|
||||||
|
address = peerConfig.v4.ip;
|
||||||
|
endpoint =
|
||||||
|
if (peerConfig.endpoint != null) then
|
||||||
|
with peerConfig.endpoint; "${fqdn}:${toString port}"
|
||||||
|
else
|
||||||
|
null;
|
||||||
|
pubkey = peerConfig.publicKey;
|
||||||
|
}
|
||||||
|
))
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services.wgautomesh = {
|
||||||
|
requires = wgService;
|
||||||
|
after = wgService;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue