Wireguard directly using LAN addresses when possible

This commit is contained in:
Alex 2022-02-26 00:13:08 +01:00
parent 0940e0bdfc
commit 86b9873221
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
2 changed files with 20 additions and 2 deletions


@ -5,27 +5,34 @@
deuxfleurs.cluster_nodes = [ deuxfleurs.cluster_nodes = [
{ {
hostname = "spoutnik"; hostname = "spoutnik";
site_name = "pluton";
publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg="; publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg=";
IP = "10.42.2.2"; IP = "10.42.2.2";
endpoint = "77.141.67.109:42136"; endpoint = "77.141.67.109:42136";
} }
{ {
hostname = "cariacou"; hostname = "cariacou";
site_name = "neptune";
publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA="; publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA=";
IP = "10.42.2.21"; IP = "10.42.2.21";
endpoint = "82.66.112.151:33721"; endpoint = "82.66.112.151:33721";
lan_endpoint = "192.168.1.21:33721";
} }
{ {
hostname = "carcajou"; hostname = "carcajou";
site_name = "neptune";
publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk="; publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
IP = "10.42.2.22"; IP = "10.42.2.22";
endpoint = "82.66.112.151:33722"; endpoint = "82.66.112.151:33722";
lan_endpoint = "192.168.1.22:33722";
} }
{ {
hostname = "caribou"; hostname = "caribou";
site_name = "neptune";
publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY="; publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY=";
IP = "10.42.2.23"; IP = "10.42.2.23";
endpoint = "82.66.112.151:33723"; endpoint = "82.66.112.151:33723";
lan_endpoint = "192.168.1.23:33723";
} }
]; ];
deuxfleurs.admin_nodes = [ deuxfleurs.admin_nodes = [


@ -13,6 +13,11 @@ in
type = str; type = str;
description = "Host name"; description = "Host name";
}; };
site_name = mkOption {
type = nullOr str;
description = "Site where the node is located";
default = null;
};
IP = mkOption { IP = mkOption {
type = str; type = str;
description = "IP Address"; description = "IP Address";
@ -25,6 +30,11 @@ in
type = nullOr str; type = nullOr str;
description = "Wireguard endpoint on the public Internet"; description = "Wireguard endpoint on the public Internet";
}; };
lan_endpoint = mkOption {
type = nullOr str;
description = "Wireguard endpoint for nodes in the same site";
default = null;
};
}; };
}; };
in in
@ -115,10 +125,11 @@ in
ips = [ "${cfg.vpn_ip}/16" ]; ips = [ "${cfg.vpn_ip}/16" ];
listenPort = cfg.vpn_listen_port; listenPort = cfg.vpn_listen_port;
privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private"; privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private";
peers = map ({ publicKey, endpoint, IP, ... }: { peers = map ({ publicKey, endpoint, IP, site_name, lan_endpoint, ... }: {
publicKey = publicKey; publicKey = publicKey;
allowedIPs = [ "${IP}/32" ]; allowedIPs = [ "${IP}/32" ];
endpoint = endpoint; endpoint = if site_name != null && site_name == config.deuxfleurs.site_name && lan_endpoint != null
then lan_endpoint else endpoint;
persistentKeepalive = 25; persistentKeepalive = 25;
}) (cfg.cluster_nodes ++ cfg.admin_nodes); }) (cfg.cluster_nodes ++ cfg.admin_nodes);
}; };
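Review bot: The endpoint selection in the last hunk reads `config.deuxfleurs.site_name`, but this diff only declares `site_name` inside the per-node submodule (the `mkOption` in the first hunk), not as a top-level `deuxfleurs.site_name` option; unless that option already exists elsewhere in the module, evaluation fails with a missing-attribute error on every host, and if it is added it should carry `default = null` so hosts without a site keep using the public endpoints (the `site_name != null` guard already handles that case). The `lan_endpoint` option in the second hunk would be clearer if its description said when it takes effect, e.g. `description = "Wireguard endpoint used instead of endpoint by peers whose deuxfleurs.site_name equals this node's site_name";`. Worth noting in a comment next to the conditional that this only changes where handshakes are sent; the peer is still authenticated by `publicKey`, so no additional trust is placed in the 192.168.1.0/24 network. The enclosing attrset (the WireGuard interface definition, judging by `ips`/`listenPort`/`privateKeyFile`) starts before the hunk.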