flake/modules/services/wgautomesh.nix

{
  config,
  pkgs,
  lib,
  cfg,
  ...
}: let
  prefix = "lyn";

  # decrypt gossip secret
  # change this to comply with you secret management
  gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path;

  # function to make a peerlist suitable for wgautomesh
  buildPeerlist = version: hosts: let
    #filter out hosts that have wg.enabled set to false
    wgEnabledHosts = lib.filterAttrs (_: host: host.wg.enabled or false) hosts;
    #filter out hosts that don't support IP{$version}
    filteredHosts = lib.filterAttrs (_: host: host.${version} != null) wgEnabledHosts;
  in
    lib.mapAttrsToList (name: host: {
      pubkey = host.wg.pubkey;
      #if there is no public IP, make endpoint null so wgautomesh knows it unknown
      endpoint =
        if host.${version}.public == ""
        then null
        else "${host.${version}.public}:${toString host.wg.port}";
      address = host.${version}.internal;
    })
    filteredHosts;

  # helper vars to prettify
  meshnetwork = config.${prefix}.network;
  currentHost = meshnetwork.hosts.${config.networking.hostName};
  wireguardPort = currentHost.wg.port;
in {
  opt.useIPv6 = lib.mkOption {
    type = lib.types.bool;
    description = "Whether to use IPv6. Defaults to true";
    default = true;
  };
  config = {
    networking.firewall = {
      allowedUDPPorts = [
        wireguardPort
      ];
      extraCommands = ''
        # Allow UDP packets comming from port 1900 from a local address,
        # these are necessary for UPnP/IGD
        iptables -A INPUT -s 192.168.0.0/16 -p udp --sport 1900 -j ACCEPT
      '';
      extraStopCommands = ''
        iptables -D INPUT -s 192.168.0.0/16 -p udp --sport 1900 -j ACCEPT
      '';
    };

    networking.wireguard.interfaces.wg0 = {
      ips =
        if cfg.useIPv6
        then ["${currentHost.IPv6}/64"]
        else ["${currentHost.IPv4}/24"];
      listenPort = wireguardPort;
      privateKeyFile = "/var/lib/wireguard-keys/private";
      mtu = 1200;
    };

    services.wgautomesh = {
      enable = true;
      settings = {
        interface = "wg0";
        peers =
          if cfg.useIPv6
          then buildPeerlist "IPv6" meshnetwork.hosts
          else buildPeerlist "IPv4" meshnetwork.hosts;
        upnp_forward_external_port = wireguardPort;
      };
      gossipSecretFile = gossip_secret_path;

      #DEBUG
      logLevel = "trace";
    };
  };
}
first draft of the automesh abstraction 2024-11-12 01:49:31 +01:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`cfg,`
			`...`
bring local vars into scope 2024-11-12 03:46:56 +01:00			`}: let`
changed prefix to lyn because that works too now; fixed network.nix defining config values inside the options scope 2024-11-13 20:27:18 +01:00			`prefix = "lyn";`
huh would this work? 2024-11-13 05:15:14 +01:00
added wgautomesh to secret management, handling of the secret happens inside the wgautomesh module 2024-11-13 22:40:30 +01:00			`# decrypt gossip secret`
			`# change this to comply with you secret management`
			`gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path;`

first attempt at porting over the peerlist to wgautomesh module to make it more dynamic 2024-11-13 18:43:06 +01:00			`# function to make a peerlist suitable for wgautomesh`
			`buildPeerlist = version: hosts: let`
			`#filter out hosts that have wg.enabled set to false`
			`wgEnabledHosts = lib.filterAttrs (_: host: host.wg.enabled or false) hosts;`
			`#filter out hosts that don't support IP{$version}`
fixes 2024-11-13 23:17:28 +01:00			`filteredHosts = lib.filterAttrs (_: host: host.${version} != null) wgEnabledHosts;`
first attempt at porting over the peerlist to wgautomesh module to make it more dynamic 2024-11-13 18:43:06 +01:00			`in`
added wgautomesh to secret management, handling of the secret happens inside the wgautomesh module 2024-11-13 22:40:30 +01:00			`lib.mapAttrsToList (name: host: {`
first attempt at porting over the peerlist to wgautomesh module to make it more dynamic 2024-11-13 18:43:06 +01:00			`pubkey = host.wg.pubkey;`
			`#if there is no public IP, make endpoint null so wgautomesh knows it unknown`
small fixes to peerlist -> endpoint generation 2024-11-14 01:32:43 +01:00			`endpoint =`
			`if host.${version}.public == ""`
			`then null`
			`else "${host.${version}.public}:${toString host.wg.port}";`
first attempt at porting over the peerlist to wgautomesh module to make it more dynamic 2024-11-13 18:43:06 +01:00			`address = host.${version}.internal;`
			`})`
			`filteredHosts;`

