diff --git a/flake.lock b/flake.lock index 7d3e473..d8f2ab7 100644 --- a/flake.lock +++ b/flake.lock @@ -58,24 +58,6 @@ "type": "github" } }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems" @@ -96,14 +78,14 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -159,27 +141,6 @@ "type": "github" } }, - "lynpkgs": { - "inputs": { - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_2", - "pkgs-by-name-for-flake-parts": "pkgs-by-name-for-flake-parts", - "systems": "systems_2" - }, - "locked": { - "lastModified": 1732934040, - "narHash": "sha256-3QuAM3OP8SbZyz1bXKajHBRQGW8sMXZ3vJDLV6MQCRg=", - "owner": "lynatic1337", - "repo": "lynpkgs", - "rev": "1bad540c69e36520fcab64b99cf7a1907e2c0f73", - "type": "github" - }, - "original": { - "owner": "lynatic1337", - "repo": "lynpkgs", - "type": "github" - } - }, "microvm": { "inputs": { "flake-utils": "flake-utils_2", @@ -189,11 +150,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1732633513, - "narHash": "sha256-6LmtOmeDpv9iHS8l0GNcppP11dKIJFMZLdFyxQ+qQBM=", + "lastModified": 1736637237, + "narHash": "sha256-kZELEfQDEbCljZUpmIw0G0tNNdcJlnLvc6bwKQ++Okw=", "owner": "astro", "repo": "microvm.nix", - "rev": "093ef734d3c37669860043a87dbf1c09fc6f5b38", + "rev": "6f7e4a7bfcdce1c703f9cb89ae9d634167b720b8", "type": "github" }, "original": { @@ -218,18 +179,6 @@ "type": "github" } }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1730504152, - "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" - } - }, "nixpkgs-stable": { "locked": { "lastModified": 1710695816, @@ -248,11 +197,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1732521221, - "narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=", + "lastModified": 1736798957, + "narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d", + "rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3", "type": "github" }, "original": { @@ -264,27 +213,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1732521221, - "narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=", + "lastModified": 1735563628, + "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1732749044, - "narHash": "sha256-T38FQOg0BV5M8FN1712fovzNakSOENEYs+CSkg31C9Y=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "0c5b4ecbed5b155b705336aa96d878e55acd8685", + "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", "type": "github" }, "original": { @@ -294,7 +227,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1731763621, "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=", @@ -310,21 +243,6 @@ "type": "github" } }, - "pkgs-by-name-for-flake-parts": { - "locked": { - "lastModified": 1727519927, - "narHash": "sha256-3SNX6BuaisoX9PKYI+fh3geZ3jBgKKkAtHcWuHRU0+o=", - "owner": "drupol", - "repo": "pkgs-by-name-for-flake-parts", - "rev": "91debb07d81ff25b8e3b48914b6abd6f11dc26e2", - "type": "github" - }, - "original": { - "owner": "drupol", - "repo": "pkgs-by-name-for-flake-parts", - "type": "github" - } - }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -355,9 +273,8 @@ "root": { "inputs": { "lanzaboote": "lanzaboote", - "lynpkgs": "lynpkgs", "microvm": "microvm", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } @@ -389,14 +306,14 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1732575825, - "narHash": "sha256-xtt95+c7OUMoqZf4OvA/7AemiH3aVuWHQbErYQoPwFk=", + "lastModified": 1736808430, + "narHash": "sha256-wlgdf/n7bJMLBheqt1jmPoxJFrUP6FByKQFXuM9YvIk=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3433ea14fbd9e6671d0ff0dd45ed15ee4c156ffa", + "rev": "553c7cb22fed19fd60eb310423fdc93045c51ba8", "type": "github" }, "original": { @@ -408,11 +325,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1729945407, - "narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=", + "lastModified": 1733308308, + "narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=", "ref": "refs/heads/main", - "rev": "f1d94ee7029af18637dbd5fdf4749621533693fa", - "revCount": 764, + "rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2", + "revCount": 792, "type": "git", "url": "https://spectrum-os.org/git/spectrum" }, @@ -450,21 +367,6 @@ "repo": "default", "type": "github" } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 815801c..643c1cf 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,6 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; sops-nix.url = "github:Mic92/sops-nix"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; - lynpkgs.url = "github:lynatic1337/lynpkgs"; }; outputs = { self, @@ -16,7 +15,6 @@ sops-nix, lanzaboote, microvm, - lynpkgs, } @ inputs: let imports = { imports = [ @@ -26,8 +24,12 @@ lanzaboote.nixosModules.lanzaboote inputs.microvm.nixosModules.host ./hosts/network.nix + ./meta/wgautomesh ]; }; + overlays = { + default = import ./pkgs/overlay.nix; + }; passInputs = { lib, config, @@ -41,15 +43,10 @@ config.pkgsInstances = { unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;}; }; + config.nixpkgs.overlays = lib.attrValues overlays; }; inherit (nixpkgs) lib; - pkgs = import nixpkgs { - overlays = [ - lynpkgs.overlays.default - ]; - }; - mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;}; mkLocalModsInput = mkLocalMods { prefix = ["lyn"]; diff --git a/hosts/network.nix b/hosts/network.nix index f60dcb1..c051103 100644 --- a/hosts/network.nix +++ b/hosts/network.nix @@ -11,7 +11,6 @@ wg = { enabled = true; pubkey = "Fknzk7lltkPKJZlF3KXWKGQXXSj7CUD9ev0ZEZtpbjY="; - port = 51820; }; IPv4 = { public = "78.47.226.47"; @@ -28,15 +27,12 @@ wg = { enabled = true; pubkey = "jdfbOnP0mFWFobtQunm0h6EtqOZiar9G9jngMU7b+Co="; - port = 51820; }; IPv4 = { - public = ""; # we use 10.35.0.0/16 as a range for private subnets, specifically 10.35.0.0/24 for wireguard peers internal = "10.35.0.2"; }; IPv6 = { - public = ""; # 1aacabcafe is the global ID and 1337 is the wireguard peer subnet ID, resulting in the ULA fd1a:acab:cafe:1337::/64 internal = "fd1a:acab:cafe:1337:6722:3657::"; }; @@ -62,11 +58,16 @@ in { default = null; description = "Public key for WireGuard"; }; - port = lib.mkOption { + port_v4 = lib.mkOption { type = lib.types.int; default = 51820; description = "Port for WireGuard"; }; + port_v6 = lib.mkOption { + type = lib.types.int; + default = 51821; + description = "Port for WireGuard"; + }; }; }; description = "WireGuard configuration"; @@ -75,8 +76,8 @@ in { type = lib.types.submodule { options = { public = lib.mkOption { - type = lib.types.str; - default = ""; + type = lib.types.nullOr lib.types.str; + default = null; description = "Public IPv4 address"; }; internal = lib.mkOption { @@ -92,8 +93,8 @@ in { type = lib.types.submodule { options = { public = lib.mkOption { - type = lib.types.str; - default = ""; + type = lib.types.nullOr lib.types.str; + default = null; description = "Public IPv6 address"; }; internal = lib.mkOption { diff --git a/hosts/supernova/default.nix b/hosts/supernova/default.nix index b325566..7e7555d 100644 --- a/hosts/supernova/default.nix +++ b/hosts/supernova/default.nix @@ -26,7 +26,7 @@ with config.lyn.lib; { lyn.services.wgautomesh = { enable = true; - #useIPv6 = false; + enable_upnp = true; }; ##1##3##3##7## diff --git a/hosts/wg-gateway/default.nix b/hosts/wg-gateway/default.nix index 4555be0..167b231 100644 --- a/hosts/wg-gateway/default.nix +++ b/hosts/wg-gateway/default.nix @@ -20,7 +20,6 @@ lyn.services.wgautomesh = { enable = true; - #useIPv6 = false; }; networking.useDHCP = false; diff --git a/meta/wgautomesh.nix b/meta/wgautomesh/default.nix similarity index 76% rename from meta/wgautomesh.nix rename to meta/wgautomesh/default.nix index c9ca7b3..eeb36d5 100644 --- a/meta/wgautomesh.nix +++ b/meta/wgautomesh/default.nix @@ -13,16 +13,31 @@ with lib; let settingsFormat.generate "wgautomesh-config.toml" (filterAttrs (k: v: v != null) (mapAttrs - (k: v: - if k == "peers" - then map (e: filterAttrs (k: v: v != null) e) v - else v) + ( + k: v: + if k == "peers" + then + map (e: + if e != null + then e + else null) + v + else if k == "interfaces" + then + map (e: + if e != null + then e + else null) + v + else v + ) cfg.settings)); runtimeConfigFile = if cfg.enableGossipEncryption then "/run/wgautomesh/wgautomesh.toml" else configFile; in { + disabledModules = ["services/networking/wgautomesh.nix"]; options.services.wgautomesh = { enable = mkEnableOption "the wgautomesh daemon"; logLevel = mkOption { @@ -58,15 +73,6 @@ in { type = types.submodule { freeformType = settingsFormat.type; options = { - interface = mkOption { - type = types.str; - description = '' - Wireguard interface to manage (it is NOT created by wgautomesh, you - should use another NixOS option to create it such as - `networking.wireguard.interfaces.wg0 = {...};`). - ''; - example = "wg0"; - }; gossip_port = mkOption { type = types.port; description = '' @@ -80,18 +86,24 @@ in { default = true; description = "Enable discovery of peers on the same LAN using UDP broadcast."; }; - ipv6 = mkOption { - type = types.bool; - default = true; - description = "Whether to use IPv6 or IPv4."; - }; - upnp_forward_external_port = mkOption { - type = types.nullOr types.port; - default = null; - description = '' - Public port number to try to redirect to this machine's Wireguard - daemon using UPnP IGD. - ''; + interfaces = mkOption { + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = types.str; + }; + upnp_forward_external_port = mkOption { + type = types.nullOr types.port; + default = null; + description = '' + Public port number to try to redirect to this machine's Wireguard + daemon using UPnP IGD. For IPv6 only interfaces the value is discarded, to enable please set it to any valid port number. + ''; + }; + }; + }); + default = []; + description = "wgautomesh interface settings."; }; peers = mkOption { type = types.listOf (types.submodule { @@ -100,6 +112,13 @@ in { type = types.str; description = "Wireguard public key of this peer."; }; + interface = mkOption { + type = types.str; + }; + port = mkOption { + type = types.nullOr types.port; + example = 51820; + }; address = mkOption { type = types.str; description = '' @@ -115,7 +134,7 @@ in { other address is known or none are working. ''; default = null; - example = "wgnode.mydomain.example:51820"; + example = "wgnode.mydomain.example"; }; }; }); diff --git a/modules/services/wgautomesh.nix b/modules/services/wgautomesh.nix index 5ce5a85..1bb3c55 100644 --- a/modules/services/wgautomesh.nix +++ b/modules/services/wgautomesh.nix @@ -6,11 +6,6 @@ ... }: let buildInputs = [pkgs.wgautomesh]; - options.services.wgautomesh.settings.ipv6 = lib.mkOption { - type = lib.types.bool; - default = true; - description = "Whether to use IPv6 or IPv4."; - }; prefix = "lyn"; @@ -22,46 +17,40 @@ buildPeerlist = version: hosts: let #filter out hosts that have wg.enabled set to false wgEnabledHosts = lib.filterAttrs (_: host: host.wg.enabled or false) hosts; - #filter out hosts that don't support IP{$version} - filteredHosts = lib.filterAttrs (_: host: host.