From 86b98732212661c4398c21d1be689d8a1a5b5263 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Sat, 26 Feb 2022 00:13:08 +0100
Subject: [PATCH] Wireguard directly using LAN addresses when possible

---
 cluster/staging/cluster.nix | 7 +++++++
 nix/deuxfleurs.nix | 15 +++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index 2b6cb6c..79fb3fb 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -5,27 +5,34 @@
 deuxfleurs.cluster_nodes = [
 {
 hostname = "spoutnik";
+ site_name = "pluton";
 publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg=";
 IP = "10.42.2.2";
 endpoint = "77.141.67.109:42136";
 }
 {
 hostname = "cariacou";
+ site_name = "neptune";
 publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA=";
 IP = "10.42.2.21";
 endpoint = "82.66.112.151:33721";
+ lan_endpoint = "192.168.1.21:33721";
 }
 {
 hostname = "carcajou";
+ site_name = "neptune";
 publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
 IP = "10.42.2.22";
 endpoint = "82.66.112.151:33722";
+ lan_endpoint = "192.168.1.22:33722";
 }
 {
 hostname = "caribou";
+ site_name = "neptune";
 publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY=";
 IP = "10.42.2.23";
 endpoint = "82.66.112.151:33723";
+ lan_endpoint = "192.168.1.23:33723";
 }
 ];
 deuxfleurs.admin_nodes = [
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index fc39071..a860a36 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -13,6 +13,11 @@ in
 type = str;
 description = "Host name";
 };
+ site_name = mkOption {
+ type = nullOr str;
+ description = "Site where the node is located";
+ default = null;
+ };
 IP = mkOption {
 type = str;
 description = "IP Address";
@@ -25,6 +30,11 @@ in
 type = nullOr str;
 description = "Wireguard endpoint on the public Internet";
 };
+ lan_endpoint = mkOption {
+ type = nullOr str;
+ description = "Wireguard endpoint for nodes in the same site";
+ default = null;
+ };
 };
 };
 in
@@ -115,10 +125,11 @@ in
 ips = [ "${cfg.vpn_ip}/16" ];
 listenPort = cfg.vpn_listen_port;
 privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private";
- peers = map ({ publicKey, endpoint, IP, ... }: {
+ peers = map ({ publicKey, endpoint, IP, site_name, lan_endpoint, ... }: {
 publicKey = publicKey;
 allowedIPs = [ "${IP}/32" ];
- endpoint = endpoint;
+ endpoint = if site_name != null && site_name == config.deuxfleurs.site_name && lan_endpoint != null
+ then lan_endpoint else endpoint;
 persistentKeepalive = 25;
 }) (cfg.cluster_nodes ++ cfg.admin_nodes);
 };
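Review bot: Each new `lan_endpoint` repeats the port already given in the node's `endpoint` (`33721`, `33722`, `33723` on the three neptune nodes), so the two values can drift apart on a later edit; a comment on the first neptune node, `# lan_endpoint must carry the same port as endpoint: it is the same WireGuard listener reached over the LAN`, would make that invariant visible. The `site_name` strings are compared verbatim by the peer selection in nix/deuxfleurs.nix, so a spelling variant of "neptune" silently falls back to the public endpoint instead of failing evaluation. Nothing in this file checks that the `192.168.1.x` addresses are reachable from every neptune node; if one is not, that peer presumably only becomes reachable once it initiates a handshake toward the public endpoint.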
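Review bot: The description of `lan_endpoint` does not say when it is used: the peer list in the later hunk selects it only when the peer's `site_name` is non-null, equal to the local node's `config.deuxfleurs.site_name`, and `lan_endpoint` is itself non-null, and uses `endpoint` otherwise. I would write `description = "Wireguard endpoint (host:port) used instead of endpoint by nodes whose site_name equals this node's site_name";`. Nothing ties the two new options together, so a `lan_endpoint` set on a node that leaves `site_name` at its `null` default is silently ignored; a sentence in the description, or an assertion in the module, would surface that. The enclosing `let` binding starts before the hunk.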
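Review bot: The `site_name != null` term in the new `endpoint =` expression is load-bearing and deserves a comment: in Nix `null == null` is true, so without it two nodes that both leave `site_name` at its `null` default would be treated as co-located and a non-null `lan_endpoint` would be preferred. I would add above that line `# site_name != null: null == null holds in Nix, so nodes with no site must keep the public endpoint`. `config.deuxfleurs.site_name` is read here but no option by that name is declared anywhere in this patch; presumably it is declared in the part of the module outside the diff, otherwise evaluation fails on an undefined attribute. Peer authentication still rests on `publicKey` whatever endpoint is chosen, so the cost of a wrong or stale `lan_endpoint` is availability rather than impersonation: the peer is reached only once it initiates a handshake itself, which `persistentKeepalive = 25` on every node should mitigate. The attribute set that `peers` belongs to starts before the hunk.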