

No commits in common. "7d8f3fb6a847a83ee23859a4ad9fcdb6e628a36f" and "5c79cbf6947a09439d03b58039aa28662dccf7a5" have entirely different histories.

2 changed files with 22 additions and 22 deletions


@ -13,7 +13,6 @@ let
${ifs.lan30.name}, ${ifs.lan30.name},
${ifs.lan40.name}, ${ifs.lan40.name},
${ifs.lan50.name}, ${ifs.lan50.name},
wg0,
} }
define OPNSENSE_NET6 = ${vars.extra.opnsense.net6} define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
define ZONE_LAN_EXTRA_NET6 = { define ZONE_LAN_EXTRA_NET6 = {


@ -2,55 +2,56 @@
let let
vars = import ./vars.nix; vars = import ./vars.nix;
wg0Peers = { wg0Peers = [
"Yura-TPX13" = { {
name = "Yura-TPX13";
allowedIPs = [ "10.6.0.3/32" "${vars.extra.opnsense.p6}::6:3:0/112" ]; allowedIPs = [ "10.6.0.3/32" "${vars.extra.opnsense.p6}::6:3:0/112" ];
publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08="; publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
pskEnabled = true; pskEnabled = true;
}; }
"Yura-Pixel7Pro" = { {
name = "Yura-Pixel7Pro";
allowedIPs = [ "10.6.0.4/32" "${vars.extra.opnsense.p6}::6:4:0/112" ]; allowedIPs = [ "10.6.0.4/32" "${vars.extra.opnsense.p6}::6:4:0/112" ];
publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4="; publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
pskEnabled = true; pskEnabled = true;
}; }
"AsusS513" = { {
name = "AsusS513";
allowedIPs = [ "10.6.0.100/32" ]; allowedIPs = [ "10.6.0.100/32" ];
publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38="; publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
pskEnabled = true; pskEnabled = true;
}; }
}; ];
in in
{ {
secrix.services.systemd-networkd.secrets = let secrix.services.systemd-networkd.secrets = let
peerSecretName = name: "wg0-peer-${name}-psk"; pskEnabledPeers = builtins.filter (peer: peer.pskEnabled) wg0Peers;
mapPeer = name: peer: { peerToSecretAttrs = peer: {
name = peerSecretName name; name = "wg0-peer-${peer.name}-psk";
value = if peer.pskEnabled then {encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;} else null; value.encrypted.file = ./secrets/wireguard/wg0-peer-${peer.name}-psk.age;
}; };
peerSecrets = lib.attrsets.mapAttrs' mapPeer wg0Peers; peerSecretsList = map peerToSecretAttrs pskEnabledPeers;
peerSecrets = builtins.listToAttrs peerSecretsList;
in in
{ {
wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age; wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
} // peerSecrets; } // peerSecrets;
systemd.network.netdevs = let systemd.network.netdevs = {
secrets = config.secrix.services.systemd-networkd.secrets;
in
{
"10-wg0" = { "10-wg0" = {
netdevConfig = { netdevConfig = {
Kind = "wireguard"; Kind = "wireguard";
Name = "wg0"; Name = "wg0";
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = secrets.wg0-private-key.decrypted.path; PrivateKeyFile = config.secrix.services.systemd-networkd.secrets.wg0-private-key.decrypted.path;
ListenPort = 18596; ListenPort = 18596;
}; };
wireguardPeers = lib.attrsets.foldlAttrs (name: peer: acc: acc ++ [{ wireguardPeers = map (peer: {
AllowedIPs = lib.strings.concatStringsSep "," peer.allowedIPs; AllowedIPs = lib.strings.concatStringsSep "," peer.allowedIPs;
PublicKey = peer.publicKey; PublicKey = peer.publicKey;
PresharedKeyFile = if peer.pskEnabled then secrets."wg0-peer-${name}-psk".decrypted.path else null; PresharedKeyFile = if peer.pskEnabled then config.secrix.services.systemd-networkd.secrets."wg0-peer-${peer.name}-psk".decrypted.path else null;
}]) [] wg0Peers; }) wg0Peers;
}; };
}; };
} }
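Review bot: Turning `wg0Peers` from an attribute set into a list removes the uniqueness that attribute keys gave peer names, and `builtins.listToAttrs` in the new `peerSecrets` binding keeps only the first entry for a duplicated `name`, so two peers accidentally given the same name would silently be pointed at the same PSK file while both still appear in `wireguardPeers`. A build-time check would catch that: bind `peerNames = map (p: p.name) wg0Peers;` in the `let` and put `assert lib.length (lib.unique peerNames) == lib.length peerNames;` right after `in`, before the module body. The secret-name string `"wg0-peer-${peer.name}-psk"` is also now spelled out three times (the attribute `name`, the `.age` path and `PresharedKeyFile`), where the removed `peerSecretName` helper kept one source of truth; a `pskSecretName = peer: "wg0-peer-${peer.name}-psk";` binding used in all three places would stop them drifting apart.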