mirror of
https://github.com/CHN-beta/nixos.git
synced 2024-10-23 06:18:52 +08:00
move wireguard peer config to top level
This commit is contained in:
parent
8724c23fde
commit
4ffd5aebd5
43
flake.nix
43
flake.nix
@ -191,7 +191,13 @@
|
||||
smartd.enable = true;
|
||||
misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
|
||||
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
|
||||
wireguard = { enable = true; peers = [ "vps6" ]; };
|
||||
wireguard =
|
||||
{
|
||||
enable = true;
|
||||
peers = [ "vps6" ];
|
||||
publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
|
||||
wireguardIp = "192.168.83.3";
|
||||
};
|
||||
};
|
||||
bugs =
|
||||
[
|
||||
@ -263,7 +269,15 @@
|
||||
httpua.enable = true;
|
||||
mirism.enable = true;
|
||||
fail2ban.enable = true;
|
||||
wireguard = { enable = true; peers = [ "pc" "nas" "vps7" ]; };
|
||||
wireguard =
|
||||
{
|
||||
enable = true;
|
||||
peers = [ "pc" "nas" "vps7" ];
|
||||
publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
|
||||
wireguardIp = "192.168.83.1";
|
||||
externalIp = "74.211.99.69";
|
||||
lighthouse = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
vps7 =
|
||||
@ -326,7 +340,14 @@
|
||||
gitlab.enable = true;
|
||||
grafana.enable = true;
|
||||
fail2ban.enable = true;
|
||||
wireguard = { enable = true; peers = [ "vps6" ]; };
|
||||
wireguard =
|
||||
{
|
||||
enable = true;
|
||||
peers = [ "vps6" ];
|
||||
publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
|
||||
wireguardIp = "192.168.83.2";
|
||||
externalIp = "95.111.228.40";
|
||||
};
|
||||
};
|
||||
};
|
||||
nas =
|
||||
@ -415,7 +436,13 @@
|
||||
stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; };
|
||||
};
|
||||
nginx = { enable = true; applications.webdav.instances."local.webdav.chn.moe" = {}; };
|
||||
wireguard = { enable = true; peers = [ "vps6" ]; };
|
||||
wireguard =
|
||||
{
|
||||
enable = true;
|
||||
peers = [ "vps6" ];
|
||||
publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
|
||||
wireguardIp = "192.168.83.4";
|
||||
};
|
||||
};
|
||||
users.users = [ "chn" "xll" "zem" "yjq" "yxy" ];
|
||||
};
|
||||
@ -558,7 +585,13 @@
|
||||
acme = { enable = true; cert."debug.mirism.one" = {}; };
|
||||
smartd.enable = true;
|
||||
beesd = { enable = true; instances.root = { device = "/nix/persistent"; hashTableSizeMB = 2048; }; };
|
||||
wireguard = { enable = true; peers = [ "vps6" ]; };
|
||||
wireguard =
|
||||
{
|
||||
enable = true;
|
||||
peers = [ "vps6" ];
|
||||
publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
|
||||
wireguardIp = "192.168.83.5";
|
||||
};
|
||||
};
|
||||
bugs = [ "xmunet" "firefox" ];
|
||||
};
|
||||
|
@ -4,36 +4,11 @@ inputs:
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
peers = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; default = []; };
|
||||
_peer = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
publicKey = mkOption { type = types.nonEmptyStr; };
|
||||
wireguardIp = mkOption { type = types.nonEmptyStr; };
|
||||
externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
lighthouse = mkOption { type = types.bool; default = false; };
|
||||
};});
|
||||
readOnly = true;
|
||||
default = # wg genkey | wg pubkey
|
||||
{
|
||||
vps6 =
|
||||
{
|
||||
publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
|
||||
wireguardIp = "192.168.83.1";
|
||||
externalIp = "74.211.99.69";
|
||||
lighthouse = true;
|
||||
};
|
||||
vps7 =
|
||||
{
|
||||
publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
|
||||
wireguardIp = "192.168.83.2";
|
||||
externalIp = "95.111.228.40";
|
||||
};
|
||||
pc = { publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw="; wireguardIp = "192.168.83.3"; };
|
||||
nas = { publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY="; wireguardIp = "192.168.83.4"; };
|
||||
xmupc1 = { publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk="; wireguardIp = "192.168.83.5"; };
|
||||
};
|
||||
};
|
||||
# wg genkey | wg pubkey
|
||||
publicKey = mkOption { type = types.nonEmptyStr; };
|
||||
wireguardIp = mkOption { type = types.nonEmptyStr; };
|
||||
externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
lighthouse = mkOption { type = types.bool; default = false; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
@ -44,7 +19,6 @@ inputs:
|
||||
{
|
||||
networking =
|
||||
let
|
||||
self = wireguard._peer.${inputs.config.nixos.system.networking.hostname};
|
||||
# if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
|
||||
port = 51820 + (if inputs.config.nixos.services.xrayClient.enable then 1 else 0);
|
||||
in
|
||||
@ -52,7 +26,7 @@ inputs:
|
||||
firewall = { allowedUDPPorts = [ port ]; trustedInterfaces = [ "wireguard" ]; };
|
||||
wireguard.interfaces.wireguard =
|
||||
{
|
||||
ips = [ "${self.wireguardIp}/24" ];
|
||||
ips = [ "${wireguard.wireguardIp}/24" ];
|
||||
listenPort = port;
|
||||
privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
|
||||
peers = map
|
||||
@ -63,7 +37,9 @@ inputs:
|
||||
endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820";
|
||||
persistentKeepalive = 3;
|
||||
})
|
||||
(map (peer: wireguard._peer.${peer}) wireguard.peers);
|
||||
(map
|
||||
(peer: inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard)
|
||||
wireguard.peers);
|
||||
};
|
||||
};
|
||||
sops.secrets."wireguard/privateKey" = {};
|
||||
|
Loading…
Reference in New Issue
Block a user