${version} != null) wgEnabledHosts; in lib.mapAttrsToList (name: host: { + interface = + if version == "IPv6" + then "wg1" + else "wg0"; pubkey = host.wg.pubkey; #if there is no public IP, make endpoint null so wgautomesh knows it unknown. Else format it to a SocketAddr - endpoint = - if host.${version}.public == "" - then null - else "${ - if version == "IPv6" - then "[${host.${version}.public}]" - else host.${version}.public - }:${toString host.wg.port}"; + endpoint = host.${version}.public; + port = + if version == "IPv6" + then host.wg.port_v6 + else host.wg.port_v4; address = host.${version}.internal; }) - filteredHosts; + wgEnabledHosts; # helper vars to prettify meshnetwork = config.${prefix}.network; currentHost = meshnetwork.hosts.${config.networking.hostName}; - wireguardPort = currentHost.wg.port; in { opt = { - useIPv6 = lib.mkOption { - type = lib.types.bool; - description = "Whether to use IPv6. Defaults to true"; - default = true; - }; enable_upnp = lib.mkOption { type = lib.types.bool; description = "Whether to allow the wireguard port in the gateway using UPnP IGD. Necessary on some firewalls, might spam unnecessary debug messages on environments without IGD gateways."; default = false; }; }; - config = { + config = rec { networking.firewall = { allowedUDPPorts = [ - wireguardPort + currentHost.wg.port_v4 + currentHost.wg.port_v6 ] # UPnP broadcast responses ++ ( @@ -72,11 +61,14 @@ in { }; networking.wireguard.interfaces.wg0 = { - ips = - if cfg.useIPv6 - then ["${currentHost.IPv6.internal}/64"] - else ["${currentHost.IPv4.internal}/24"]; - listenPort = wireguardPort; + ips = ["${currentHost.IPv4.internal}/24"]; + listenPort = currentHost.wg.port_v4; + privateKeyFile = "/var/lib/wireguard-keys/private"; + mtu = 1280; + }; + networking.wireguard.interfaces.wg1 = { + ips = ["${currentHost.IPv6.internal}/64"]; + listenPort = currentHost.wg.port_v6; privateKeyFile = "/var/lib/wireguard-keys/private"; mtu = 1280; }; @@ -84,12 +76,20 @@ in { services.wgautomesh = { enable = true; settings = { - interface = "wg0"; - peers = - if cfg.useIPv6 - then buildPeerlist "IPv6" meshnetwork.hosts - else buildPeerlist "IPv4" meshnetwork.hosts; - upnp_forward_external_port = wireguardPort; + interfaces = + if cfg.enable_upnp + then [ + { + name = "wg0"; + upnp_forward_external_port = config.networking.wireguard.interfaces.wg0.listenPort; + } + { + name = "wg1"; + upnp_forward_external_port = config.networking.wireguard.interfaces.wg1.listenPort; + } + ] + else null; + peers = buildPeerlist "IPv6" meshnetwork.hosts ++ buildPeerlist "IPv4" meshnetwork.hosts; }; gossipSecretFile = gossip_secret_path; diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix new file mode 100644 index 0000000..cfee0de --- /dev/null +++ b/pkgs/overlay.nix @@ -0,0 +1,14 @@ +final: prev: { + wgautomesh = prev.wgautomesh.overrideAttrs (old: rec { + src = prev.fetchFromGitHub { + owner = "lynatic1337"; + repo = "wgautomesh"; + rev = "53b7a6b6edc144fc0d9679ed5c756530f9883374"; + }; + cargoDeps = final.rustPlatform.fetchCargoTarball { + inherit src; + # TODO + hash = "sha256-uKn2jvdM7TLy62v3Yub/TDqNwYSOXqRnV5J+2prLEQA="; + }; + }); +}