ryan
/
wirenix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

The big bugfix commit

Browse Source
release
Matthew Salerno 1 year ago
parent bd9c2b14e5
commit 6a82d57a8d
7 changed files with 47 additions and 29 deletions
Show Stats Download Patch File Download Diff File

10
README.md
Unescape Escape View File

@ -51,6 +51,16 @@ type subnet = {
}; };
``` ```
! WARNING ! If your subnet name has a ".", the wireguard connection's name will
be everything preceding the ".". This is because there is a hard limit of 15
characters for wireguard connection names. For example, if your subnet is named
"myVPN.mydomain.com" (18 characters), the wireguard connection will be named
"myVPN". This is useful because the longer name will still be used to generate
a unique ip and in the hosts file, just not for the netdev name. This
unfortunately means that you cannot share subdomains across different domain
on the same machine. A workaround is to use dashes if your FQDN is under 15
characters.
## Group: ## Group:
```typescript ```typescript
type group = { type group = {

23
configurers/networkd.nix
Unescape Escape View File

@ -3,7 +3,7 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this * License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at https://mozilla.org/MPL/2.0/. * file, You can obtain one at https://mozilla.org/MPL/2.0/.
*/ */
{lib, ...}@inputs: keyProviders: intermediateConfig: peerName: {lib, ...}@inputs: keyProviders: intermediateConfig: localPeerName:
with lib.trivial; with lib.trivial;
with lib.attrsets; with lib.attrsets;
with lib.lists; with lib.lists;
@ -11,31 +11,32 @@ with lib;
with builtins; with builtins;
with import ../lib.nix; with import ../lib.nix;
let let
thisPeer = intermediateConfig.peers."${peerName}"; thisPeer = intermediateConfig.peers."${localPeerName}";
# these aren't really important, I just wanted to reverse the argument order # these aren't really important, I just wanted to reverse the argument order
forEachAttr' = flip mapAttrs'; forEachAttr' = flip mapAttrs';
forEachAttrToList = flip mapAttrsToList; forEachAttrToList = flip mapAttrsToList;
shortName = fqdn: head (strings.splitString "." fqdn);
in in
with getKeyProviderFuncs keyProviders inputs intermediateConfig peerName; with getKeyProviderFuncs keyProviders inputs intermediateConfig localPeerName;
{ {
networking.extraHosts = concatStringsSep "\n" (concatLists ( concatLists (forEachAttrToList thisPeer.subnetConnections (subnetName: subnetConnection: networking.extraHosts = concatStringsSep "\n" (concatLists ( concatLists (forEachAttrToList thisPeer.subnetConnections (subnetName: subnetConnection:
forEachAttrToList subnetConnection.peerConnections (otherPeerName: peerConnection: forEach peerConnection.ipAddresses (ip: "${strings.removeSuffix "/64" ip} ${otherPeerName}.${subnetName}")) forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection: forEach peerConnection.ipAddresses (ip: "${strings.removeSuffix "/64" ip} ${remotePeerName}.${subnetName}"))
)))); ))));
systemd.network = { systemd.network = {
netdevs = forEachAttr' thisPeer.subnetConnections (subnetName: subnetConnection: nameValuePair "50-wn-${subnetName}" { netdevs = forEachAttr' thisPeer.subnetConnections (subnetName: subnetConnection: nameValuePair "50-${shortName subnetName}" {
netdevConfig = { netdevConfig = {
Kind = "wireguard"; Kind = "wireguard";
Name = "wn-${subnetName}"; Name = "${shortName subnetName}";
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = getPrivKeyFile; PrivateKeyFile = getPrivKeyFile;
ListenPort = subnetConnection.listenPort; ListenPort = subnetConnection.listenPort;
}; };
wireguardPeers = forEachAttrToList subnetConnection.peerConnections (otherPeerName: peerConnection: { wireguardPeers = forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection: {
wireguardPeerConfig = { wireguardPeerConfig = {
Endpoint = "${peerConnection.endpoint.ip}:${builtins.toString peerConnection.endpoint.port}"; Endpoint = "${peerConnection.endpoint.ip}:${builtins.toString peerConnection.endpoint.port}";
PublicKey = getPeerPubKey otherPeerName; PublicKey = getPeerPubKey remotePeerName;
AllowedIPs = peerConnection.ipAddresses; AllowedIPs = map (ip: cidr2ip ip + "/128") peerConnection.ipAddresses;
PresharedKeyFile = getSubnetPSKFile subnetName; PresharedKeyFile = getSubnetPSKFile subnetName;
}; };
} }
@ -44,8 +45,8 @@ with getKeyProviderFuncs keyProviders inputs intermediateConfig peerName;
// (warnIf (peerConnection.endpoint ? dynamicEndpointRefreshRestartSeconds) "dynamicEndpointRefreshRestartSeconds not supported for networkd" {}) // (warnIf (peerConnection.endpoint ? dynamicEndpointRefreshRestartSeconds) "dynamicEndpointRefreshRestartSeconds not supported for networkd" {})
); );
}); });
networks = forEachAttr' thisPeer.subnetConnections (subnetName: subnetConnection: nameValuePair "${subnetName}" { networks = forEachAttr' thisPeer.subnetConnections (subnetName: subnetConnection: nameValuePair "50-${shortName subnetName}" {
matchConfig.Name = "wn-${subnetName}"; matchConfig.Name = "${shortName subnetName}";
address = subnetConnection.ipAddresses; address = subnetConnection.ipAddresses;
}); });
}; };

18
configurers/static.nix
Unescape Escape View File

@ -3,7 +3,7 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this * License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at https://mozilla.org/MPL/2.0/. * file, You can obtain one at https://mozilla.org/MPL/2.0/.
*/ */
{lib, ...}@inputs: keyProviders: intermediateConfig: peerName: {lib, ...}@inputs: keyProviders: intermediateConfig: localPeerName:
with lib.trivial; with lib.trivial;
with lib.attrsets; with lib.attrsets;
with lib.lists; with lib.lists;
@ -11,28 +11,28 @@ with lib;
with builtins; with builtins;
with import ../lib.nix; with import ../lib.nix;
let let
thisPeer = intermediateConfig.peers."${peerName}"; thisPeer = intermediateConfig.peers."${localPeerName}";
# these aren't really important, I just wanted to reverse the argument order # these aren't really important, I just wanted to reverse the argument order
forEachAttr' = flip mapAttrs'; forEachAttr' = flip mapAttrs';
forEachAttrToList = flip mapAttrsToList; forEachAttrToList = flip mapAttrsToList;
in in
with getKeyProviderFuncs keyProviders inputs intermediateConfig peerName; with getKeyProviderFuncs keyProviders inputs intermediateConfig localPeerName;
{ {
networking.extraHosts = concatStringsSep "\n" (concatLists ( concatLists (forEachAttrToList thisPeer.subnetConnections (subnetName: subnetConnection: networking.extraHosts = concatStringsSep "\n" (concatLists ( concatLists (forEachAttrToList thisPeer.subnetConnections (subnetName: subnetConnection:
forEachAttrToList subnetConnection.peerConnections (otherPeerName: peerConnection: forEach peerConnection.ipAddresses (ip: "${strings.removeSuffix "/64" ip} ${otherPeerName}.${subnetName}")) forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection: forEach peerConnection.ipAddresses (ip: "${strings.removeSuffix "/64" ip} ${remotePeerName}.${subnetName}"))
)))); ))));
networking.wireguard = { networking.wireguard = {
interfaces = forEachAttr' thisPeer.subnetConnections (subnetName: subnetConnection: nameValuePair "wn-${subnetName}" interfaces = forEachAttr' thisPeer.subnetConnections (subnetName: subnetConnection: nameValuePair "${head (strings.splitString "." subnetName)}"
{ {
ips = subnetConnection.ipAddresses; ips = subnetConnection.ipAddresses;
listenPort = subnetConnection.listenPort; listenPort = subnetConnection.listenPort;
privateKeyFile = getPrivKeyFile; privateKeyFile = getPrivKeyFile;
peers = forEachAttrToList subnetConnection.peerConnections (otherPeerName: peerConnection: peers = forEachAttrToList subnetConnection.peerConnections (remotePeerName: peerConnection:
{ {
name = otherPeerName; name = remotePeerName;
publicKey = getPeerPubKey otherPeerName; publicKey = getPeerPubKey remotePeerName;
presharedKeyFile = getSubnetPSKFile subnetName; presharedKeyFile = getSubnetPSKFile subnetName;
allowedIPs = peerConnection.ipAddresses; allowedIPs = map (ip: cidr2ip ip + "/128") peerConnection.ipAddresses;
endpoint = "${peerConnection.endpoint.ip}:${builtins.toString peerConnection.endpoint.port}"; endpoint = "${peerConnection.endpoint.ip}:${builtins.toString peerConnection.endpoint.port}";
} }
// (mergeIf peerConnection.endpoint "persistentKeepalive") // (mergeIf peerConnection.endpoint "persistentKeepalive")

