forked from Deuxfleurs/nixcfg
use wgautomesh service definition from my nixpkgs PR
This commit is contained in:
parent
a31c6d109e
commit
2add84963d
3 changed files with 161 additions and 124 deletions
|
@ -7,9 +7,9 @@ copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
|
||||||
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
|
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
|
||||||
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
|
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
|
||||||
|
|
||||||
cmd mkdir -p /var/lib/wgautomesh
|
|
||||||
write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
|
|
||||||
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
|
copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
|
||||||
|
cmd mkdir -p /var/lib/deuxfleurs
|
||||||
|
write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/deuxfleurs/wgautomesh_gossip_secret
|
||||||
|
|
||||||
if [ "$CLUSTER" = "staging" ]; then
|
if [ "$CLUSTER" = "staging" ]; then
|
||||||
copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
|
copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
|
||||||
|
|
|
@ -207,18 +207,19 @@ in
|
||||||
};
|
};
|
||||||
services.wgautomesh = {
|
services.wgautomesh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interface = "wg0";
|
gossipSecretFile = "/var/lib/deuxfleurs/wgautomesh_gossip_secret";
|
||||||
gossipPort = 1666;
|
settings = {
|
||||||
gossipSecretFile = "/var/lib/wgautomesh/gossip_secret";
|
interface = "wg0";
|
||||||
persistFile = "/var/lib/wgautomesh/state";
|
gossip_port = 1666;
|
||||||
upnpForwardPublicPort =
|
upnp_forward_external_port =
|
||||||
if clusterNodeCfg.endpoint != null then
|
if clusterNodeCfg.endpoint != null then
|
||||||
strings.toInt (lists.last (split ":" clusterNodeCfg.endpoint))
|
strings.toInt (lists.last (split ":" clusterNodeCfg.endpoint))
|
||||||
else null;
|
else null;
|
||||||
peers = attrValues (mapAttrs (hostname: { publicKey, endpoint, address, ... }: {
|
peers = attrValues (mapAttrs (hostname: { publicKey, endpoint, address, ... }: {
|
||||||
inherit address endpoint;
|
inherit address endpoint;
|
||||||
pubkey = publicKey;
|
pubkey = publicKey;
|
||||||
}) cfg.clusterNodes);
|
}) cfg.clusterNodes);
|
||||||
|
};
|
||||||
};
|
};
|
||||||
# Old code for wg-quick, we can use this as a fallback if we fail to make wgautomesh work
|
# Old code for wg-quick, we can use this as a fallback if we fail to make wgautomesh work
|
||||||
# systemd.services."wg-quick-wg0".after = [ "unbound.service" ];
|
# systemd.services."wg-quick-wg0".after = [ "unbound.service" ];
|
||||||
|
|
|
@ -9,121 +9,157 @@ in
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
cfg = config.services.wgautomesh;
|
cfg = config.services.wgautomesh;
|
||||||
|
settingsFormat = pkgs.formats.toml { };
|
||||||
|
configFile =
|
||||||
|
# Have to remove nulls manually as TOML generator will not just skip key
|
||||||
|
# if value is null
|
||||||
|
settingsFormat.generate "wgautomesh-config.toml"
|
||||||
|
(filterAttrs (k: v: v != null)
|
||||||
|
(mapAttrs
|
||||||
|
(k: v:
|
||||||
|
if k == "peers"
|
||||||
|
then map (e: filterAttrs (k: v: v != null) e) v
|
||||||
|
else v)
|
||||||
|
cfg.settings));
|
||||||
|
runtimeConfigFile =
|
||||||
|
if cfg.enableGossipEncryption
|
||||||
|
then "/run/wgautomesh/wgautomesh.toml"
|
||||||
|
else configFile;
|
||||||
in
|
in
|
||||||
with builtins;
|
{
|
||||||
{
|
options.services.wgautomesh = {
|
||||||
options.services.wgautomesh = {
|
enable = mkEnableOption (mdDoc "the wgautomesh daemon");
|
||||||
enable = mkEnableOption "wgautomesh";
|
logLevel = mkOption {
|
||||||
logLevel = mkOption {
|
type = types.enum [ "trace" "debug" "info" "warn" "error" ];
|
||||||
type = types.enum [ "trace" "debug" "info" "warn" "error" ];
|
default = "info";
|
||||||
default = "info";
|
description = mdDoc "wgautomesh log level.";
|
||||||
description = "wgautomesh log level (trace/debug/info/warn/error)";
|
};
|
||||||
};
|
enableGossipEncryption = mkOption {
|
||||||
interface = mkOption {
|
type = types.bool;
|
||||||
type = types.str;
|
default = true;
|
||||||
description = "Wireguard interface to manage";
|
description = mdDoc "Enable encryption of gossip traffic.";
|
||||||
};
|
};
|
||||||
gossipPort = mkOption {
|
gossipSecretFile = mkOption {
|
||||||
type = types.port;
|
type = types.path;
|
||||||
description = "wgautomesh gossip port";
|
description = mdDoc ''
|
||||||
};
|
File containing the shared secret key to use for gossip encryption.
