diff options
author | tv <tv@krebsco.de> | 2023-09-11 18:24:28 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2023-09-13 18:07:11 +0200 |
commit | 0c4f3acb281be6290c55a6e96bc29fab5b5c7a11 (patch) | |
tree | dadaec00477a095273475ac345b2066b4748c399 /configs/wiregrill.nix | |
parent | ab1d0479e90f11806d4703ec6fffed3d5f782914 (diff) |
stockholm -> hrm
Diffstat (limited to 'configs/wiregrill.nix')
-rw-r--r-- | configs/wiregrill.nix | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/configs/wiregrill.nix b/configs/wiregrill.nix new file mode 100644 index 0000000..55bb6f5 --- /dev/null +++ b/configs/wiregrill.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: let + cfg = { + enable = cfg.net != null; + net = config.krebs.build.host.nets.wiregrill or null; + }; + toCidrNotation = ip: "${ip.addr}/${toString ip.prefixLength}"; +in + lib.mkIf cfg.enable { + networking.wireguard.interfaces.wiregrill = { + ips = + lib.optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++ + lib.optional (cfg.net.ip6 != null) cfg.net.ip6.addr; + listenPort = 51820; + privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key"; + allowedIPsAsRoutes = true; + peers = lib.mapAttrsToList + (_: host: { + allowedIPs = host.nets.wiregrill.wireguard.subnets; + endpoint = + lib.mkIf (host.nets.wiregrill.via != null) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}"); + persistentKeepalive = lib.mkIf (host.nets.wiregrill.via != null) 61; + publicKey = + lib.replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey; + }) + (lib.filterAttrs (_: h: lib.hasAttr "wiregrill" h.nets) config.krebs.hosts); + }; + systemd.network.networks.wiregrill = { + matchConfig.Name = "wiregrill"; + address = + lib.optional (cfg.net.ip4 != null) (toCidrNotation cfg.net.ip4) ++ + lib.optional (cfg.net.ip6 != null) (toCidrNotation cfg.net.ip6); + }; + tv.iptables.extra.filter.INPUT = [ + "-p udp --dport ${toString cfg.net.wireguard.port} -j ACCEPT" + ]; + } |