
feat(wireguard): qr generation finished

This commit is contained in:
oddlama 2023-04-15 16:29:37 +02:00
parent d5f2880457
commit 1630e37afd
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
5 changed files with 47 additions and 30 deletions


@ -25,6 +25,7 @@
extra.wireguard.vms = { extra.wireguard.vms = {
server = { server = {
enable = true; enable = true;
host = "ward";
port = 51822; port = 51822;
openFirewall = true; openFirewall = true;
externalPeers = { externalPeers = {


@ -21,6 +21,7 @@
extra.wireguard.vms = { extra.wireguard.vms = {
server = { server = {
enable = true; enable = true;
host = "vms";
port = 51822; port = 51822;
openFirewall = true; openFirewall = true;
externalPeers = { externalPeers = {


@ -93,17 +93,19 @@
if wgCfg.server.enable if wgCfg.server.enable
then then
# Always include all other server nodes. # Always include all other server nodes.
map (serverNode: { map (serverNode: let
snCfg = wgCfgOf serverNode;
in {
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = builtins.readFile (peerPublicKeyPath serverNode); PublicKey = builtins.readFile (peerPublicKeyPath serverNode);
PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName serverNode}.path; PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName serverNode}.path;
# The allowed ips of a server node are it's own addreses, # The allowed ips of a server node are it's own addreses,
# plus each external peer's addresses, # plus each external peer's addresses,
# plus each client's addresses that is connected via this node. # plus each client's addresses that is connected via that node.
AllowedIPs = AllowedIPs =
(wgCfgOf serverNode).addresses snCfg.addresses
++ attrValues (wgCfgOf serverNode).server.externalPeers ++ attrValues snCfg.server.externalPeers; # TODO ++ map (n: (wgCfgOf n).addresses) snCfg.ourClientNodes;
++ map (n: (wgCfgOf n).addresses) ourClientNodes; Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
}; };
}) (filterSelf associatedServerNodes) }) (filterSelf associatedServerNodes)
# All our external peers # All our external peers
@ -155,10 +157,15 @@ in {
server = { server = {
enable = mkEnableOption (mdDoc "wireguard server"); enable = mkEnableOption (mdDoc "wireguard server");
host = mkOption {
type = types.str;
description = mdDoc "The hostname or ip address which other peers can use to reach this host.";
};
port = mkOption { port = mkOption {
default = 51820; default = 51820;
type = types.port; type = types.port;
description = mdDoc "The port to listen on, if {option}`listen` is `true`."; description = mdDoc "The port to listen on.";
}; };
openFirewall = mkOption { openFirewall = mkOption {
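Review bot: The new-side comment "plus each client's addresses that is connected via that node" no longer matches the AllowedIPs expression beneath it, which now contains only `snCfg.addresses` and the external peers while the client-node term is parked behind `# TODO`; until `ourClientNodes` is resolved per server node the comment should say so, e.g. `# TODO: plus each client's addresses connected via that node (not yet included, see below).` Separately, and this predates the commit, `attrValues snCfg.server.externalPeers` looks like it yields a list of address lists (the same attribute is wrapped in `flatten` in the usedAddresses hunk further down this page), so the list handed to AllowedIPs may need flattening — worth confirming against the option type. The new `host` option has no default, so every node that enables the server side must now set it or evaluation fails; its description could mention that the value is embedded into generated peer configs as the Endpoint. The `map` expression is inside the hunk, but the enclosing `if` chain continues past it.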


@ -12,8 +12,6 @@
unique unique
; ;
inherit (self.extraLib) rageDecryptArgs;
nodeNames = attrNames self.nodes; nodeNames = attrNames self.nodes;
wireguardNetworks = unique (concatMap (n: attrNames self.nodes.${n}.config.extra.wireguard) nodeNames); wireguardNetworks = unique (concatMap (n: attrNames self.nodes.${n}.config.extra.wireguard) nodeNames);
@ -39,27 +37,8 @@ in
serverNode=$(${pkgs.jq}/bin/jq -r .serverNode <<< "$json_sel") serverNode=$(${pkgs.jq}/bin/jq -r .serverNode <<< "$json_sel")
peer=$(${pkgs.jq}/bin/jq -r .peer <<< "$json_sel") peer=$(${pkgs.jq}/bin/jq -r .peer <<< "$json_sel")
serverPubkey=$(nix eval --raw ".#extraLib" \ createConfigScript=$(nix build --no-link --print-out-paths --impure --show-trace --expr \
--apply 'extraLib: builtins.readFile ((extraLib.wireguard "'"$wgName"'").peerPublicKeyPath "'"$serverNode"'")') 'let flk = builtins.getFlake "${../../.}"; in (flk.extraLib.wireguard "'"$wgName"'").wgQuickConfigScript "${pkgs.system}" "'"$serverNode"'" "'"$peer"'"')
privKeyPath=$(nix eval --raw ".#extraLib" \
--apply 'extraLib: (extraLib.wireguard "'"$wgName"'").peerPrivateKeyPath "'"$peer"'"')
serverPskPath=$(nix eval --raw ".#extraLib" \
--apply 'extraLib: (extraLib.wireguard "'"$wgName"'").peerPresharedKeyPath "'"$serverNode"'" "'"$peer"'"')
privKey=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} "$privKeyPath") \ "$createConfigScript" | tee /dev/tty | ${pkgs.qrencode}/bin/qrencode -t ansiutf8
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
serverPsk=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} "$serverPskPath") \
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
cat <<EOF | tee /dev/tty | ${pkgs.qrencode}/bin/qrencode -t ansiutf8
[Interface]
Address =
PrivateKey = $privKey
[Peer]
PublicKey = $serverPubkey
PresharedKey = $serverPsk
AllowedIPs =
Endpoint =
EOF
'' ''
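Review bot: `createConfigScript=$(nix build …)` on the new side has no failure handling, unlike the decrypt calls it replaces: if the build fails the variable is empty and `"$createConfigScript" | tee /dev/tty | …` attempts to run an empty command, and whether that aborts depends on a `set -e` that is not visible in the hunk. Add the guard the old code used, `|| { echo "error: Failed to build config script!" >&2; exit 1; }`, on the `nix build` line. Note also that `tee /dev/tty` still prints the generated config — including the decrypted private key and preshared key — to the terminal in plain text; that was already the case before this commit, but a comment stating it is deliberate (`# config incl. secrets is echoed to the tty on purpose so it can be copied`) would stop the next reader from treating it as an oversight.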


@ -9,6 +9,7 @@
attrValues attrValues
concatMap concatMap
concatMapStrings concatMapStrings
concatStringsSep
escapeShellArg escapeShellArg
filter filter
flatten flatten
@ -18,6 +19,7 @@
mergeAttrs mergeAttrs
nameValuePair nameValuePair
partition partition
removeSuffix
substring substring
unique unique
; ;
@ -123,5 +125,32 @@ in rec {
usedAddresses = usedAddresses =
concatMap (n: self.nodes.${n}.config.extra.wireguard.${wgName}.addresses) associatedNodes concatMap (n: self.nodes.${n}.config.extra.wireguard.${wgName}.addresses) associatedNodes
++ flatten (concatMap (n: attrValues self.nodes.${n}.config.extra.wireguard.${wgName}.server.externalPeers) associatedNodes); ++ flatten (concatMap (n: attrValues self.nodes.${n}.config.extra.wireguard.${wgName}.server.externalPeers) associatedNodes);
# Creates a script that when executed outputs a wg-quick compatible configuration
# file for use with external peers. This is a script so we can access secrets without
# storing them in the nix-store.
wgQuickConfigScript = system: serverNode: extPeer: let
pkgs = self.pkgs.${system};
snCfg = self.nodes.${serverNode}.config.extra.wireguard.${wgName};
peerName = externalPeerName extPeer;
in
pkgs.writeShellScript "create-wg-conf-${wgName}-${serverNode}-${extPeer}" ''
privKey=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} ${escapeShellArg (peerPrivateKeyPath peerName)}) \
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
serverPsk=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} ${escapeShellArg (peerPresharedKeyPath serverNode peerName)}) \
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
cat <<EOF
[Interface]
Address = ${concatStringsSep ", " snCfg.server.externalPeers.${extPeer}}
PrivateKey = $privKey
[Peer]
PublicKey = ${removeSuffix "\n" (builtins.readFile (peerPublicKeyPath serverNode))}
PresharedKey = $serverPsk
AllowedIPs = ${concatStringsSep ", " snCfg.addresses}
Endpoint = ${snCfg.server.host}:${toString snCfg.server.port}
EOF
'';
}; };
} }
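Review bot: wgQuickConfigScript embeds only `snCfg.addresses` into the external peer's `AllowedIPs`, so the generated config routes just the server node's own addresses and not the other external peers or client nodes behind it; if that scope is intended, state it in the header comment, e.g. `# The generated config only routes traffic to the server node's own addresses.` The function also indexes `snCfg.server.externalPeers.${extPeer}` without checking the key exists, so a mistyped peer name surfaces as a generic missing-attribute error rather than one naming the peer; a binding such as `extPeerAddrs = snCfg.server.externalPeers.${extPeer} or (throw "unknown external peer ${extPeer} on ${serverNode}");` in the `let` would give a clearer failure. The decrypted keys only ever appear as runtime shell variables in the script, which matches the header's intent of keeping secrets out of the store. The enclosing `rec` attribute set begins outside the hunk.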