{ cluster, config, ... }:
let
  # The host this module is being evaluated for.
  inherit (config.networking) hostName;

  wgCfg = cluster.config.services.wireguard;
  hostLinks = cluster.config.hostLinks;

  # This node's own mesh link record (listen port, mesh address, key metadata).
  link = hostLinks.${hostName}.mesh;

  # Translate another node's mesh link record into a WireGuard peer entry.
  # The peer is admitted for its own /32 mesh address plus whatever
  # extraRoutes the cluster config assigns to it; both values come from
  # cluster.config, i.e. they are fixed at evaluation time, not announced by
  # the peer at runtime.
  mkPeer = peerName:
    let
      remote = hostLinks.${peerName}.mesh;
    in {
      publicKey = remote.extra.pubKey;
      allowedIPs = [ "${remote.extra.meshIp}/32" ] ++ remote.extra.extraRoutes;
      endpoint = remote.tuple;
    };

  # Every other mesh member, as reported by the cluster-level helper.
  peers = map mkPeer (wgCfg.otherNodes.mesh hostName);
in
{
  networking.firewall = {
    # NOTE(review): a trusted interface bypasses firewall filtering entirely,
    # so every mesh peer reaches all local listeners over wgmesh unfiltered.
    # The effective access boundary is therefore the set of peer keys and the
    # extraRoutes granted in cluster config — review those when adding nodes.
    trustedInterfaces = [ "wgmesh" ];
    # Only the WireGuard UDP port itself is opened on the outer interfaces.
    allowedUDPPorts = [ link.port ];
  };

  networking.wireguard = {
    enable = true;
    interfaces.wgmesh = {
      # Interface address is /24 so the whole mesh subnet is on-link,
      # while each peer is admitted individually as a /32 above.
      ips = [ "${link.extra.meshIp}/24" ];
      listenPort = link.port;
      # Key material is never inlined; only the secret's path is referenced.
      privateKeyFile = wgCfg.secrets.meshPrivateKey.path;
      inherit peers;
    };
  };
}