fix: move PersistentKeepalive from server to client in case the ip address changes

2025-10-11 07:10:39 +02:00 · 2023-06-01 01:24:03 +02:00 · 2023-06-01 01:24:03 +02:00 · c1fe238c75
commit c1fe238c75
parent 836dfa9fea
2 changed files with 19 additions and 18 deletions
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -213,15 +213,11 @@
          ++ map (clientNode: let
            clientCfg = wgCfgOf clientNode;
          in {
-            wireguardPeerConfig =
+            wireguardPeerConfig = {
-              {
+              PublicKey = builtins.readFile (peerPublicKeyPath clientNode);
-                PublicKey = builtins.readFile (peerPublicKeyPath clientNode);
+              PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
-                PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
+              AllowedIPs = map (net.cidr.make 128) clientCfg.addresses;
-                AllowedIPs = map (net.cidr.make 128) clientCfg.addresses;
+            };
              }
              // optionalAttrs clientCfg.client.keepalive {
                PersistentKeepalive = 25;
              };
          })
          ourClientNodes
        else
@ -230,15 +226,19 @@
            {
              wireguardPeerConfig = let
                snCfg = wgCfgOf wgCfg.client.via;
-              in {
+              in
-                PublicKey = builtins.readFile (peerPublicKeyPath wgCfg.client.via);
+                {
-                PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
+                  PublicKey = builtins.readFile (peerPublicKeyPath wgCfg.client.via);
-                Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
+                  PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
-                # Access to the whole network is routed through our entry node.
+                  Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
-                # TODO this should add any routedAddresses on ANY server in the network, right?
+                  # Access to the whole network is routed through our entry node.
-                # if A entries via B and only C can route 0.0.0.0/0, does that work?
+                  # TODO this should add any routedAddresses on ANY server in the network, right?
-                AllowedIPs = networkCidrs;
+                  # if A entries via B and only C can route 0.0.0.0/0, does that work?
-              };
+                  AllowedIPs = networkCidrs;
                }
                // optionalAttrs wgCfg.client.keepalive {
                  PersistentKeepalive = 25;
                };
            }
          ];
    };
--- a/nix/lib.nix
+++ b/nix/lib.nix
@ -368,6 +368,7 @@ in rec {
        PresharedKey = $serverPsk
        AllowedIPs = ${concatStringsSep ", " networkCidrs}
        Endpoint = ${snCfg.server.host}:${toString snCfg.server.port}
        PersistentKeepalive = 25
        EOF
      '';
  };