Simon Bruder
959f7be3d0
It adds a bit of latency (and is definitely not the best solution in theory), but finally allows dropping IPv6 NAT and it works within the constraints my home network has to live in.
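# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# WireGuard tunnel "wg-he": the host named in `serverHostName` terminates a
# 6in4 ("sit") tunnel to Hurricane Electric and hands the routed IPv6 prefix on
# to the other peers over WireGuard. Every other host with the option enabled is
# a client that sends its IPv6 traffic for that prefix to the server.
{ lib, config, ... }:

let
  serverHostName = "yuzuru";
  serverPort = 51820;
  # Public IPv4 address of the server. Used both as the WireGuard endpoint the
  # clients dial and as the local address of the 6in4 tunnel to HE, so it is
  # defined once to keep the two in sync.
  serverPublicIPv4 = "85.215.73.203";

  # Hurricane Electric tunnel parameters.
  heTunnelRemote = "216.66.80.30"; # tserv1.fra1.he.net
  heTunnelLocalAddress = "2001:470:1f0a:5db::2/64";
  heTunnelGateway = "2001:470:1f0a:5db::1";
  # Routed /48 from HE; peers are assigned slices of it via `subnets`.
  heRoutedPrefix = "2001:470:73b9::/48";
  # Dedicated routing table for traffic sourced from the routed prefix, so it
  # is sent via the HE tunnel rather than the main table's default route.
  heRoutingTable = "0x73b9";

  # Tunnel participants. `subnets` are the prefixes routed to the peer (they
  # become the server-side AllowedIPs, i.e. the only source addresses the
  # server accepts from that peer); the server itself owns no subnet.
  peers = {
    yuzuru = {
      subnets = [ ];
      publicKey = "mWm92aZybisoLtd11g4XqwUZvQGVxMfPW9/za3/1/0Y=";
    };
    shinobu = {
      subnets = [ "2001:470:73b9::/56" ];
      publicKey = "c8lnzMWFeTzQmXwNV0DlD2ROJqBcDL0F9WN5u4lVeFQ=";
    };
  };

  cfg = config.sbruder.wireguard.he;
  enableServer = config.networking.hostName == serverHostName;

  # Every peer except the local host; this is the server's peer list.
  remotePeers = lib.attrValues
    (lib.filterAttrs (n: _: n != config.networking.hostName) peers);
in
{
  options.sbruder.wireguard.he.enable = lib.mkEnableOption "WireGuard tunnel wg-he";

  config = lib.mkIf cfg.enable {
    # Private key is decrypted by sops from the machine's own secrets file and
    # made readable to systemd-networkd only.
    sops.secrets.wg-he-private-key = {
      owner = config.users.users.systemd-network.name;
      sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
    };

    systemd.network = {
      enable = true;

      netdevs = {
        wg-he = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg-he";
          };
          # Only the server listens on a fixed port; clients use an ephemeral
          # port and initiate the connection.
          wireguardConfig = {
            PrivateKeyFile = config.sops.secrets.wg-he-private-key.path;
          } // (lib.optionalAttrs enableServer {
            ListenPort = serverPort;
          });
          wireguardPeers =
            if enableServer
            then
              # Server: one entry per remote peer, limited to the subnets
              # routed to it.
              map
                ({ publicKey, subnets }: {
                  wireguardPeerConfig = {
                    PublicKey = publicKey;
                    AllowedIPs = subnets;
                  };
                })
                remotePeers
            else
              # Client: the server is the sole peer. Keepalives keep the NAT
              # mapping towards the server alive.
              lib.singleton {
                wireguardPeerConfig = {
                  PublicKey = peers."${serverHostName}".publicKey;
                  AllowedIPs = "::/0";
                  Endpoint = "${serverPublicIPv4}:${toString serverPort}";
                  PersistentKeepalive = 25;
                };
              };
        };
      } // (lib.optionalAttrs enableServer {
        # 6in4 tunnel to Hurricane Electric; server only.
        he = {
          netdevConfig = {
            Name = "he";
            Kind = "sit";
            # presumably 1500 minus the 20 byte outer IPv4 header — confirm
            MTUBytes = "1480";
          };
          tunnelConfig = {
            Remote = heTunnelRemote;
            Local = serverPublicIPv4;
            TTL = 255;
          };
        };
      });

      networks = {
        wg-he = {
          name = "wg-he";
          # Only the server forwards between wg-he and the HE tunnel.
          # NOTE(review): newer systemd releases deprecate IPForward= in favour
          # of IPv6Forwarding= — confirm against the systemd version in use.
          networkConfig = lib.optionalAttrs enableServer {
            IPForward = "ipv6";
          };
          # The whole routed prefix is reachable via wg-he on every host.
          routes = lib.singleton {
            routeConfig.Destination = heRoutedPrefix;
          };
        };
      } // (lib.optionalAttrs enableServer {
        he = {
          name = "he";
          address = lib.singleton heTunnelLocalAddress;
          gateway = lib.singleton heTunnelGateway;
          # Source-based routing: packets from the routed prefix are looked up
          # in the dedicated table, whose only route points at the HE gateway.
          routingPolicyRules = lib.singleton {
            routingPolicyRuleConfig = {
              From = heRoutedPrefix;
              Table = heRoutingTable;
            };
          };
          routes = lib.singleton {
            routeConfig = {
              Gateway = heTunnelGateway;
              Table = heRoutingTable;
            };
          };
        };

        # FIXME interface name is hardcoded
        eth0 = {
          networkConfig.Tunnel = "he";
        };
      });
    };

    # Only the server exposes the WireGuard listen port.
    networking.firewall.allowedUDPPorts = lib.optional enableServer serverPort;
  };
}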