bring local vars into scope 2024-11-12 03:46:56 +01:00			`# helper vars to prettify`
huh would this work? 2024-11-13 05:15:14 +01:00			`meshnetwork = config.${prefix}.network;`
first attempt at porting over the peerlist to wgautomesh module to make it more dynamic 2024-11-13 18:43:06 +01:00			`currentHost = meshnetwork.hosts.${config.networking.hostName};`
bring local vars into scope 2024-11-12 03:46:56 +01:00			`wireguardPort = currentHost.wg.port;`
			`in {`
first draft of the automesh abstraction 2024-11-12 01:49:31 +01:00			`opt.useIPv6 = lib.mkOption {`
			`type = lib.types.bool;`
			`description = "Whether to use IPv6. Defaults to true";`
			`default = true;`
			`};`
fixed typos (this time fr) 2024-11-13 20:30:39 +01:00			`config = {`
update firewall rules to allow upnp requests 2024-11-14 03:49:23 +01:00			`networking.firewall = {`
			`allowedUDPPorts = [`
			`wireguardPort`
			`];`
			`extraCommands = ''`
			`# Allow UDP packets comming from port 1900 from a local address,`
			`# these are necessary for UPnP/IGD`
			`iptables -A INPUT -s 192.168.0.0/16 -p udp --sport 1900 -j ACCEPT`
			`'';`
			`extraStopCommands = ''`
			`iptables -D INPUT -s 192.168.0.0/16 -p udp --sport 1900 -j ACCEPT`
			`'';`
			`};`
open wireguard port; keep mtu low 2024-11-14 01:48:38 +01:00
fixed typos (this time fr) 2024-11-13 20:30:39 +01:00			`networking.wireguard.interfaces.wg0 = {`
			`ips =`
oops 2024-11-12 01:52:07 +01:00			`if cfg.useIPv6`
fixed wireguard \o/ 2024-11-20 21:39:42 +01:00			`then ["${currentHost.IPv6}/64"]`
			`else ["${currentHost.IPv4}/24"];`
uhh how did that get there? 2024-11-13 21:08:27 +01:00			`listenPort = wireguardPort;`
fixed typos (this time fr) 2024-11-13 20:30:39 +01:00			`privateKeyFile = "/var/lib/wireguard-keys/private";`
open wireguard port; keep mtu low 2024-11-14 01:48:38 +01:00			`mtu = 1200;`
fixed typos (this time fr) 2024-11-13 20:30:39 +01:00			`};`
small fixes to peerlist -> endpoint generation 2024-11-14 01:32:43 +01:00
fixed typos (this time fr) 2024-11-13 20:30:39 +01:00			`services.wgautomesh = {`
			`enable = true;`
comments, wgautomesh wrapper fix and removed unncessary logic 2024-11-13 21:01:13 +01:00			`settings = {`
fixed typos (this time fr) 2024-11-13 20:30:39 +01:00			`interface = "wg0";`
			`peers =`
			`if cfg.useIPv6`
fixed wireguard \o/ 2024-11-20 21:39:42 +01:00			`then buildPeerlist "IPv6" meshnetwork.hosts`
			`else buildPeerlist "IPv4" meshnetwork.hosts;`
fixed typos (this time fr) 2024-11-13 20:30:39 +01:00			`upnp_forward_external_port = wireguardPort;`
			`};`
added wgautomesh to secret management, handling of the secret happens inside the wgautomesh module 2024-11-13 22:40:30 +01:00			`gossipSecretFile = gossip_secret_path;`
small fixes to peerlist -> endpoint generation 2024-11-14 01:32:43 +01:00
			`#DEBUG`
			`logLevel = "trace";`
first draft of the automesh abstraction 2024-11-12 01:49:31 +01:00			`};`
			`};`
			`}`