|
||||||
gossipSecretFile = mkOption {
|
Required if `enableGossipEncryption` is set.
|
||||||
type = types.nullOr types.str;
|
'';
|
||||||
description = "File containing the gossip secret encryption key";
|
};
|
||||||
};
|
enablePersistence = mkOption {
|
||||||
persistFile = mkOption {
|
type = types.bool;
|
||||||
type = types.nullOr types.str;
|
default = true;
|
||||||
description = "Path where to persist known peer addresses";
|
description = mdDoc "Enable persistence of Wireguard peer info between restarts.";
|
||||||
};
|
};
|
||||||
lanDiscovery = mkOption {
|
openFirewall = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description = "Enable discovery using LAN broadcast";
|
description = mdDoc "Automatically open gossip port in firewall (recommended).";
|
||||||
};
|
};
|
||||||
openFirewall = mkOption {
|
settings = mkOption {
|
||||||
type = types.bool;
|
type = types.submodule {
|
||||||
default = true;
|
freeformType = settingsFormat.type;
|
||||||
description = "Automatically open gossip port in firewall";
|
options = {
|
||||||
};
|
interface = mkOption {
|
||||||
upnpForwardPublicPort = mkOption {
|
type = types.str;
|
||||||
type = types.nullOr types.port;
|
description = mdDoc ''
|
||||||
default = null;
|
Wireguard interface to manage (it is NOT created by wgautomesh, you
|
||||||
description = "Public port number to try to redirect to this machine using UPnP IGD";
|
should use another NixOS option to create it such as
|
||||||
};
|
`networking.wireguard.interfaces.wg0 = {...};`).
|
||||||
peers = mkOption {
|
'';
|
||||||
type = types.listOf (types.submodule {
|
example = "wg0";
|
||||||
options = {
|
|
||||||
pubkey = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Wireguard public key";
|
|
||||||
};
|
|
||||||
address = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Wireguard peer address";
|
|
||||||
};
|
|
||||||
endpoint = mkOption {
|
|
||||||
type = types.nullOr types.str;
|
|
||||||
description = "bootstrap endpoint";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
});
|
gossip_port = mkOption {
|
||||||
description = "wgautomesh peer list";
|
type = types.port;
|
||||||
|
description = mdDoc ''
|
||||||
|
wgautomesh gossip port, this MUST be the same number on all nodes in
|
||||||
|
the wgautomesh network.
|
||||||
|
'';
|
||||||
|
default = 1666;
|
||||||
|
};
|
||||||
|
lan_discovery = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = mdDoc "Enable discovery of peers on the same LAN using UDP broadcast.";
|
||||||
|
};
|
||||||
|
upnp_forward_external_port = mkOption {
|
||||||
|
type = types.nullOr types.port;
|
||||||
|
default = null;
|
||||||
|
description = mdDoc ''
|
||||||
|
Public port number to try to redirect to this machine's Wireguard
|
||||||
|
daemon using UPnP IGD.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
peers = mkOption {
|
||||||
|
type = types.listOf (types.submodule {
|
||||||
|
options = {
|
||||||
|
pubkey = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = mdDoc "Wireguard public key of this peer.";
|
||||||
|
};
|
||||||
|
address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = mdDoc ''
|
||||||
|
Wireguard address of this peer (a single IP address, multliple
|
||||||
|
addresses or address ranges are not supported).
|
||||||
|
'';
|
||||||
|
example = "10.0.0.42";
|
||||||
|
};
|
||||||
|
endpoint = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
description = mdDoc ''
|
||||||
|
Bootstrap endpoint for connecting to this Wireguard peer if no
|
||||||
|
other address is known or none are working.
