2024-11-12 01:49:31 +01:00
|
|
|
{
|
|
|
|
config,
|
|
|
|
pkgs,
|
|
|
|
lib,
|
|
|
|
cfg,
|
|
|
|
...
|
2024-11-12 03:46:56 +01:00
|
|
|
}: let
|
2024-11-30 01:50:21 +01:00
|
|
|
buildInputs = [pkgs.wgautomesh];
|
|
|
|
options.services.wgautomesh.settings.ipv6 = lib.mkOption {
|
|
|
|
type = lib.types.bool;
|
|
|
|
default = true;
|
|
|
|
description = "Whether to use IPv6 or IPv4.";
|
|
|
|
};
|
|
|
|
|
2024-11-13 20:27:18 +01:00
|
|
|
prefix = "lyn";
|
2024-11-13 05:15:14 +01:00
|
|
|
|
2024-11-13 22:40:30 +01:00
|
|
|
# decrypt gossip secret
|
|
|
|
# change this to comply with you secret management
|
|
|
|
gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path;
|
|
|
|
|
2024-11-13 18:43:06 +01:00
|
|
|
# function to make a peerlist suitable for wgautomesh
|
|
|
|
buildPeerlist = version: hosts: let
|
|
|
|
#filter out hosts that have wg.enabled set to false
|
|
|
|
wgEnabledHosts = lib.filterAttrs (_: host: host.wg.enabled or false) hosts;
|
|
|
|
#filter out hosts that don't support IP{$version}
|
2024-11-13 23:17:28 +01:00
|
|
|
filteredHosts = lib.filterAttrs (_: host: host.${version} != null) wgEnabledHosts;
|
2024-11-13 18:43:06 +01:00
|
|
|
in
|
2024-11-13 22:40:30 +01:00
|
|
|
lib.mapAttrsToList (name: host: {
|
2024-11-13 18:43:06 +01:00
|
|
|
pubkey = host.wg.pubkey;
|
2024-11-30 01:50:21 +01:00
|
|
|
#if there is no public IP, make endpoint null so wgautomesh knows it unknown. Else format it to a SocketAddr
|
2024-11-14 01:32:43 +01:00
|
|
|
endpoint =
|
|
|
|
if host.${version}.public == ""
|
|
|
|
then null
|
2024-11-30 01:50:21 +01:00
|
|
|
else "${
|
|
|
|
if version == "IPv6"
|
|
|
|
then "[${host.${version}.public}]"
|
|
|
|
else host.${version}.public
|
|
|
|
}:${toString host.wg.port}";
|
2024-11-13 18:43:06 +01:00
|
|
|
address = host.${version}.internal;
|
|
|
|
})
|
|
|
|
filteredHosts;
|
|
|
|
|
2024-11-12 03:46:56 +01:00
|
|
|
# helper vars to prettify
|
2024-11-13 05:15:14 +01:00
|
|
|
meshnetwork = config.${prefix}.network;
|
2024-11-13 18:43:06 +01:00
|
|
|
currentHost = meshnetwork.hosts.${config.networking.hostName};
|
2024-11-12 03:46:56 +01:00
|
|
|
wireguardPort = currentHost.wg.port;
|
|
|
|
in {
|
2024-11-30 01:50:21 +01:00
|
|
|
opt = {
|
|
|
|
useIPv6 = lib.mkOption {
|
|
|
|
type = lib.types.bool;
|
|
|
|
description = "Whether to use IPv6. Defaults to true";
|
|
|
|
default = true;
|
|
|
|
};
|
|
|
|
enable_upnp = lib.mkOption {
|
|
|
|
type = lib.types.bool;
|
|
|
|
description = "Whether to allow the wireguard port in the gateway using UPnP IGD. Necessary on some firewalls, might spam unnecessary debug messages on environments without IGD gateways.";
|
|
|
|
default = false;
|
|
|
|
};
|
2024-11-12 01:49:31 +01:00
|
|
|
};
|
2024-11-13 20:30:39 +01:00
|
|
|
config = {
|
2024-11-14 03:49:23 +01:00
|
|
|
networking.firewall = {
|
2024-11-30 01:50:21 +01:00
|
|
|
allowedUDPPorts =
|
|
|
|
[
|
|
|
|
wireguardPort
|
|
|
|
]
|
|
|
|
# UPnP broadcast responses
|
|
|
|
++ (
|
|
|
|
if cfg.enable_upnp
|
|
|
|
then [1900]
|
|
|
|
else []
|
|
|
|
);
|
2024-11-14 03:49:23 +01:00
|
|
|
};
|
2024-11-14 01:48:38 +01:00
|
|
|
|
2024-11-13 20:30:39 +01:00
|
|
|
networking.wireguard.interfaces.wg0 = {
|
|
|
|
ips =
|
2024-11-12 01:52:07 +01:00
|
|
|
if cfg.useIPv6
|
2024-11-20 21:39:42 +01:00
|
|
|
then ["${currentHost.IPv6.internal}/64"]
|
|
|
|
else ["${currentHost.IPv4.internal}/24"];
|
2024-11-13 21:08:27 +01:00
|
|
|
listenPort = wireguardPort;
|
2024-11-13 20:30:39 +01:00
|
|
|
privateKeyFile = "/var/lib/wireguard-keys/private";
|
2024-11-30 01:50:21 +01:00
|
|
|
mtu = 1280;
|
2024-11-13 20:30:39 +01:00
|
|
|
};
|
2024-11-14 01:32:43 +01:00
|
|
|
|
2024-11-13 20:30:39 +01:00
|
|
|
services.wgautomesh = {
|
|
|
|
enable = true;
|
2024-11-13 21:01:13 +01:00
|
|
|
settings = {
|
2024-11-13 20:30:39 +01:00
|
|
|
interface = "wg0";
|
|
|
|
peers =
|
|
|
|
if cfg.useIPv6
|
2024-11-20 21:39:42 +01:00
|
|
|
then buildPeerlist "IPv6" meshnetwork.hosts
|
|
|
|
else buildPeerlist "IPv4" meshnetwork.hosts;
|
2024-11-13 20:30:39 +01:00
|
|
|
upnp_forward_external_port = wireguardPort;
|
|
|
|
};
|
2024-11-13 22:40:30 +01:00
|
|
|
gossipSecretFile = gossip_secret_path;
|
2024-11-14 01:32:43 +01:00
|
|
|
|
|
|
|
#DEBUG
|
|
|
|
logLevel = "trace";
|
2024-11-12 01:49:31 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|