Passer wgautomesh en prod #9
4 changed files with 18 additions and 2 deletions
|
@ -34,7 +34,7 @@
|
|||
site_name = "corrin";
|
||||
publicKey = "m9rLf+233X1VColmeVrM/xfDGro5W6Gk5N0zqcf32WY=";
|
||||
IP = "10.14.3.1";
|
||||
endpoint = "82.120.233.78:33721";
|
||||
#endpoint = "82.120.233.78:33721";
|
||||
}
|
||||
{
|
||||
hostname = "df-pw5";
|
||||
|
|
|
@ -9,6 +9,9 @@ copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
|
|||
|
||||
if [ "$CLUSTER" = "staging" ]; then
|
||||
copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
|
||||
|
||||
cmd mkdir -p /var/lib/wgautomesh
|
||||
write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
|
||||
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
|
||||
fi
|
||||
|
||||
|
|
|
@ -249,6 +249,7 @@ in
|
|||
enable = true;
|
||||
interface = "wg0";
|
||||
gossipPort = 1666;
|
||||
gossipSecretFile = "/var/lib/wgautomesh/gossip_secret";
|
||||
upnpForwardPublicPort =
|
||||
let
|
||||
us = filter ({ hostname, ...}: hostname == config.networking.hostName) cfg.cluster_nodes;
|
||||
|
|
|
@ -23,6 +23,10 @@ in
|
|||
type = types.port;
|
||||
description = "wgautomesh gossip port";
|
||||
};
|
||||
gossipSecretFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
description = "File containing the gossip secret encryption key";
|
||||
};
|
||||
lanDiscovery = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
|
@ -72,13 +76,16 @@ in
|
|||
${endpointDef}
|
||||
'') cfg.peers;
|
||||
extraDefs = (if cfg.lanDiscovery then ["lan_discovery = true"] else [])
|
||||
++ (if (cfg.gossipSecretFile != null)
|
||||
then [''gossip_secret_file = "${cfg.gossipSecretFile}"''] else [])
|
||||
++ (if (cfg.upnpForwardPublicPort != null)
|
||||
then [''upnp_forward_external_port = ${toString cfg.upnpForwardPublicPort}''] else []);
|
||||
configfile = pkgs.writeText "wgautomesh.toml" ''
|
||||
interface = "${cfg.interface}"
|
||||
gossip_port = ${toString cfg.gossipPort}
|
||||
${concatStringsSep "\n" extraDefs}
|
||||
|
||||
${concatStringsSep "\n" (extraDefs ++ peerDefs)}
|
||||
${concatStringsSep "\n" peerDefs}
|
||||
'';
|
||||
in {
|
||||
systemd.services.wgautomesh = {
|
||||
|
@ -95,7 +102,12 @@ in
|
|||
Restart = "always";
|
||||
RestartSec = "30";
|
||||
|
||||
ExecStartPre = [ "+${pkgs.coreutils}/bin/chown wgautomesh /var/lib/wgautomesh/gossip_secret" ];
|
||||
|
||||
DynamicUser = true;
|
||||
User = "wgautomesh";
|
||||
StateDirectory = "wgautomesh";
|
||||
StateDirectoryMode = "0700";
|
||||
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue