From d0cb631921d42209620d35bdbb34fb7c3fb1790b Mon Sep 17 00:00:00 2001
From: Matt Layher
Date: Fri, 15 Sep 2023 20:01:01 -0400
Subject: [PATCH] nixos/routnerr-3: remove wg0
---
 nixos/lib/modules/wireguard_exporter.nix | 47 ------------------------
 nixos/lib/pkgs/wireguard_exporter.nix | 22 -----------
 nixos/routnerr-3/configuration.nix | 14 -------
 nixos/routnerr-3/networking.nix | 36 ------------------
 nixos/routnerr-3/nftables.nix | 4 --
 5 files changed, 123 deletions(-)
 delete mode 100644 nixos/lib/modules/wireguard_exporter.nix
 delete mode 100644 nixos/lib/pkgs/wireguard_exporter.nix
diff --git a/nixos/lib/modules/wireguard_exporter.nix b/nixos/lib/modules/wireguard_exporter.nix
deleted file mode 100644
index a79f316..0000000
--- a/nixos/lib/modules/wireguard_exporter.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.wireguard_exporter;
- configFile = pkgs.writeText "wireguard_exporter.toml" cfg.config;
-in {
- options.services.wireguard_exporter = {
- enable = mkEnableOption "WireGuard Prometheus exporter";
-
- # TODO: nixify.
- config = mkOption {
- default = "";
- type = types.lines;
- description = "Peer mappings TOML configuration.";
- };
-
- package = mkOption {
- default = pkgs.wireguard_exporter;
- defaultText = "pkgs.wireguard_exporter";
- type = types.package;
- description = "wireguard_exporter package to use.";
- };
- };
-
- config = mkIf cfg.enable {
- systemd.services.wireguard_exporter = {
- description = "WireGuard Prometheus exporter";
- after = [ "network-online.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- PermissionsStartOnly = true;
- LimitNPROC = 512;
- LimitNOFILE = 1048576;
- CapabilityBoundingSet = "cap_net_admin";
- AmbientCapabilities = "cap_net_admin";
- NoNewPrivileges = true;
- DynamicUser = true;
- ExecStart = "${
- getBin cfg.package
- }/bin/wireguard_exporter -wireguard.peer-file=${configFile}";
- Restart = "on-failure";
- };
- };
- };
-}
diff --git a/nixos/lib/pkgs/wireguard_exporter.nix b/nixos/lib/pkgs/wireguard_exporter.nix
deleted file mode 100644
index e4ab0f4..0000000
--- a/nixos/lib/pkgs/wireguard_exporter.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ lib, buildGoModule, fetchFromGitHub }:
-
-buildGoModule rec {
- pname = "wireguard_exporter";
- version = "0.1.2";
-
- src = fetchFromGitHub {
- owner = "mdlayher";
- repo = "wireguard_exporter";
- rev = "v${version}";
- sha256 = "0mmrkdxh1q8n4zbj0gdx8qbrga78qg1zzyi71qk5ywl8vz0a05n0";
- };
-
- vendorSha256 = "18jqgjxrmvni1h69lzgnrwjl6b59xyn4qb4rfsd4kmpmg40g85yh";
-
- meta = with lib; {
- homepage = "github.com/mdlayher/wireguard_exporter";
- description = "Prometheus exporter for WireGuard devices.";
- license = licenses.mit;
- maintainers = with maintainers; [ mdlayher ];
- };
-}
diff --git a/nixos/routnerr-3/configuration.nix b/nixos/routnerr-3/configuration.nix
index 260942a..ab418f8 100644
--- a/nixos/routnerr-3/configuration.nix
+++ b/nixos/routnerr-3/configuration.nix
@@ -20,9 +20,6 @@ in {
 ./coredns.nix
 ./corerad.nix
 ./caddy.nix
-
- # Unstable or out-of-tree modules.
- ./lib/modules/wireguard_exporter.nix
 ];
 
 # TODO: https://github.com/NixOS/nixos-hardware/pull/673
@@ -38,14 +35,6 @@ in {
 system.copySystemConfiguration = true;
 system.stateVersion = "23.05";
 
- # Overlays for unstable and out-of-tree packages.
- nixpkgs.overlays = [
- (_self: super: {
- wireguard_exporter =
- super.callPackage ./lib/pkgs/wireguard_exporter.nix { };
- })
- ];
-
 boot = {
 kernel = {
 sysctl = {
@@ -76,9 +65,6 @@ in {
 environment.systemPackages = with pkgs; [
 # Stable packages.
 bind
-
- # Unstable and out-of-tree packages.
- wireguard_exporter
 ];
 
 services = {
diff --git a/nixos/routnerr-3/networking.nix b/nixos/routnerr-3/networking.nix
index 104d67a..f6a3c0e 100644
--- a/nixos/routnerr-3/networking.nix
+++ b/nixos/routnerr-3/networking.nix
@@ -224,28 +224,6 @@ in {
 # Lab VLAN.
 netdevs."35-lab0" = vlanNetdev "lab0" 2;
 networks."35-lab0" = vlanNetwork "lab0" 2;
-
- # WireGuard tunnel.
- netdevs."40-wg0" = {
- netdevConfig = {
- Name = "wg0";
- Kind = "wireguard";
- };
- wireguardConfig = {
- PrivateKeyFile = "/var/lib/wireguard/wg0.key";
- ListenPort = 51820;
- };
- wireguardPeers = lib.forEach vars.wireguard.peers (peer: {
- wireguardPeerConfig = {
- PublicKey = peer.public_key;
- AllowedIPs = peer.allowed_ips;
- };
- });
- };
- networks."40-wg0" = {
- matchConfig.Name = "wg0";
- address = with vars.wireguard.subnet; [ ipv4 ipv6.gua ipv6.ula ipv6.lla ];
- };
 };
 
 services.tailscale = {
@@ -258,20 +236,6 @@ in {
 # Tailscale readiness and DNS tweaks.
 systemd.network.wait-online.ignoredInterfaces = [ "ts0" ];
- systemd.services.tailscaled.after = [ "network-online.target" "systemd-resolved.service" ];
-
- # Enable WireGuard Prometheus exporter and set up peer key/name mappings.
- # TODO: nixify the configuration.
- services.wireguard_exporter = {
- enable = true;
- config = ''
- ${lib.concatMapStrings (peer: ''
- [[peer]]
- public_key = "${peer.public_key}"
- name = "${peer.name}"
- '') vars.wireguard.peers}
- '';
- };
 }
diff --git a/nixos/routnerr-3/nftables.nix b/nixos/routnerr-3/nftables.nix
index be1a7ae..7bc7282 100644
--- a/nixos/routnerr-3/nftables.nix
+++ b/nixos/routnerr-3/nftables.nix
@@ -21,7 +21,6 @@ let
 router = "41461";
 desktop = "41642";
 };
- wireguard = "51820";
 };
 
 # Produces a CSV list of interface names.
@@ -31,12 +30,10 @@ let
 all_wans = "wan0, wan1";
 
 # LAN interfaces, segmented into trusted, limited, and untrusted groups.
- metered_lans = with vars.interfaces; [ mgmt0 lan0 ];
 trusted_lans = with vars.interfaces; [
 mgmt0
 lan0
 lab0
- wg0
 { name = "ts0"; }
 ];
 limited_lans = with vars.interfaces; [ guest0 ];
@@ -124,7 +121,6 @@ in {
 # router UDP
 udp dport {
 ${ports.tailscale.router},
- ${ports.wireguard},
 } counter accept comment "router WAN UDP"
 
 # router DHCPv6 client