32 lines
841 B
Nix
32 lines
841 B
Nix
{ cluster, config, ... }:
|
|
let
|
|
inherit (config.networking) hostName;
|
|
|
|
link = cluster.config.hostLinks.${hostName}.mesh;
|
|
|
|
mkPeer = peerName: let
|
|
peerLink = cluster.config.hostLinks.${peerName}.mesh;
|
|
in {
|
|
publicKey = peerLink.extra.pubKey;
|
|
allowedIPs = [ "${peerLink.extra.meshIp}/32" ] ++ peerLink.extra.extraRoutes;
|
|
endpoint = peerLink.tuple;
|
|
};
|
|
in
|
|
{
|
|
networking = {
|
|
firewall = {
|
|
trustedInterfaces = [ "wgmesh" ];
|
|
allowedUDPPorts = [ link.port ];
|
|
};
|
|
|
|
wireguard = {
|
|
enable = true;
|
|
interfaces.wgmesh = {
|
|
ips = [ "${link.extra.meshIp}/24" ];
|
|
listenPort = link.port;
|
|
privateKeyFile = cluster.config.services.wireguard.secrets.meshPrivateKey.path;
|
|
peers = map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName);
|
|
};
|
|
};
|
|
};
|
|
}
|