qo.is/infrastructure
1
0
Fork 0
Code Issues 8 Pull requests Projects Releases Packages Activity Actions
infrastructure/defaults/backplane-net/default.nix

65 lines
2 KiB
Nix
Raw Blame History

{
pkgs,
lib,
config,
...
}:
let
hostName = config.networking.hostName;
netName = "backplane";
netConfig = config.qois.meta.network.virtual.${netName};
hostNetConfig = netConfig.hosts.${hostName};
wgDefaultPort = 51825;
in
{
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
networking.wireguard.enable = true;
networking.wireguard.interfaces."wg-${netName}" = {
ips = [ "${hostNetConfig.v4.ip}/${builtins.toString netConfig.v4.prefixLength}" ];
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else wgDefaultPort;
privateKeyFile = "/secrets/wireguard/private/${netName}";
generatePrivateKeyFile = true;
};
systemd.network.wait-online.ignoredInterfaces = [ "wg-${netName}" ];
networking.firewall.allowedUDPPorts =
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ wgDefaultPort ];
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
services.wgautomesh = {
enable = true;
gossipSecretFile = builtins.toString config.sops.secrets."wgautomesh/gossip-secret".path;
openFirewall = true;
logLevel = "info";
settings = {
interface = "wg-${netName}";
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
peers =
let
reachableHosts = lib.filterAttrs (
peerHostName: peerConfig: peerHostName != hostName # Not this host
) netConfig.hosts;
in
lib.mapAttrsToList (_: peerConfig: {
address = peerConfig.v4.ip;
endpoint =
if peerConfig.endpoint != null then
with peerConfig.endpoint; "${fqdn}:${builtins.toString port}"
else
null;
pubkey = peerConfig.publicKey;
}) reachableHosts;
};
};
systemd.services.wgautomesh =
let
wgInterface = [ "wireguard-wg-backplane.service" ];
in
{
requires = wgInterface;
after = wgInterface;
};
}
Reference in a new issue View git blame Copy permalink