From 1630e37afdc99d0ef0cec89ec0ec098e980250f2 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sat, 15 Apr 2023 16:29:37 +0200
Subject: [PATCH] feat(wireguard): qr generation finished

---
hosts/ward/net.nix | 1 +
hosts/zackbiene/net.nix | 1 +
modules/wireguard.nix | 19 +++++++++++++------
nix/apps/show-wireguard-qr.nix | 27 +++------------------------
nix/lib.nix | 29 +++++++++++++++++++++++++++++
5 files changed, 47 insertions(+), 30 deletions(-)

diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 5cfc490..c024612 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -25,6 +25,7 @@
extra.wireguard.vms = {
server = {
enable = true;
+ host = "ward";
port = 51822;
openFirewall = true;
externalPeers = {
diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix
index d2b2ed5..a20477e 100644
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@@ -21,6 +21,7 @@
extra.wireguard.vms = {
server = {
enable = true;
+ host = "vms";
port = 51822;
openFirewall = true;
externalPeers = {
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 5d41870..a3d9aa8 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
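Review bot: `host = "vms"` on zackbiene does not look like a name other peers can resolve to this machine, while the parallel ward hunk sets its own hostname `host = "ward"`; the option is documented as the name or address other peers use to reach this host and is spliced verbatim into their `Endpoint`, so if `vms` is not a DNS name for zackbiene the other server nodes will dial the wrong endpoint. If it is a deliberate alias, a comment would save the next reader the same question: `host = "vms"; # DNS alias for zackbiene's public address`. The enclosing `extra.wireguard.vms` attribute set starts before and continues after the hunk.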
@@ -93,17 +93,19 @@ if wgCfg.server.enable then # Always include all other server nodes. - map (serverNode: { + map (serverNode: let + snCfg = wgCfgOf serverNode; + in { wireguardPeerConfig = { PublicKey = builtins.readFile (peerPublicKeyPath serverNode); PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName serverNode}.path; # The allowed ips of a server node are it's own addreses, # plus each external peer's addresses, - # plus each client's addresses that is connected via this node. + # plus each client's addresses that is connected via that node. AllowedIPs = - (wgCfgOf serverNode).addresses - ++ attrValues (wgCfgOf serverNode).server.externalPeers - ++ map (n: (wgCfgOf n).addresses) ourClientNodes; + snCfg.addresses + ++ attrValues snCfg.server.externalPeers; # TODO ++ map (n: (wgCfgOf n).addresses) snCfg.ourClientNodes; + Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}"; }; }) (filterSelf associatedServerNodes) # All our external peers @@ -155,10 +157,15 @@ in { server = { enable = mkEnableOption (mdDoc "wireguard server"); + host = mkOption { + type = types.str; + description = mdDoc "The hostname or ip address which other peers can use to reach this host."; + }; + port = mkOption { default = 51820; type = types.port; - description = mdDoc "The port to listen on, if {option}`listen` is `true`."; + description = mdDoc "The port to listen on."; }; openFirewall = mkOption { diff --git a/nix/apps/show-wireguard-qr.nix b/nix/apps/show-wireguard-qr.nix index eefd563..5d906fc 100644 --- a/nix/apps/show-wireguard-qr.nix +++ b/nix/apps/show-wireguard-qr.nix @@ -12,8 +12,6 @@ unique ; - inherit (self.extraLib) rageDecryptArgs; - nodeNames = attrNames self.nodes; wireguardNetworks = unique (concatMap (n: attrNames self.nodes.${n}.config.extra.wireguard) nodeNames); 
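Review bot: The new `Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";` yields an invalid endpoint whenever `server.host` is an IPv6 literal, because `host` is a plain `types.str` documented as a hostname or IP address and WireGuard expects IPv6 endpoints in `[addr]:port` form; `Endpoint = "${if lib.hasInfix ":" snCfg.server.host then "[${snCfg.server.host}]" else snCfg.server.host}:${toString snCfg.server.port}";` handles both, assuming `lib` is in scope in this module as it is for `mkOption` further down. Separately, commenting out `++ map (n: (wgCfgOf n).addresses) snCfg.ourClientNodes` as a TODO drops every client that is connected via another server node from that node's AllowedIPs, so those clients are unreachable from here until it is restored; since AllowedIPs is also WireGuard's cryptokey-routing allow-list this fails closed rather than exposing traffic, but the regression deserves a mention in the commit message or in the TODO itself. The `if wgCfg.server.enable then` expression this hunk sits in begins before the hunk and continues after it.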
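Review bot: `host` is declared without a `default`, so every node with `server.enable = true` now fails evaluation until it sets `host`, and the description says neither that nor what the value is used for. Suggest `description = mdDoc "The hostname or IP address other peers use as this node's WireGuard endpoint. Required when server.enable is set.";` plus an `example = "vpn.example.org";` so the option documents itself. Whichever way IPv6 literals end up being handled, the description should also state the accepted form, since the value is spliced verbatim into the peers' `Endpoint`. The `server` option set this hunk edits starts before and continues after the hunk.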
@@ -39,27 +37,8 @@ in serverNode=$(${pkgs.jq}/bin/jq -r .serverNode <<< "$json_sel") peer=$(${pkgs.jq}/bin/jq -r .peer <<< "$json_sel") - serverPubkey=$(nix eval --raw ".#extraLib" \ - --apply 'extraLib: builtins.readFile ((extraLib.wireguard "'"$wgName"'").peerPublicKeyPath "'"$serverNode"'")') - privKeyPath=$(nix eval --raw ".#extraLib" \ - --apply 'extraLib: (extraLib.wireguard "'"$wgName"'").peerPrivateKeyPath "'"$peer"'"') - serverPskPath=$(nix eval --raw ".#extraLib" \ - --apply 'extraLib: (extraLib.wireguard "'"$wgName"'").peerPresharedKeyPath "'"$serverNode"'" "'"$peer"'"') + createConfigScript=$(nix build --no-link --print-out-paths --impure --show-trace --expr \ + 'let flk = builtins.getFlake "${../../.}"; in (flk.extraLib.wireguard "'"$wgName"'").wgQuickConfigScript "${pkgs.system}" "'"$serverNode"'" "'"$peer"'"') - privKey=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} "$privKeyPath") \ - || { echo "error: Failed to decrypt!" >&2; exit 1; } - serverPsk=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} "$serverPskPath") \ - || { echo "error: Failed to decrypt!" >&2; exit 1; } - - cat <&2; exit 1; } + serverPsk=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} ${escapeShellArg (peerPresharedKeyPath serverNode peerName)}) \ + || { echo "error: Failed to decrypt!" >&2; exit 1; } + + cat <