diff options
author | tv <tv@krebsco.de> | 2023-02-02 16:29:23 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2023-02-02 16:33:29 +0100 |
commit | 25b5811664f358e0441d5c153028ab1696c3c725 (patch) | |
tree | e300739d7274ae6bdc4a0b984af4a71b4e88ff2d | |
parent | e5d334ea76fc3d4c680ed900299e5c07247cd498 (diff) |
tv wiregrill: init
-rw-r--r-- | tv/2configs/wiregrill.nix | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/tv/2configs/wiregrill.nix b/tv/2configs/wiregrill.nix new file mode 100644 index 0000000..d28a1ec --- /dev/null +++ b/tv/2configs/wiregrill.nix @@ -0,0 +1,37 @@ +with import ./lib; +{ config, pkgs, ... }: let + cfg = { + enable = cfg.net != null; + net = config.krebs.build.host.nets.wiregrill or null; + }; + toCidrNotation = ip: "${ip.addr}/${toString ip.prefixLength}"; +in + mkIf cfg.enable { + networking.wireguard.interfaces.wiregrill = { + ips = + optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++ + optional (cfg.net.ip6 != null) cfg.net.ip6.addr; + listenPort = 51820; + privateKeyFile = (toString <secrets>) + "/wiregrill.key"; + allowedIPsAsRoutes = true; + peers = mapAttrsToList + (_: host: { + allowedIPs = host.nets.wiregrill.wireguard.subnets; + endpoint = + mkIf (host.nets.wiregrill.via != null) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}"); + persistentKeepalive = mkIf (host.nets.wiregrill.via != null) 61; + publicKey = + replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey; + }) + (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts); + }; + systemd.network.networks.wiregrill = { + matchConfig.Name = "wiregrill"; + address = + optional (!isNull cfg.net.ip4) (toCidrNotation cfg.net.ip4) ++ + optional (!isNull cfg.net.ip6) (toCidrNotation cfg.net.ip6); + }; + tv.iptables.extra.filter.INPUT = [ + "-p udp --dport ${toString cfg.net.wireguard.port} -j ACCEPT" + ]; + } |