feat(meta/vpn): internal routing

This commit is contained in:
catvayor 2025-01-07 11:27:06 +01:00
parent 8b89374afa
commit eabd9ad19c
Signed by: lbailly
GPG key ID: CE3E645251AC63F3
6 changed files with 107 additions and 72 deletions


@ -1,14 +1,15 @@
let
mods = import ./modules;
users = import ./users;
sources = import ./npins;
pkgs = import sources.nixpkgs-unstable { };
inherit (pkgs) lib;
inherit (lib)
mapAttrs
mapAttrs'
filterAttrs
mapAttrsToList
removeSuffix
evalModules
flatten
;
nodes = mapAttrs' (name: _: {
@ -28,21 +29,53 @@ let
meta = meta'.config // {
machines = mapAttrs (_: node: node.node_meta) meta'.config.machines;
};
meta-lib = self: rec {
self-meta = meta.machines.${self};
other-meta = filterAttrs (name: _: name != self) meta.machines;
mkPeers =
let
hubs = filterAttrs (_: node: node.vpn-hub) other-meta;
non-hubs = filterAttrs (_: node: node.wg-key != null && !node.vpn-hub) other-meta;
all-subnets =
[ "10.42.0.0/16" ] ++ flatten
(map (mapAttrsToList (_: node: node.subnets)) [
hubs
non-hubs
]);
in
if self-meta.vpn-hub then
mapAttrsToList (_: node: {
AllowedIPs = [
"${node.vpn-ip4}/32"
] ++ node.subnets;
PublicKey = node.wg-key;
}) non-hubs
else
mapAttrsToList (_: node: {
AllowedIPs = all-subnets;
PublicKey = node.wg-key;
Endpoint = "${node.fqdn}:1194";
PersistentKeepalive = 25;
}) hubs;
};
in
{
meta = {
nixpkgs = pkgs.path;
specialArgs = {
inherit
mods
users
sources
meta
;
inherit sources;
mods = import ./modules;
users = import ./users;
kat-path = ./kat;
};
nodeNixpkgs = mapAttrs (_: node: node.nixpkgs-paths.nixpkgs-src) meta.machines;
nodeSpecialArgs = mapAttrs (_: node: { self-meta = node; }) meta.machines;
nodeSpecialArgs = mapAttrs (name: node: {
self-meta = node;
meta = meta // {
lib = meta-lib name;
};
}) meta.machines;
};
defaults =
{
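Review bot: The `hubs` filter in `mkPeers` (`hubs = filterAttrs (_: node: node.vpn-hub) other-meta;`) does not require `node.wg-key != null`, unlike `non-hubs` on the next line, so a machine marked `vpn-hub = true` without a key produces a peer with `PublicKey = null` and has its `fqdn` interpolated into `Endpoint`; `hubs = filterAttrs (_: node: node.vpn-hub && node.wg-key != null) other-meta;` keeps the two filters symmetric. In the non-hub branch every hub receives the same `AllowedIPs = all-subnets`; WireGuard's cryptokey routing binds each allowed prefix to one peer, so a second hub would silently take over the duplicated prefixes from the first — consistent with the `TODO: multiple hubs ?` added elsewhere in this commit, but a comment on `mkPeers` stating that exactly one hub is assumed would make that explicit. The hub branch interpolates `"${node.vpn-ip4}/32"` for every keyed non-hub, so if `vpn-ip4` is nullable it needs the same guard as `wg-key`. The enclosing `let` starts before the first hunk.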


@ -6,18 +6,19 @@
}:
let
inherit (lib)
mkOption
concatStringsSep
mkOption
;
inherit (lib.types)
attrsOf
listOf
submodule
bool
enum
path
unspecified
listOf
nullOr
path
str
submodule
unspecified
;
machine_meta =
@ -48,6 +49,16 @@ let
type = nullOr str;
default = null;
};
vpn-hub = mkOption {
type = bool;
default = false;
description = ''
Peering with a hub should give access to all subnets,
while hubs are the only points with multiple peers.
Non hub peers with all hub, and vice-versa.
TODO: multiple hubs ?
'';
};
subnets = mkOption {
type = listOf str;
default = [ ];
@ -67,6 +78,7 @@ let
version
wg-key
vpn-ip4
vpn-hub
subnets
fqdn
;
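Review bot: The description of the new `vpn-hub` option reads awkwardly and leaves out the constraint `mkPeers` in this commit relies on; suggest `Non-hub machines peer with every hub and hubs peer with every non-hub; hubs do not peer with each other.` while keeping the `TODO: multiple hubs ?` line. Marking a machine as a hub also makes its `wg-key` and `fqdn` mandatory for every other node's peer list, so saying so in the description (or asserting it, if this module has an assertions mechanism) is preferable to a null key surfacing as an evaluation error in another file. The `machine_meta` submodule starts and ends outside this hunk.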


@ -86,18 +86,11 @@
};
wireguardConfig = {
PrivateKeyFile = "/etc/wg/private.key";
RouteTable = "main";
RouteMetric = 2000;
};
wireguardPeers = [
{
Endpoint = "${meta.machines.kat-watcher.fqdn}:1194";
AllowedIPs = [
"10.42.0.2/32"
];
PersistentKeepalive = 20;
PublicKey = meta.machines.kat-watcher.wg-key;
}
];
wireguardPeers = meta.lib.mkPeers;
};
"50-virbr0" = {
netdevConfig = {
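Review bot: With `wireguardPeers = meta.lib.mkPeers;` this host's entry for the hub now carries `AllowedIPs` covering `10.42.0.0/16` plus every other node's declared `subnets`, where the removed entry admitted only `10.42.0.2/32`; combined with the new `RouteTable = "main"` this both routes those prefixes through the hub and accepts packets from the hub with any source address in them. That is the intent of the commit, but the trust it places in whatever other machines put in their `subnets` meta is not visible at this site, so a one-line comment such as `# peers and routed prefixes come from the shared meta; hubs are trusted for all of them` next to `wireguardPeers` would help. `PersistentKeepalive` also moves from 20 to the 25 that `mkPeers` emits, which looks harmless. The enclosing netdev attribute starts before the hunk.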


@ -65,10 +65,15 @@ in
"50-wg0" = {
name = "wg0";
address = [
"10.10.10.13/24"
"10.42.1.1/16"
];
};
"50-wg1" = {
name = "wg1";
address = [
"10.10.10.13/24"
];
};
"10-enp2s0" = {
name = "enp2s0";
DHCP = "ipv4";
@ -78,31 +83,42 @@ in
ipv6AcceptRAConfig.RouteMetric = 500;
};
};
netdevs."50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig.PrivateKeyFile = "/wg/private.key";
netdevs = {
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = "/wg/private.key";
RouteTable = "main";
RouteMetric = 2000;
};
wireguardPeers = [
{
AllowedIPs = [
"10.10.10.0/24"
];
PublicKey = "CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es=";
Endpoint = "129.199.129.76:1194";
PersistentKeepalive = 25;
}
{
AllowedIPs = [
"10.42.0.0/16"
];
PublicKey = meta.machines.kat-watcher.wg-key;
Endpoint = "${meta.machines.kat-watcher.fqdn}:1194";
PersistentKeepalive = 25;
}
];
wireguardPeers = meta.lib.mkPeers;
};
"50-wg1" = {
netdevConfig = {
Name = "wg1";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = "/wg/private.key";
RouteTable = "main";
RouteMetric = 2000;
};
wireguardPeers = [
{
AllowedIPs = [
"10.10.10.0/24"
];
PublicKey = "CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es=";
Endpoint = "129.199.129.76:1194";
PersistentKeepalive = 25;
}
];
};
};
};
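Review bot: `wg0` and `wg1` now carry identical `wireguardConfig` blocks, including the same `PrivateKeyFile = "/wg/private.key"`, so this host presents one WireGuard identity both to the static peer at `129.199.129.76` and to the internal hub; if that is intended, a comment saying so would keep a later reader from treating it as a copy-paste slip, and the block could be bound once (`let wgConfig = { PrivateKeyFile = ...; RouteTable = "main"; RouteMetric = 2000; }; in`) and reused by both netdevs. The first hunk moves `10.10.10.13/24` from wg0 to wg1, which matches the static peer being moved onto wg1. The `systemd.network` attribute set starts before the first hunk.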


@ -29,15 +29,6 @@
firewall.allowedUDPPorts = [ 1194 ];
nftables = {
enable = true;
tables.nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.42.0.0/16 masquerade
}
'';
};
};
};
systemd.network = {
@ -74,22 +65,11 @@
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = "/etc/wg/private.key";
RouteTable = "main";
RouteMetric = 2000;
};
wireguardPeers = [
{
AllowedIPs = [
"10.42.0.1/32"
];
PublicKey = meta.machines.kat-manah.wg-key;
}
{
AllowedIPs = [
"10.42.1.1/32"
];
PublicKey = meta.machines.kat-probook.wg-key;
}
];
wireguardPeers = meta.lib.mkPeers;
};
};
};
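Review bot: The first hunk drops the nat table with `ip saddr 10.42.0.0/16 masquerade`, and the second replaces the explicit peer list with `mkPeers`, so this host — the one the peer list shows acting as the hub — now forwards between the non-hubs' subnets with original source addresses; nothing visible in these hunks restricts which peers may reach which subnets, so whether that is meant to be unrestricted should be stated, e.g. a comment on `nftables.enable` or a forward-chain rule scoped to `wg0`. The `RouteTable = "main"` / `RouteMetric = 2000` lines mirror the other hosts in this commit. IP forwarding itself is not shown here; presumably it is enabled elsewhere in this host's configuration.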


@ -4,6 +4,7 @@
wg-key = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg=";
fqdn = "watcher.katvayor.net";
vpn-ip4 = "10.42.0.2";
vpn-hub = true;
};
config = import ./configuration.nix;
}