wireguard/home: Switch to systemd-networkd

This commit is contained in:
Simon Bruder 2023-04-07 14:14:31 +02:00
parent 642d97cb52
commit 4d93272cb0
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC


@ -1,6 +1,7 @@
{ lib, config, machines, pkgs, ... }: { lib, config, machines, pkgs, ... }:
let let
serverHostName = "vueko"; serverHostName = "vueko";
serverPort = 51820;
peers = { peers = {
hitagi = { hitagi = {
address = "10.80.0.5"; address = "10.80.0.5";
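Review bot: The WireGuard private key is now made readable by the unprivileged `systemd-network` user (the `owner = config.users.users.systemd-network.name;` line in the second hunk of this file) instead of being read by root as under `networking.wireguard`, so its confidentiality now rests on networkd's sandbox; that is unavoidable with `PrivateKeyFile=`, but the secret declaration relies on the sops-nix default file mode rather than stating it, and `systemd.network` does not reload an already-created netdev when the key file changes. I would pin the permission explicitly and document the reason, e.g. `owner = config.users.users.systemd-network.name; # networkd drops privileges and reads PrivateKeyFile= itself` followed by `mode = "0400";`, and note in the same comment that a rotated key needs `networkctl reload` or a restart of `systemd-networkd.service` to take effect. Separately, the `IPForward = "ipv4"` setting that replaces the removed `net.ipv4.ip_forward` sysctl is, in the systemd versions current at this commit, documented as a system-wide switch despite living in a per-network unit, and later systemd deprecates it for a per-interface `IPv4Forwarding=`; a one-line comment such as `# IPForward= is effectively global in networkd; forwarding between wg-home and other interfaces depends on it` would save the next reader from assuming it is scoped to wg-home. The second hunk continues past the end of this view, so the bind zone configuration that follows was not reviewed.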
@ -45,50 +46,71 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets.wg-home-private-key = { sops.secrets.wg-home-private-key = {
owner = config.users.users.systemd-network.name;
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml"; sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
}; };
sbruder.wireguard.home.address = peers."${config.networking.hostName}".address; sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;
networking.wireguard.interfaces.wg-home = { systemd.network = {
privateKeyFile = config.sops.secrets.wg-home-private-key.path; enable = true;
ips = [ "${cfg.address}/24" ]; netdevs = {
listenPort = if enableServer then 51820 else null; wg-home = {
peers = netdevConfig = {
if enableServer Kind = "wireguard";
then Name = "wg-home";
map };
(peerConfig: with peerConfig; { wireguardConfig = {
allowedIPs = [ "${address}/32" ]; PrivateKeyFile = config.sops.secrets.wg-home-private-key.path;
inherit publicKey; } // (lib.optionalAttrs enableServer {
}) ListenPort = serverPort;
(lib.attrValues });
(lib.filterAttrs wireguardPeers =
(n: v: n != config.networking.hostName) if enableServer
peers)) then
else [ map
{ (peerConfig: with peerConfig; {
allowedIPs = [ "10.80.0.0/24" ]; wireguardPeerConfig = {
publicKey = peers."${serverHostName}".publicKey; PublicKey = publicKey;
#endpoint = "${serverHostName}.sbruder.de:51820"; # not possible because sadly not all devices have IPv6 connectivity AllowedIPs = [ "${address}/32" ];
endpoint = "195.201.139.15:51820"; };
persistentKeepalive = 25; })
} (lib.attrValues
]; (lib.filterAttrs
(n: v: n != config.networking.hostName)
peers))
else [
{
wireguardPeerConfig = {
PublicKey = peers."${serverHostName}".publicKey;
AllowedIPs = [ "10.80.0.0/24" ];
#Endpoint = "${serverHostName}.sbruder.de:${toString serverPort}"; # not possible because sadly not all devices have IPv6 connectivity
Endpoint = "195.201.139.15:${toString serverPort}";
PersistentKeepalive = 25;
};
}
];
};
};
networks = {
wg-home = {
name = "wg-home";
address = lib.singleton "${config.sbruder.wireguard.home.address}/24";
networkConfig = lib.optionalAttrs enableServer {
IPForward = "ipv4";
};
};
};
}; };
networking.firewall = { networking.firewall = {
trustedInterfaces = [ "wg-home" ]; trustedInterfaces = [ "wg-home" ];
allowedUDPPorts = lib.optionals enableServer [ allowedUDPPorts = lib.optionals enableServer [
51820 serverPort
53 53
]; ];
}; };
boot.kernel.sysctl = lib.optionalAttrs enableServer {
"net.ipv4.ip_forward" = lib.mkOverride 999 1;
};
services.bind = lib.mkIf enableServer { services.bind = lib.mkIf enableServer {
enable = true; enable = true;
zones = lib.singleton { zones = lib.singleton {