From 4ffd5aebd5839ce22e8a2398341133cfdd08d40b Mon Sep 17 00:00:00 2001
From: chn
Date: Sun, 17 Dec 2023 12:10:45 +0800
Subject: [PATCH] move wireguard peer config to top level
---
 flake.nix | 43 ++++++++++++++++++++++++++++++----
 modules/services/wireguard.nix | 42 +++++++--------------------------
 2 files changed, 47 insertions(+), 38 deletions(-)
diff --git a/flake.nix b/flake.nix
index 2af49a18..e00afd2b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -191,7 +191,13 @@
 smartd.enable = true;
 misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
 beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
- wireguard = { enable = true; peers = [ "vps6" ]; };
+ wireguard =
+ {
+ enable = true;
+ peers = [ "vps6" ];
+ publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
+ wireguardIp = "192.168.83.3";
+ };
 };
 bugs = [
@@ -263,7 +269,15 @@
 httpua.enable = true;
 mirism.enable = true;
 fail2ban.enable = true;
- wireguard = { enable = true; peers = [ "pc" "nas" "vps7" ]; };
+ wireguard =
+ {
+ enable = true;
+ peers = [ "pc" "nas" "vps7" ];
+ publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
+ wireguardIp = "192.168.83.1";
+ externalIp = "74.211.99.69";
+ lighthouse = true;
+ };
 };
 };
 vps7 =
@@ -326,7 +340,14 @@
 gitlab.enable = true;
 grafana.enable = true;
 fail2ban.enable = true;
- wireguard = { enable = true; peers = [ "vps6" ]; };
+ wireguard =
+ {
+ enable = true;
+ peers = [ "vps6" ];
+ publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
+ wireguardIp = "192.168.83.2";
+ externalIp = "95.111.228.40";
+ };
 };
 };
 nas =
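Review bot: With the central peer table gone, each host block here declares its own `publicKey`/`wireguardIp` and its `peers` list independently, and nothing checks that the relationship is declared on both ends: `vps6` (hunk -263) lists `pc`, `nas` and `vps7`, and those hosts list `vps6` back, but a host later added to only one side would get a one-way tunnel that fails without an evaluation error. The same applies to the -326 hunk here and to the -415 and -558 hunks on the next line. As far as the surrounding context lines let one infer which host each block belongs to, the key and address pairs match the entries removed from the module (pc, vps6, vps7, nas, xmupc1). A symmetry check belongs in the module rather than here, e.g. an assertion that for every `p` in `wireguard.peers` the peer's own `peers` list contains `inputs.config.nixos.system.networking.hostname`.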
@@ -415,7 +436,13 @@
 stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; };
 };
 nginx = { enable = true; applications.webdav.instances."local.webdav.chn.moe" = {}; };
- wireguard = { enable = true; peers = [ "vps6" ]; };
+ wireguard =
+ {
+ enable = true;
+ peers = [ "vps6" ];
+ publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
+ wireguardIp = "192.168.83.4";
+ };
 };
 users.users = [ "chn" "xll" "zem" "yjq" "yxy" ];
 };
@@ -558,7 +585,13 @@
 acme = { enable = true; cert."debug.mirism.one" = {}; };
 smartd.enable = true;
 beesd = { enable = true; instances.root = { device = "/nix/persistent"; hashTableSizeMB = 2048; }; };
- wireguard = { enable = true; peers = [ "vps6" ]; };
+ wireguard =
+ {
+ enable = true;
+ peers = [ "vps6" ];
+ publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
+ wireguardIp = "192.168.83.5";
+ };
 };
 bugs = [ "xmunet" "firefox" ];
 };
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index cd1989a9..80a8c2f5 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -4,36 +4,11 @@ inputs:
 {
 enable = mkOption { type = types.bool; default = false; };
 peers = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; default = []; };
- _peer = mkOption
- {
- type = types.attrsOf (types.submodule { options =
- {
- publicKey = mkOption { type = types.nonEmptyStr; };
- wireguardIp = mkOption { type = types.nonEmptyStr; };
- externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
- lighthouse = mkOption { type = types.bool; default = false; };
- };});
- readOnly = true;
- default = # wg genkey | wg pubkey
- {
- vps6 =
- {
- publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
- wireguardIp = "192.168.83.1";
- externalIp = "74.211.99.69";
- lighthouse = true;
- };
- vps7 =
- {
- publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
- wireguardIp = "192.168.83.2";
- externalIp = "95.111.228.40";
- };
- pc = { publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw="; wireguardIp = "192.168.83.3"; };
- nas = { publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY="; wireguardIp = "192.168.83.4"; };
- xmupc1 = { publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk="; wireguardIp = "192.168.83.5"; };
- };
- };
+ # wg genkey | wg pubkey
+ publicKey = mkOption { type = types.nonEmptyStr; };
+ wireguardIp = mkOption { type = types.nonEmptyStr; };
+ externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+ lighthouse = mkOption { type = types.bool; default = false; };
 };
 config = let
@@ -44,7 +19,6 @@ inputs:
 {
 networking = let
- self = wireguard._peer.${inputs.config.nixos.system.networking.hostname};
 # if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
 port = 51820 + (if inputs.config.nixos.services.xrayClient.enable then 1 else 0);
 in
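Review bot: The four new options carry no `description`, and the move from a `readOnly` table to per-host options drops the one guard the old `_peer` gave: it could not be overridden, whereas now any host module can set `lighthouse = true` or a `wireguardIp` that collides with another host's, and nothing in this hunk or the `config` below detects it. An `assertions` entry that the `wireguardIp` values of this host and of every entry in `wireguard.peers` are pairwise distinct would catch the collision at evaluation time instead of at link-up. The `# wg genkey | wg pubkey` hint is better kept on the option itself, e.g. `publicKey = mkOption { type = types.nonEmptyStr; description = "WireGuard public key of this host, produced by wg genkey | wg pubkey."; };`, with one-line descriptions for `wireguardIp`, `externalIp` and `lighthouse` alongside. Removing `self` in the -44 hunk is consistent with the later switch to `wireguard.wireguardIp`; the enclosing `options` attrset starts before this hunk.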
@@ -52,7 +26,7 @@ inputs:
 firewall = { allowedUDPPorts = [ port ]; trustedInterfaces = [ "wireguard" ]; };
 wireguard.interfaces.wireguard =
 {
- ips = [ "${self.wireguardIp}/24" ];
+ ips = [ "${wireguard.wireguardIp}/24" ];
 listenPort = port;
 privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
 peers = map
@@ -63,7 +37,9 @@ inputs:
 endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820";
 persistentKeepalive = 3;
 });
- (map (peer: wireguard._peer.${peer}) wireguard.peers);
+ (map
+ (peer: inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard)
+ wireguard.peers);
 };
 };
 sops.secrets."wireguard/privateKey" = {};
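Review bot: The new `map` line evaluates the peer's whole `nixosConfigurations.${peer}` but keeps only its `wireguard` attrset, so the peer's listen port is discarded and the context line above still dials `${peer.externalIp}:51820`; per the comment in the earlier -44 hunk a host with `xrayClient.enable = true` listens on 51821, so such a peer would be unreachable through the generated endpoint. A mistyped peer name, or a peer whose `wireguard.enable` is false, also surfaces only as a missing-attribute error deep in evaluation rather than a message naming the peer. Both can be handled where the peer config is fetched, as sketched below, after which the `endpoint` line would read `"${peer.externalIp}:${toString peer.port}"`. The enclosing `peers = map` expression starts in the previous hunk.
```nix
(map
  (peer:
    let
      services = inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services;
    in
      assert services.wireguard.enable || builtins.throw "wireguard peer ${peer} does not enable wireguard";
      # carry the peer's actual listen port so the endpoint matches its xray offset
      services.wireguard // { port = 51820 + (if services.xrayClient.enable then 1 else 0); })
  wireguard.peers);
```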