|
||||||
|
'';
|
||||||
|
default = null;
|
||||||
|
example = "wgnode.mydomain.example:51820";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
default = [ ];
|
||||||
|
description = mdDoc "wgautomesh peer list.";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
default = { };
|
||||||
|
description = mdDoc "Configuration for wgautomesh.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.wgautomesh.settings = {
|
||||||
|
gossip_secret_file = mkIf cfg.enableGossipEncryption "$CREDENTIALS_DIRECTORY/gossip_secret";
|
||||||
|
persist_file = mkIf cfg.enablePersistence "/var/lib/wgautomesh/state";
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable (
|
systemd.services.wgautomesh = {
|
||||||
let
|
path = [ pkgs.wireguard-tools ];
|
||||||
peerDefs = map (peer:
|
environment = { RUST_LOG = "wgautomesh=${cfg.logLevel}"; };
|
||||||
let endpointDef = if peer.endpoint == null then ""
|
description = "wgautomesh";
|
||||||
else ''endpoint = "${peer.endpoint}"'';
|
serviceConfig = {
|
||||||
in
|
Type = "simple";
|
||||||
''
|
|
||||||
[[peers]]
|
|
||||||
pubkey = "${peer.pubkey}"
|
|
||||||
address = "${peer.address}"
|
|
||||||
${endpointDef}
|
|
||||||
'') cfg.peers;
|
|
||||||
extraDefs = (if cfg.lanDiscovery then ["lan_discovery = true"] else [])
|
|
||||||
++ (if (cfg.gossipSecretFile != null)
|
|
||||||
then [''gossip_secret_file = "${cfg.gossipSecretFile}"''] else [])
|
|
||||||
++ (if (cfg.persistFile != null)
|
|
||||||
then [''persist_file = "${cfg.persistFile}"''] else [])
|
|
||||||
++ (if (cfg.upnpForwardPublicPort != null)
|
|
||||||
then [''upnp_forward_external_port = ${toString cfg.upnpForwardPublicPort}''] else []);
|
|
||||||
configfile = pkgs.writeText "wgautomesh.toml" ''
|
|
||||||
interface = "${cfg.interface}"
|
|
||||||
gossip_port = ${toString cfg.gossipPort}
|
|
||||||
${concatStringsSep "\n" extraDefs}
|
|
||||||
|
|
||||||
${concatStringsSep "\n" peerDefs}
|
ExecStart = "${wgautomesh}/bin/wgautomesh ${runtimeConfigFile}";
|
||||||
'';
|
Restart = "always";
|
||||||
in {
|
RestartSec = "30";
|
||||||
systemd.services.wgautomesh = {
|
LoadCredential = mkIf cfg.enableGossipEncryption [ "gossip_secret:${cfg.gossipSecretFile}" ];
|
||||||
enable = true;
|
|
||||||
path = [ pkgs.wireguard-tools ];
|
|
||||||
environment = {
|
|
||||||
RUST_LOG = "wgautomesh=${cfg.logLevel}";
|
|
||||||
};
|
|
||||||
description = "wgautomesh";
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "simple";
|
|
||||||
|
|
||||||
ExecStart = "${wgautomesh}/bin/wgautomesh ${configfile}";
|
ExecStartPre = mkIf cfg.enableGossipEncryption [
|
||||||
Restart = "always";
|
''${pkgs.envsubst}/bin/envsubst \
|
||||||
RestartSec = "30";
|
-i ${configFile} \
|
||||||
|
-o ${runtimeConfigFile}''
|
||||||
|
];
|
||||||
|
|
||||||
ExecStartPre = [ "+${pkgs.coreutils}/bin/chown wgautomesh /var/lib/wgautomesh/gossip_secret" ];
|
DynamicUser = true;
|
||||||
|
StateDirectory = "wgautomesh";
|
||||||
DynamicUser = true;
|
StateDirectoryMode = "0700";
|
||||||
User = "wgautomesh";
|
RuntimeDirectory = "wgautomesh";
|
||||||
StateDirectory = "wgautomesh";
|
AmbientCapabilities = "CAP_NET_ADMIN";
|
||||||
StateDirectoryMode = "0700";
|
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
||||||
AmbientCapabilities = "CAP_NET_ADMIN";
|
|
||||||
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
|
||||||
};
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
};
|
};
|
||||||
networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ cfg.gossipPort ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
});
|
};
|
||||||
}
|
networking.firewall.allowedUDPPorts =
|
||||||
|
mkIf cfg.openFirewall [ cfg.settings.gossip_port ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue