From 0c4f3acb281be6290c55a6e96bc29fab5b5c7a11 Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 11 Sep 2023 18:24:28 +0200
Subject: stockholm -> hrm
---
 configs/wiregrill.nix | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 configs/wiregrill.nix
(limited to 'configs/wiregrill.nix')
diff --git a/configs/wiregrill.nix b/configs/wiregrill.nix
new file mode 100644
index 0000000..55bb6f5
--- /dev/null
+++ b/configs/wiregrill.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }: let
+ cfg = {
+ enable = cfg.net != null;
+ net = config.krebs.build.host.nets.wiregrill or null;
+ };
+ toCidrNotation = ip: "${ip.addr}/${toString ip.prefixLength}";
+in
+ lib.mkIf cfg.enable {
+ networking.wireguard.interfaces.wiregrill = {
+ ips =
+ lib.optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++
+ lib.optional (cfg.net.ip6 != null) cfg.net.ip6.addr;
+ listenPort = 51820;
+ privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key";
+ allowedIPsAsRoutes = true;
+ peers = lib.mapAttrsToList
+ (_: host: {
+ allowedIPs = host.nets.wiregrill.wireguard.subnets;
+ endpoint =
+ lib.mkIf (host.nets.wiregrill.via != null) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
+ persistentKeepalive = lib.mkIf (host.nets.wiregrill.via != null) 61;
+ publicKey =
+ lib.replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey;
+ })
+ (lib.filterAttrs (_: h: lib.hasAttr "wiregrill" h.nets) config.krebs.hosts);
+ };
+ systemd.network.networks.wiregrill = {
+ matchConfig.Name = "wiregrill";
+ address =
+ lib.optional (cfg.net.ip4 != null) (toCidrNotation cfg.net.ip4) ++
+ lib.optional (cfg.net.ip6 != null) (toCidrNotation cfg.net.ip6);
+ };
+ tv.iptables.extra.filter.INPUT = [
+ "-p udp --dport ${toString cfg.net.wireguard.port} -j ACCEPT"
+ ];
+ }
--
cgit v1.2.3
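Review bot: `listenPort = 51820;` is hard-coded while the INPUT rule at the bottom of the hunk opens `cfg.net.wireguard.port` and every peer is told to connect to `host.nets.wiregrill.wireguard.port`; if this host's declared port is anything other than 51820, WireGuard listens on a port the firewall drops and the firewall accepts a UDP port nothing is bound to. The three places should agree, so take the listen port from the same declaration: `listenPort = cfg.net.wireguard.port;`. Separately, the `filterAttrs` over `config.krebs.hosts` does not exclude the local host, so this machine appears in its own peer list and, with `allowedIPsAsRoutes = true`, its own wiregrill subnets are presumably routed into the tunnel — worth confirming and, if so, dropping the local entry in the filter (e.g. by comparing the attr name against the host's own name). The `endpoint` expression also reads only `via.ip4.addr`, so a relay host declared with an IPv6-only `via` would fail evaluation rather than fall back; a guard or an `ip6` branch would make that explicit.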