fix: move PersistentKeepalive from server to client in case the ip address changes

2023-06-01 01:24:03 +02:00 · 2023-06-01 01:24:03 +02:00 · c1fe238c75
commit c1fe238c75
parent 836dfa9fea
2 changed files with 19 additions and 18 deletions
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -213,15 +213,11 @@
          ++ map (clientNode: let
            clientCfg = wgCfgOf clientNode;
          in {
-            wireguardPeerConfig =
-              {
-                PublicKey = builtins.readFile (peerPublicKeyPath clientNode);
-                PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
-                AllowedIPs = map (net.cidr.make 128) clientCfg.addresses;
-              }
-              // optionalAttrs clientCfg.client.keepalive {
-                PersistentKeepalive = 25;
-              };
+            wireguardPeerConfig = {
+              PublicKey = builtins.readFile (peerPublicKeyPath clientNode);
+              PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
+              AllowedIPs = map (net.cidr.make 128) clientCfg.addresses;
+            };
          })
          ourClientNodes
        else
@ -230,15 +226,19 @@
            {
              wireguardPeerConfig = let
                snCfg = wgCfgOf wgCfg.client.via;
-              in {
-                PublicKey = builtins.readFile (peerPublicKeyPath wgCfg.client.via);
-                PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
-                Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
-                # Access to the whole network is routed through our entry node.
-                # TODO this should add any routedAddresses on ANY server in the network, right?
-                # if A entries via B and only C can route 0.0.0.0/0, does that work?
-                AllowedIPs = networkCidrs;
-              };
+              in
+                {
+                  PublicKey = builtins.readFile (peerPublicKeyPath wgCfg.client.via);
+                  PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
+                  Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
+                  # Access to the whole network is routed through our entry node.
+                  # TODO this should add any routedAddresses on ANY server in the network, right?
+                  # if A entries via B and only C can route 0.0.0.0/0, does that work?
+                  AllowedIPs = networkCidrs;
+                }
+                // optionalAttrs wgCfg.client.keepalive {
+                  PersistentKeepalive = 25;
+                };
            }
          ];
    };