| author | Max Audron <audron@cocaine.farm> | 2023-08-11 16:51:35 +0200 |
|---|---|---|
| committer | Max Audron <audron@cocaine.farm> | 2023-08-11 16:51:35 +0200 |
| commit | 40790797e111cec5ff682806998d50c38ed7bca9 (patch) | |
| tree | 6db95b93f0797a62637845ea4bda5a3eedbc9306 /modules/wireguard | |
| parent | move nixinate to own flake (diff) | |
cleanup modules
Diffstat (limited to 'modules/wireguard')
| -rw-r--r-- | modules/wireguard/default.nix | 118 | ||||
| -rw-r--r-- | modules/wireguard/options.nix | 16 |
2 files changed, 79 insertions, 55 deletions
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index c9fc063..345af3e 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -3,65 +3,73 @@ with lib; { imports = [ ./options.nix ./roaming.nix ]; - config = mkIf config.wireguard.enable (let - cfg = config.wireguard; + config = mkIf config.wireguard.enable ( + let + cfg = config.wireguard; - peers = let - attrPeers = mapAttrs (n: node: - let peer = node.config.wireguard; - in { - endpoint = - "${node.config.deployment.targetHost}:${toString peer.port}"; - publicKey = peer.publicKey; - persistentKeepalive = 25; - allowedIPs = [ - "${peer.v4.address}/32" - "${peer.v6.ula}::${peer.v6.address}/128" - "${peer.v6.gua}::${peer.v6.address}/128" - ] ++ peer.allowedIPs; - }) (filterAttrs (n: node: node.config.wireguard.enable) nodes); - peers = attrValues attrPeers; - in peers; - in { - secrets = mkIf config.wireguard.enable { - wireguard = { - source = ../../secrets - + ("/" + "${config.networking.hostName}.privkey"); - dest = "/root/wireguard/privkey"; + peers = + let + attrPeers = mapAttrs + (n: node: + let peer = node.config.wireguard; + in + { + endpoint = + "${node.config.deployment.targetHost}:${toString peer.port}"; + publicKey = peer.publicKey; + persistentKeepalive = 25; + allowedIPs = [ + "${peer.v4.address}/32" + "${peer.v6.ula}::${peer.v6.address}/128" + "${peer.v6.gua}::${peer.v6.address}/128" + ] ++ peer.allowedIPs; + }) + (filterAttrs (n: node: node.config.wireguard.enable) nodes); + peers = attrValues attrPeers; + in + peers; + in + { + secrets = mkIf config.wireguard.enable { + wireguard = { + source = ../../secrets + + ("/" + "${config.networking.hostName}.privkey"); + dest = "/root/wireguard/privkey"; + }; }; - }; - networking.wireguard.interfaces = mkIf config.wireguard.enable { - wg0 = with { ifname = "wg0"; }; { - ips = [ - "${cfg.v4.address}/${toString cfg.v4.prefixLength}" - "${cfg.v6.ula}::${cfg.v6.address}/128" - "${cfg.v6.gua}::${cfg.v6.address}/128" - ]; - listenPort = cfg.port; - postSetup = '' - ${pkgs.nftables}/bin/nft add table ${ifname} - ${pkgs.nftables}/bin/nft 'add chain ${ifname} prerouting { type nat hook 
prerouting priority 0 ; }' - ${pkgs.nftables}/bin/nft 'add chain ${ifname} postrouting { type nat hook postrouting priority 100 ; }' - ${pkgs.nftables}/bin/nft add rule ${ifname} postrouting ip saddr ${cfg.v4.network}/${ - toString cfg.v4.prefixLength - } oif ${cfg.natInterface} masquerade + networking.wireguard.interfaces = mkIf config.wireguard.enable { + wg0 = with { ifname = "wg0"; }; { + ips = [ + "${cfg.v4.address}/${toString cfg.v4.prefixLength}" + "${cfg.v6.ula}::${cfg.v6.address}/128" + "${cfg.v6.gua}::${cfg.v6.address}/128" + ]; + listenPort = cfg.port; + postSetup = '' + ${pkgs.nftables}/bin/nft add table ${ifname} + ${pkgs.nftables}/bin/nft 'add chain ${ifname} prerouting { type nat hook prerouting priority 0 ; }' + ${pkgs.nftables}/bin/nft 'add chain ${ifname} postrouting { type nat hook postrouting priority 100 ; }' + ${pkgs.nftables}/bin/nft add rule ${ifname} postrouting ip saddr ${cfg.v4.network}/${ + toString cfg.v4.prefixLength + } oif ${cfg.natInterface} masquerade - ${pkgs.iproute2}/bin/ip link set ${ifname} multicast on - ''; - postShutdown = '' - ${pkgs.nftables}/bin/nft flush table ${ifname} - ${pkgs.nftables}/bin/nft delete table ${ifname} - ''; - privateKeyFile = "/root/wireguard/privkey"; - peers = peers; + ${pkgs.iproute2}/bin/ip link set ${ifname} multicast on + ''; + postShutdown = '' + ${pkgs.nftables}/bin/nft flush table ${ifname} + ${pkgs.nftables}/bin/nft delete table ${ifname} + ''; + privateKeyFile = "/root/wireguard/privkey"; + peers = peers; + }; }; - }; - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = lib.mkDefault true; - "net.ipv6.conf.all.forwarding" = true; - "net.netfilter.nf_conntrack_tcp_be_liberal" = true; - }; - }); + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = lib.mkDefault true; + "net.ipv6.conf.all.forwarding" = true; + "net.netfilter.nf_conntrack_tcp_be_liberal" = true; + }; + } + ); } diff --git a/modules/wireguard/options.nix b/modules/wireguard/options.nix index 903716e..69013d0 100644 
--- a/modules/wireguard/options.nix +++ b/modules/wireguard/options.nix @@ -5,62 +5,78 @@ with lib; { wireguard = { enable = mkOption { type = types.bool; + default = false; description = "Enable wireguard"; }; + roaming = mkOption { type = types.bool; description = "Deploy roaming peers to this host"; default = false; }; + port = mkOption { type = types.int; description = "Port of the wireguard interface (51820)"; default = 51820; }; + publicKey = mkOption { type = types.str; description = "Public key of the wireguard interface"; }; + natInterface = mkOption { type = types.str; description = "Interface to use for outgoing NAT connections"; default = "eth0"; }; + v4 = { address = mkOption { type = types.str; description = "IP of the wireguard interface (10.10.0.1)"; }; + network = mkOption { type = types.str; description = "The Network CIDR of the wireguard network (10.10.0.0)"; + default = "10.10.0.0"; }; + prefixLength = mkOption { type = types.int; description = "Prefix Length of the wireguard interface IP (24)"; default = 24; }; }; + v6 = { address = mkOption { type = types.str; description = "IP of the wireguard interface ()"; }; + prefixLength = mkOption { type = types.int; description = "Prefix Length of the wireguard interface IP (24)"; default = 64; }; + ula = mkOption { type = types.str; description = "Unique Local Alloctation for IPv6 net"; + default = "fd15:3d8c:d429:beef"; }; + gua = mkOption { type = types.str; description = "Global Unique Allocation for IPv6 net, used as base for hosts"; + default = "2a0f:9400:8020:beef"; }; }; + allowedIPs = mkOption { type = types.listOf types.str; description = "Extra allowedIPs"; |
