sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(wireguard): qr generation finished

Browse source
This commit is contained in:
oddlama 2023-04-15 16:29:37 +02:00
parent d5f2880457
commit 1630e37afd
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
5 changed files with 47 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

1
hosts/ward/net.nix
View file

@ -25,6 +25,7 @@
extra.wireguard.vms = {
server = {
enable = true;
host = "ward";
port = 51822;
openFirewall = true;
externalPeers = {

1
hosts/zackbiene/net.nix
View file

@ -21,6 +21,7 @@
extra.wireguard.vms = {
server = {
enable = true;
host = "vms";
port = 51822;
openFirewall = true;
externalPeers = {

19
modules/wireguard.nix
View file

@ -93,17 +93,19 @@
if wgCfg.server.enable
then
# Always include all other server nodes.
map (serverNode: {
map (serverNode: let
snCfg = wgCfgOf serverNode;
in {
wireguardPeerConfig = {
PublicKey = builtins.readFile (peerPublicKeyPath serverNode);
PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName serverNode}.path;
# The allowed ips of a server node are it's own addreses,
# plus each external peer's addresses,
# plus each client's addresses that is connected via this node.
# plus each client's addresses that is connected via that node.
AllowedIPs =
(wgCfgOf serverNode).addresses
++ attrValues (wgCfgOf serverNode).server.externalPeers
++ map (n: (wgCfgOf n).addresses) ourClientNodes;
snCfg.addresses
++ attrValues snCfg.server.externalPeers; # TODO ++ map (n: (wgCfgOf n).addresses) snCfg.ourClientNodes;
Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
};
}) (filterSelf associatedServerNodes)
# All our external peers
@ -155,10 +157,15 @@ in {
server = {
enable = mkEnableOption (mdDoc "wireguard server");
host = mkOption {
type = types.str;
description = mdDoc "The hostname or ip address which other peers can use to reach this host.";
};
port = mkOption {
default = 51820;
type = types.port;
description = mdDoc "The port to listen on, if {option}`listen` is `true`.";
description = mdDoc "The port to listen on.";
};
openFirewall = mkOption {

27
nix/apps/show-wireguard-qr.nix
View file

@ -12,8 +12,6 @@
unique
;
inherit (self.extraLib) rageDecryptArgs;
nodeNames = attrNames self.nodes;
wireguardNetworks = unique (concatMap (n: attrNames self.nodes.${n}.config.extra.wireguard) nodeNames);
@ -39,27 +37,8 @@ in
serverNode=$(${pkgs.jq}/bin/jq -r .serverNode <<< "$json_sel")
peer=$(${pkgs.jq}/bin/jq -r .peer <<< "$json_sel")
serverPubkey=$(nix eval --raw ".#extraLib" \
--apply 'extraLib: builtins.readFile ((extraLib.wireguard "'"$wgName"'").peerPublicKeyPath "'"$serverNode"'")')
privKeyPath=$(nix eval --raw ".#extraLib" \
--apply 'extraLib: (extraLib.wireguard "'"$wgName"'").peerPrivateKeyPath "'"$peer"'"')
serverPskPath=$(nix eval --raw ".#extraLib" \
--apply 'extraLib: (extraLib.wireguard "'"$wgName"'").peerPresharedKeyPath "'"$serverNode"'" "'"$peer"'"')
createConfigScript=$(nix build --no-link --print-out-paths --impure --show-trace --expr \
'let flk = builtins.getFlake "${../../.}"; in (flk.extraLib.wireguard "'"$wgName"'").wgQuickConfigScript "${pkgs.system}" "'"$serverNode"'" "'"$peer"'"')
privKey=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} "$privKeyPath") \
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
serverPsk=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} "$serverPskPath") \
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
cat <<EOF | tee /dev/tty | ${pkgs.qrencode}/bin/qrencode -t ansiutf8
[Interface]
Address =
PrivateKey = $privKey
[Peer]
PublicKey = $serverPubkey
PresharedKey = $serverPsk
AllowedIPs =
Endpoint =
EOF
"$createConfigScript" | tee /dev/tty | ${pkgs.qrencode}/bin/qrencode -t ansiutf8
''

29
nix/lib.nix
View file

@ -9,6 +9,7 @@
attrValues
concatMap
concatMapStrings
concatStringsSep
escapeShellArg
filter
flatten
@ -18,6 +19,7 @@
mergeAttrs
nameValuePair
partition
removeSuffix
substring
unique
;
@ -123,5 +125,32 @@ in rec {
usedAddresses =
concatMap (n: self.nodes.${n}.config.extra.wireguard.${wgName}.addresses) associatedNodes
++ flatten (concatMap (n: attrValues self.nodes.${n}.config.extra.wireguard.${wgName}.server.externalPeers) associatedNodes);
# Creates a script that when executed outputs a wg-quick compatible configuration
# file for use with external peers. This is a script so we can access secrets without
# storing them in the nix-store.
wgQuickConfigScript = system: serverNode: extPeer: let
pkgs = self.pkgs.${system};
snCfg = self.nodes.${serverNode}.config.extra.wireguard.${wgName};
peerName = externalPeerName extPeer;
in
pkgs.writeShellScript "create-wg-conf-${wgName}-${serverNode}-${extPeer}" ''
privKey=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} ${escapeShellArg (peerPrivateKeyPath peerName)}) \
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
serverPsk=$(${pkgs.rage}/bin/rage -d ${rageDecryptArgs} ${escapeShellArg (peerPresharedKeyPath serverNode peerName)}) \
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
cat <<EOF
[Interface]
Address = ${concatStringsSep ", " snCfg.server.externalPeers.${extPeer}}
PrivateKey = $privKey
[Peer]
PublicKey = ${removeSuffix "\n" (builtins.readFile (peerPublicKeyPath serverNode))}
PresharedKey = $serverPsk
AllowedIPs = ${concatStringsSep ", " snCfg.addresses}
Endpoint = ${snCfg.server.host}:${toString snCfg.server.port}
EOF
'';
};
}