chore: update to new agenix-rekey format

This commit is contained in:
oddlama 2023-06-07 19:48:15 +02:00
parent 972b0456da
commit dec790c589
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
21 changed files with 195 additions and 100 deletions


@ -58,7 +58,7 @@ in {
# SSL config
sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
sslDhparam = config.rekey.secrets."dhparams.pem".path;
sslDhparam = config.age.secrets."dhparams.pem".path;
commonHttpConfig = ''
error_log syslog:server=unix:/dev/log;
access_log syslog:server=unix:/dev/log;


@ -152,19 +152,21 @@
(genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}))
);
rekey.secrets =
age.secrets =
concatAttrs (map
(other: {
${peerPresharedKeySecret nodeName other} = {
file = peerPresharedKeyPath nodeName other;
rekeyFile = peerPresharedKeyPath nodeName other;
owner = "systemd-network";
# TODO gen func
};
})
neededPeers)
// {
${peerPrivateKeySecret nodeName} = {
file = peerPrivateKeyPath nodeName;
rekeyFile = peerPrivateKeyPath nodeName;
owner = "systemd-network";
# TODO gen func
};
};
@ -176,7 +178,7 @@
};
wireguardConfig =
{
PrivateKeyFile = config.rekey.secrets.${peerPrivateKeySecret nodeName}.path;
PrivateKeyFile = config.age.secrets.${peerPrivateKeySecret nodeName}.path;
}
// optionalAttrs isServer {
ListenPort = wgCfg.server.port;
@ -190,7 +192,7 @@
in {
wireguardPeerConfig = {
PublicKey = builtins.readFile (peerPublicKeyPath serverNode);
PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName serverNode}.path;
PresharedKeyFile = config.age.secrets.${peerPresharedKeySecret nodeName serverNode}.path;
AllowedIPs = serverAllowedIPs serverNode;
Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
};
@ -202,7 +204,7 @@
in {
wireguardPeerConfig = {
PublicKey = builtins.readFile (peerPublicKeyPath peerName);
PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName peerName}.path;
PresharedKeyFile = config.age.secrets.${peerPresharedKeySecret nodeName peerName}.path;
AllowedIPs = map (net.cidr.make 128) ips;
# Connections to external peers should always be kept alive
PersistentKeepalive = 25;
@ -215,7 +217,7 @@
in {
wireguardPeerConfig = {
PublicKey = builtins.readFile (peerPublicKeyPath clientNode);
PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
PresharedKeyFile = config.age.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
AllowedIPs = map (net.cidr.make 128) clientCfg.addresses;
};
})
@ -229,7 +231,7 @@
in
{
PublicKey = builtins.readFile (peerPublicKeyPath wgCfg.client.via);
PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
PresharedKeyFile = config.age.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
# Access to the whole network is routed through our entry node.
# TODO this should add any routedAddresses on ANY server in the network, right?
@ -414,6 +416,6 @@ in {
};
config = mkIf (cfg != {}) (mergeToplevelConfigs
["assertions" "rekey" "networking" "systemd"]
["assertions" "age" "networking" "systemd"]
(mapAttrsToList configForNetwork cfg));
}