Revert "wireguard/home: Use peer-to-peer connections if possible"

This reverts commit bab6c5e5dc.
Simon Bruder 2021-10-05 21:31:41 +02:00
parent 7a08083af1
commit 31cec022e8
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC


@ -5,33 +5,27 @@ let
nunotaba = { nunotaba = {
address = "10.80.0.4"; address = "10.80.0.4";
publicKey = "DvR8mUkll4uyYhNcX82caMkbcw0Lykg8zDzm/3PD5jw="; publicKey = "DvR8mUkll4uyYhNcX82caMkbcw0Lykg8zDzm/3PD5jw=";
public = false;
}; };
sayuri = { sayuri = {
address = "10.80.0.5"; address = "10.80.0.5";
publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE="; publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
public = false;
}; };
vueko = { vueko = {
address = "10.80.0.6"; address = "10.80.0.6";
publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns="; publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
public = false;
}; };
fuuko = { fuuko = {
address = "10.80.0.7"; address = "10.80.0.7";
publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M="; publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
public = true;
}; };
mayushii = { mayushii = {
address = "10.80.0.9"; address = "10.80.0.9";
publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg="; publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg=";
public = false;
}; };
}; };
cfg = config.sbruder.wireguard.home; cfg = config.sbruder.wireguard.home;
enableServer = config.networking.hostName == serverHostName; enableServer = config.networking.hostName == serverHostName;
isPublic = peers.${config.networking.hostName}.public; # publicly reachable
in in
{ {
options = { options = {
@ -55,31 +49,35 @@ in
networking.wireguard.interfaces.wg-home = { networking.wireguard.interfaces.wg-home = {
privateKeyFile = config.sops.secrets.wg-home-private-key.path; privateKeyFile = config.sops.secrets.wg-home-private-key.path;
ips = [ "${cfg.address}/24" ]; ips = [ "${cfg.address}/24" ];
listenPort = if enableServer || isPublic then 51820 else null; listenPort = if enableServer then 51820 else null;
peers = peers =
# fallback/central server for clients that are not publicly reachable if enableServer
lib.optional (!enableServer) then
map
(peerConfig: with peerConfig; {
allowedIPs = [ "${address}/32" ];
inherit publicKey;
})
(lib.attrValues
(lib.filterAttrs
(n: v: n != config.networking.hostName)
peers))
else [
{ {
allowedIPs = [ "10.80.0.0/24" ]; allowedIPs = [ "10.80.0.0/24" ];
publicKey = peers."${serverHostName}".publicKey; publicKey = peers."${serverHostName}".publicKey;
endpoint = "${serverHostName}.sbruder.de:51820"; endpoint = "${serverHostName}.sbruder.de:51820";
persistentKeepalive = 25; persistentKeepalive = 25;
} ++ (lib.mapAttrsToList }
(hostname: peerConfig: with peerConfig; { ];
allowedIPs = [ "${address}/32" ];
inherit publicKey;
} // (lib.optionalAttrs (public && !enableServer) {
endpoint = "${hostname}.sbruder.de:51820";
}))
(lib.filterAttrs
(n: v: n != config.networking.hostName && (enableServer || v.public))
peers));
}; };
networking.firewall = { networking.firewall = {
trustedInterfaces = [ "wg-home" ]; trustedInterfaces = [ "wg-home" ];
allowedUDPPorts = lib.optional (isPublic || enableServer) 51820 allowedUDPPorts = lib.optionals enableServer [
++ lib.optional enableServer 53; 51820
53
];
}; };
boot.kernel.sysctl = lib.optionalAttrs enableServer { boot.kernel.sysctl = lib.optionalAttrs enableServer {