authortv <tv@krebsco.de>2023-02-02 16:29:23 +0100
committertv <tv@krebsco.de>2023-02-02 16:33:29 +0100
commiteb39234ba8375d7274d70af678175ffe88109cb3 (patch)
tree5137da70bac44561a282da19d49735a8c127a1a6
parent38d0a0a5be8e472c60c3745df9f34aadc51514dd (diff)
tv wiregrill: init
-rw-r--r--tv/2configs/wiregrill.nix37
1 files changed, 37 insertions, 0 deletions
diff --git a/tv/2configs/wiregrill.nix b/tv/2configs/wiregrill.nix
new file mode 100644
index 000000000..d28a1ec29
--- /dev/null
+++ b/tv/2configs/wiregrill.nix
@@ -0,0 +1,37 @@
+with import ./lib;
+{ config, pkgs, ... }: let
+ cfg = {
+ enable = cfg.net != null;
+ net = config.krebs.build.host.nets.wiregrill or null;
+ };
+ toCidrNotation = ip: "${ip.addr}/${toString ip.prefixLength}";
+in
+ mkIf cfg.enable {
+ networking.wireguard.interfaces.wiregrill = {
+ ips =
+ optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++
+ optional (cfg.net.ip6 != null) cfg.net.ip6.addr;
+ listenPort = 51820;
+ privateKeyFile = (toString <secrets>) + "/wiregrill.key";
+ allowedIPsAsRoutes = true;
+ peers = mapAttrsToList
+ (_: host: {
+ allowedIPs = host.nets.wiregrill.wireguard.subnets;
+ endpoint =
+ mkIf (host.nets.wiregrill.via != null) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
+ persistentKeepalive = mkIf (host.nets.wiregrill.via != null) 61;
+ publicKey =
+ replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey;
+ })
+ (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
+ };
+ systemd.network.networks.wiregrill = {
+ matchConfig.Name = "wiregrill";
+ address =
+ optional (!isNull cfg.net.ip4) (toCidrNotation cfg.net.ip4) ++
+ optional (!isNull cfg.net.ip6) (toCidrNotation cfg.net.ip6);
+ };
+ tv.iptables.extra.filter.INPUT = [
+ "-p udp --dport ${toString cfg.net.wireguard.port} -j ACCEPT"
+ ];
+ }