From b8ea365ca8eb801f8c8442f2f9ab439343ed8b8f Mon Sep 17 00:00:00 2001 From: azahi Date: Tue, 14 Jan 2025 13:27:50 +0300 Subject: 2025-01-14 --- modules/wireguard.nix | 130 +++++++++++++++++++++++++------------------------- 1 file changed, 65 insertions(+), 65 deletions(-) (limited to 'modules/wireguard.nix') diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 633ec5b..92497e1 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -6,17 +6,16 @@ this, ... }: -with lib; let cfg = config.nixfiles.modules.wireguard; - DNSSetup = optionalString config.services.resolved.enable ( + DNSSetup = lib.optionalString config.services.resolved.enable ( let resolvectl = "${config.systemd.package}/bin/resolvectl"; in '' ${resolvectl} dns ${cfg.interface} ${cfg.server.ipv6.address} ${cfg.server.ipv4.address} - ${resolvectl} domain ${cfg.interface} local ${my.domain.shire} + ${resolvectl} domain ${cfg.interface} local ${lib.my.domain.shire} ${resolvectl} dnssec ${cfg.interface} no ${resolvectl} dnsovertls ${cfg.interface} no '' 
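Review bot: The `DNSSetup` script (context here, only its `lib.` prefixes change) points resolved at the tunnel peer for the `lib.my.domain.shire` search domain and then turns DNSSEC and DNS-over-TLS off for `${cfg.interface}`, with nothing in the file saying why. A one-line comment above the `''` block would stop a later reader from either "hardening" it blindly or missing that name validation for that domain rests entirely on the tunnel and the resolver behind it, e.g. `# Tunnel resolver: DNSSEC/DoT are intentionally off on ${cfg.interface} — <state the reason, e.g. the internal zone is unsigned>`. The `let` block this sits in continues past the hunk.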
@@ -46,83 +45,81 @@ in options.nixfiles.modules.wireguard = { client = { - enable = mkEnableOption "WireGuard client"; + enable = lib.mkEnableOption "WireGuard client"; - enableTrafficRouting = mkOption { + enableTrafficRouting = lib.mkOption { description = "Whether to enable traffic routing through the sever."; - type = with types; bool; + type = lib.types.bool; default = !this.isHeadless; }; }; server = { - enable = mkEnableOption "WireGuard server"; + enable = lib.mkEnableOption "WireGuard server"; - ipv4.address = mkOption { + ipv4.address = lib.mkOption { description = "IPv4 address to bind to."; - type = with types; str; - default = my.configurations.manwe.wireguard.ipv4.address; + type = lib.types.str; + default = lib.my.configurations.manwe.wireguard.ipv4.address; }; - ipv6.address = mkOption { + ipv6.address = lib.mkOption { description = "IPv4 address to bind to."; - type = with types; str; - default = my.configurations.manwe.wireguard.ipv6.address; + type = lib.types.str; + default = lib.my.configurations.manwe.wireguard.ipv6.address; }; - address = mkOption { + address = lib.mkOption { description = "Endpoint address to use"; - type = with types; str; - default = my.configurations.manwe.ipv4.address; + type = lib.types.str; + default = lib.my.configurations.manwe.ipv4.address; }; - port = mkOption { + port = lib.mkOption { description = "Endpoint port to use."; - type = with types; int; + type = lib.types.int; default = 6969; }; - publicKey = mkOption { + publicKey = lib.mkOption { description = "Server's public key."; - type = with types; str; - default = my.configurations.manwe.wireguard.publicKey; + type = lib.types.str; + default = lib.my.configurations.manwe.wireguard.publicKey; }; - peers = mkOption { + peers = lib.mkOption { description = "List of peers."; - type = with types; listOf attrs; + type = with lib.types; listOf attrs; default = - mapAttrsToList - ( - _: attr: with attr; { - inherit (wireguard) publicKey; - allowedIPs = with wireguard; 
[ - "${ipv6.address}/128" - "${ipv4.address}/32" - ]; - } - ) - ( - filterAttrs (_: attr: attr.hostname != this.hostname && hasAttr "wireguard" attr) my.configurations - ); + lib.my.configurations + |> lib.filterAttrs (_: v: v.hostname != this.hostname && lib.hasAttr "wireguard" v) + |> lib.mapAttrsToList ( + _: v: { + inherit (v.wireguard) publicKey; + allowedIPs = with v.wireguard; [ + "${ipv6.address}/128" + "${ipv4.address}/32" + ]; + } + ); }; }; - interface = mkOption { + interface = lib.mkOption { description = "Name of the interface to use WireGuard with."; - type = with types; str; + type = lib.types.str; default = "wg69"; }; - ipv4.subnet = mkOption { + ipv4.subnet = lib.mkOption { description = "CIDR notation for the IPv4 subnet to use over WireGuard."; - type = with types; str; + type = lib.types.str; default = "10.69.0.0/16"; }; - ipv6.subnet = mkOption { + ipv6.subnet = lib.mkOption { description = "CIDR notation for the IPv6 subnet to use over WireGuard."; - type = with types; str; + type = lib.types.str; default = "fd69::/16"; }; }; 
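Review bot: The new `peers` default (and likewise `port |> toString` in the @@ -169 hunk and the `physicalConnections` pipeline in the @@ -251 hunk) relies on the `|>` pipe operator, which, at least as of Nix 2.24, is gated behind the `pipe-operators` experimental feature; unless that is enabled for every evaluator that builds this config, including CI and any remote builder, evaluation fails at parse time, so it is worth pinning in `nixConfig` / `nix.settings.experimental-features` or falling back to `lib.pipe`. The `with v.wireguard;` kept inside the mapped attribute goes against the commit's own move away from `with`; `allowedIPs = [ "${v.wireguard.ipv6.address}/128" "${v.wireguard.ipv4.address}/32" ];` says the same thing explicitly. The `ipv6.address` option still describes itself as "IPv4 address to bind to." and `enableTrafficRouting` says "sever"; `description = "IPv6 address to bind to.";` and "server" fix both. The `options` attribute set continues outside the hunk.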
@@ -135,27 +132,27 @@ in message = "Sudo is not enabled."; } { - assertion = any (x: x == "wheel") config.my.extraGroups; + assertion = lib.any (x: x == "wheel") config.my.extraGroups; message = ''User is not in the "wheel" group.''; } ]; } - // mkMerge [ - (mkIf (cfg.client.enable || cfg.server.enable) { + // lib.mkMerge [ + (lib.mkIf (cfg.client.enable || cfg.server.enable) { secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; networking.firewall.trustedInterfaces = [ cfg.interface ]; - topology = with cfg; { - nodes.${this.hostname}.interfaces.${interface} = { - network = interface; + topology = { + nodes.${this.hostname}.interfaces.${cfg.interface} = { + network = cfg.interface; icon = "interfaces.wireguard"; }; }; }) - (mkIf cfg.client.enable { - networking.wg-quick.interfaces.${cfg.interface} = mkMerge [ + (lib.mkIf cfg.client.enable { + networking.wg-quick.interfaces.${cfg.interface} = lib.mkMerge [ (with this.wireguard; { type = "amneziawg"; privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path; @@ -169,7 +166,7 @@ in peers = [ { inherit publicKey; - endpoint = "${address}:${toString port}"; + endpoint = "${address}:${port |> toString}"; allowedIPs = if cfg.client.enableTrafficRouting then [ @@ -217,7 +214,7 @@ in }) ]; }) - (mkIf cfg.server.enable { + (lib.mkIf cfg.server.enable { networking = { wireguard = { enable = true; @@ -239,7 +236,7 @@ in enable = true; enableIPv6 = true; - externalInterface = mkDefault "eth0"; + externalInterface = lib.mkDefault "eth0"; internalInterfaces = [ cfg.interface ]; internalIPs = [ cfg.ipv4.subnet ]; 
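Review bot: `networking.firewall.trustedInterfaces = [ cfg.interface ];` (context in the @@ -135 hunk, now under `lib.mkIf (cfg.client.enable || cfg.server.enable)`) exempts every packet arriving over the tunnel from the host firewall on clients as well as the server, so any host in `peers` reaches every listening service on every other node. If that is the intent, a comment stating that the tunnel is treated as a fully trusted network belongs next to the line; otherwise `networking.firewall.interfaces.${cfg.interface}.allowedTCPPorts` / `allowedUDPPorts` lets the module open only what the tunnel is for. In the @@ -169 hunk, `"${address}:${port |> toString}"` buys nothing over `"${address}:${toString port}"` and adds an experimental-feature dependency inside a string interpolation. The `lib.mkMerge` list these hunks belong to starts and ends outside them.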
@@ -251,24 +248,27 @@ in services.prometheus.exporters.wireguard = { enable = false; # TODO Doesn't work with amneziawg-tools. - listenAddress = mkDefault this.wireguard.ipv4.address; + listenAddress = lib.mkDefault this.wireguard.ipv4.address; withRemoteIp = true; port = 9586; }; - topology = with cfg; { - networks = { - ${interface} = { - name = interface; - cidrv4 = ipv4.subnet; - cidrv6 = ipv6.subnet; - icon = "interfaces.wireguard"; - }; + topology = { + networks.${cfg.interface} = { + name = cfg.interface; + cidrv4 = cfg.ipv4.subnet; + cidrv6 = cfg.ipv6.subnet; + icon = "interfaces.wireguard"; + style.pattern = "dotted"; }; - nodes.${this.hostname}.interfaces.${interface}.physicalConnections = mapAttrsToList ( - name: _: config.lib.topology.mkConnection name interface - ) (filterAttrs (n: v: !v.isOther && n != this.hostname && hasAttr "wireguard" v) my.configurations); + nodes.${this.hostname}.interfaces.${cfg.interface} = { + network = cfg.interface; + physicalConnections = + lib.my.configurations + |> lib.filterAttrs (n: v: !v.isOther && n != this.hostname && lib.hasAttr "wireguard" v) + |> lib.mapAttrsToList (n: _: config.lib.topology.mkConnection n cfg.interface); + }; }; }) ]; -- cgit 1.4.1
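Review bot: The new `network = cfg.interface;` under `nodes.${this.hostname}.interfaces.${cfg.interface}` repeats the definition already made for the same path in the shared `lib.mkIf (cfg.client.enable || cfg.server.enable)` block (@@ -135 hunk), so on a server both definitions are active at once; that only works if nix-topology's `network` option merges equal values (it appears to, but I have not checked its type), and dropping the line here removes the dependence on that. The `physicalConnections` filter also excludes `v.isOther` while the `peers` default in the options hunk does not, so an `isOther` host with a `wireguard` attribute is configured as a peer but never drawn as a connection — presumably intentional, but a comment such as `# "other" hosts are peers but are not drawn in the topology` would settle it. The `|>` pipeline carries the same `pipe-operators` feature requirement noted on the options hunk. The `mkMerge` list and the module continue past the hunk.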