nixos/lib/vargen: WIP WireGuard support

Signed-off-by: Matt Layher <mdlayher@gmail.com>
2024-12-14 11:47:32 +00:00 · 2020-05-29 17:00:30 -04:00 · 2020-05-29 17:00:30 -04:00 · 0cecbd7913
commit 0cecbd7913
parent 6d343cab9d
4 changed files with 103 additions and 31 deletions
--- a/nixos/lib/vargen/main.go
+++ b/nixos/lib/vargen/main.go
@ -37,6 +37,7 @@ func main() {
 		lan0   = newSubnet("lan0", 10)
 		iot0   = newSubnet("iot0", 66)
 		tengb0 = newSubnet("tengb0", 100)
+		wg0    = newSubnet("wg0", 20)

 		server = newHost(
 			"servnerr-3",
@ -46,6 +47,13 @@ func main() {
 		)
 	)

+	wg := wireguard{
+		Name:   "wg0",
+		Subnet: wg0,
+	}
+	wg.addPeer("mdlayher-fastly", "VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8=")
+	wg.addPeer("nerr-3", "UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA=")
+
 	// Set up the output structure and create host/infra records.
 	out := output{
 		// TODO: this is a hack, we should make a Service type or similar.
@ -100,6 +108,7 @@ func main() {
 				),
 			},
 		},
+		WireGuard: wg,
 	}

 	// Attach interface definitions from subnet definitions.
@ -109,7 +118,7 @@ func main() {
 	out.addInterface("iot0", iot0)
 	out.addInterface("lab0", newSubnet("lab0", 2))
 	out.addInterface("tengb0", tengb0)
-	out.addInterface("wg0", newSubnet("wg0", 20))
+	out.addInterface("wg0", wg0)

 	// TODO: wan0 is a special case but should probably live in its own
 	// section as it has different rules.
@ -146,6 +155,7 @@ type output struct {
 	ServerIPv6 netaddr.IP       `json:"server_ipv6"`
 	Hosts      hosts            `json:"hosts"`
 	Interfaces map[string]iface `json:"interfaces"`
+	WireGuard  wireguard        `json:"wireguard"`
 }

 type hosts struct {
@ -265,6 +275,49 @@ type ipv6Prefixes struct {
 	LLA netaddr.IPPrefix `json:"lla"`
 }

+type wireguard struct {
+	Name   string   `json:"name"`
+	Subnet subnet   `json:"subnet"`
+	Peers  []wgPeer `json:"peers"`
+
+	idx int
+}
+
+func (wg *wireguard) addPeer(name, publicKey string) {
+	defer func() { wg.idx++ }()
+
+	const offset = 10
+
+	var ips []string
+	for _, ipp := range []netaddr.IPPrefix{
+		wg.Subnet.IPv4,
+		wg.Subnet.IPv6.GUA,
+		wg.Subnet.IPv6.ULA,
+		wg.Subnet.IPv6.LLA,
+	} {
+		// Router always has a .1 or ::1 suffix.
+		arr := ipp.IP.As16()
+		arr[15] = byte(offset + wg.idx)
+
+		ips = append(ips, netaddr.IPPrefix{
+			IP:   netaddr.IPFrom16(arr),
+			Bits: ipp.Bits,
+		}.String())
+	}
+
+	wg.Peers = append(wg.Peers, wgPeer{
+		Name:       name,
+		PublicKey:  publicKey,
+		AllowedIPs: ips,
+	})
+}
+
+type wgPeer struct {
+	Name       string   `json:"name"`
+	PublicKey  string   `json:"public_key"`
+	AllowedIPs []string `json:"allowed_ips"`
+}
+
 func mustStdIP(ip net.IP) netaddr.IP {
 	out, ok := netaddr.FromStdIP(ip)
 	if !ok {
--- a/nixos/lib/vars.json
+++ b/nixos/lib/vars.json
@ -168,5 +168,39 @@
 				"lla": "fe80::1"
 			}
 		}
+	},
+	"wireguard": {
+		"name": "wg0",
+		"subnet": {
+			"name": "wg0",
+			"ipv4": "192.168.20.0/24",
+			"ipv6": {
+				"gua": "2600:6c4a:7880:3220::/64",
+				"ula": "fd9e:1a04:f01d:20::/64",
+				"lla": "fe80::/64"
+			}
+		},
+		"peers": [
+			{
+				"name": "mdlayher-fastly",
+				"public_key": "VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8=",
+				"allowed_ips": [
+					"192.168.20.10/24",
+					"2600:6c4a:7880:3220::a/64",
+					"fd9e:1a04:f01d:20::a/64",
+					"fe80::a/64"
+				]
+			},
+			{
+				"name": "nerr-3",
+				"public_key": "UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA=",
+				"allowed_ips": [
+					"192.168.20.11/24",
+					"2600:6c4a:7880:3220::b/64",
+					"fd9e:1a04:f01d:20::b/64",
+					"fe80::b/64"
+				]
+			}
+		]
 	}
 }
--- a/nixos/lib/vars.nix
+++ b/nixos/lib/vars.nix
@ -6,6 +6,7 @@ let
  server_ipv6 = gen.server_ipv6;
  hosts = gen.hosts;
  interfaces = gen.interfaces;
+  wireguard = gen.wireguard;

 in {
  inherit server_ipv4;
--- a/nixos/routnerr-2/networking.nix
+++ b/nixos/routnerr-2/networking.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ lib, ... }:

 let
  vars = import ./lib/vars.nix;
@ -22,6 +22,11 @@ let
    tempAddress = "disabled";
  });

+  mkPeer = (peer: {
+    publicKey = peer.public_key;
+    allowedIPs = peer.allowed_ips;
+  });
+
 in {
  # LAN interface.
  networking = {
@ -80,35 +85,15 @@ in {
      };
    };

-    wireguard = with vars.interfaces.wg0; {
+    wireguard = with vars.wireguard; {
      enable = true;
      interfaces = {
        ${name} = {
          listenPort = 51820;
-          ips =
+          ips = with subnet;
            [ "${ipv4}/24" "${ipv6.gua}/64" "${ipv6.ula}/64" "${ipv6.lla}/64" ];
          privateKeyFile = "/var/lib/wireguard/${name}.key";
-          peers = [
-            # mdlayher-fastly
-            {
-              publicKey = "VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8=";
-              allowedIPs = [
-                "192.168.20.0/24"
-                "2600:6c4a:7880:3220::/64"
-                "fd9e:1a04:f01d:20::/64"
-                "fe80::10/128"
-              ];
-            }
-            # nerr-3
-            {
-              publicKey = "UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA=";
-              allowedIPs = [
-                "192.168.20.0/24"
-                "2600:6c4a:7880:3220::/64"
-                "fd9e:1a04:f01d:20::/64"
-              ];
-            }
-          ];
+          peers = lib.forEach peers mkPeer;
        };
      };
    };
@ -122,13 +107,12 @@ in {
  services.wireguard_exporter = {
    enable = true;
    config = ''
+      ${
+        lib.concatMapStrings (peer: ''
      [[peer]]
-      public_key = "VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8="
-      name = "mdlayher-fastly"
-
-      [[peer]]
-      public_key = "UvwWyMQ1ckLEG82Qdooyr0UzJhqOlzzcx90DXuwMTDA="
-      name = "nerr-3"
+      public_key = "${peer.public_key}"
+      name = "${peer.name}"
+      '') [ vars.wireguard.peers ]}
    '';
  };
 }