6
key-providers/acl.nix
Unescape Escape View File

@ -3,12 +3,12 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this * License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at https://mozilla.org/MPL/2.0/. * file, You can obtain one at https://mozilla.org/MPL/2.0/.
*/ */
{lib, ...}: intermediateConfig: peerName: {lib, ...}: intermediateConfig: localPeerName:
with import ../lib.nix; with import ../lib.nix;
with lib.attrsets; with lib.attrsets;
with builtins; with builtins;
{ {
getPeerPubKey = otherPeerName: attrByPath [otherPeerName "publicKey"] null intermediateConfig.peers; getPeerPubKey = remotePeerName: attrByPath [remotePeerName "publicKey"] null intermediateConfig.peers;
getPrivKeyFile = attrByPath [peerName "privateKeyFile"] null intermediateConfig.peers; getPrivKeyFile = attrByPath [localPeerName "privateKeyFile"] null intermediateConfig.peers;
getSubnetPSKFile = subnetName: attrByPath [subnetName "presharedKeyFile"] null intermediateConfig.subnets; getSubnetPSKFile = subnetName: attrByPath [subnetName "presharedKeyFile"] null intermediateConfig.subnets;
} }

18
key-providers/agenix-rekey.nix
Unescape Escape View File

@ -3,15 +3,18 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this * License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at https://mozilla.org/MPL/2.0/. * file, You can obtain one at https://mozilla.org/MPL/2.0/.
*/ */
{config, lib, ...}: intermediateConfig: peerName: {config, lib, ...}: intermediateConfig: localPeerName:
with (import ../lib.nix); with (import ../lib.nix);
with lib.attrsets; with lib.attrsets;
with builtins; with builtins;
{ {
config.age = { config.age = {
secrets = { secrets = {
"wirenix-peer-${peerName}" = { "wirenix-peer-${localPeerName}" = {
rekeyFile = config.wirenix.secretsDir + /wirenix-peer- + peerName + ".age"; owner = "root";
mode = "640";
group = if config.wirenix.configurer == "networkd" then "systemd-network" else "root";
rekeyFile = config.wirenix.secretsDir + /wirenix-peer- + localPeerName + ".age";
generator.script = {pkgs, file, ...}: '' generator.script = {pkgs, file, ...}: ''
priv=$(${pkgs.wireguard-tools}/bin/wg genkey) priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")} ${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
@ -20,14 +23,17 @@ with builtins;
}; };
} // } //
mapAttrs' (name: value: nameValuePair ("wirenix-subnet-${name}") { mapAttrs' (name: value: nameValuePair ("wirenix-subnet-${name}") {
owner = "root";
mode = "640";
group = if config.wirenix.configurer == "networkd" then "systemd-network" else "root";
rekeyFile = config.wirenix.secretsDir + /wirenix-subnet- + name + ".age"; rekeyFile = config.wirenix.secretsDir + /wirenix-subnet- + name + ".age";
generator.script = {pkgs, ...}: '' generator.script = {pkgs, ...}: ''
psk=$(${pkgs.wireguard-tools}/bin/wg genpsk) psk=$(${pkgs.wireguard-tools}/bin/wg genpsk)
echo "$psk" echo "$psk"
''; '';
}) intermediateConfig.peers."${peerName}".subnetConnections; }) intermediateConfig.peers."${localPeerName}".subnetConnections;
}; };
getPeerPubKey = otherPeerName: builtins.readFile (config.wirenix.secretsDir + /wirenix-peer-${peerName}.pub); getPeerPubKey = remotePeerName: builtins.readFile (config.wirenix.secretsDir + /wirenix-peer-${remotePeerName}.pub);
getPrivKeyFile = config.age.secrets."wirenix-peer-${peerName}".path; getPrivKeyFile = config.age.secrets."wirenix-peer-${localPeerName}".path;
getSubnetPSKFile = subnetName: config.age.secrets."wirenix-subnet-${subnetName}".path; getSubnetPSKFile = subnetName: config.age.secrets."wirenix-subnet-${subnetName}".path;
} }

1
lib.nix
Unescape Escape View File

@ -127,4 +127,5 @@ rec {
}; };
mergeIf = attr: key: if builtins.hasAttr key attr then {"${key}" = attr."${key}";} else {}; mergeIf = attr: key: if builtins.hasAttr key attr then {"${key}" = attr."${key}";} else {};
cidr2ip = cidr: head (filter (item: item != []) (split "/" cidr));
} }

0
net.nix
Unescape Escape View File

Write Preview
Loading…
Cancel
Save