mirrors/mdlayher-homelab
1
0
Fork 0
mirror of https://github.com/mdlayher/homelab.git synced 2024-12-14 11:47:32 +00:00
Code Activity

nixos/routnerr-3: remove wg0

Browse source
This commit is contained in:
Matt Layher 2023-09-15 20:01:01 -04:00
parent cad8c7ff6b
commit d0cb631921
5 changed files with 0 additions and 123 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
nixos/lib/modules/wireguard_exporter.nix
View file

@ -1,47 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.wireguard_exporter;
configFile = pkgs.writeText "wireguard_exporter.toml" cfg.config;
in {
options.services.wireguard_exporter = {
enable = mkEnableOption "WireGuard Prometheus exporter";
# TODO: nixify.
config = mkOption {
default = "";
type = types.lines;
description = "Peer mappings TOML configuration.";
};
package = mkOption {
default = pkgs.wireguard_exporter;
defaultText = "pkgs.wireguard_exporter";
type = types.package;
description = "wireguard_exporter package to use.";
};
};
config = mkIf cfg.enable {
systemd.services.wireguard_exporter = {
description = "WireGuard Prometheus exporter";
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
PermissionsStartOnly = true;
LimitNPROC = 512;
LimitNOFILE = 1048576;
CapabilityBoundingSet = "cap_net_admin";
AmbientCapabilities = "cap_net_admin";
NoNewPrivileges = true;
DynamicUser = true;
ExecStart = "${
getBin cfg.package
}/bin/wireguard_exporter -wireguard.peer-file=${configFile}";
Restart = "on-failure";
};
};
};
}

22
nixos/lib/pkgs/wireguard_exporter.nix
View file

@ -1,22 +0,0 @@
{ lib, buildGoModule, fetchFromGitHub }:
buildGoModule rec {
pname = "wireguard_exporter";
version = "0.1.2";
src = fetchFromGitHub {
owner = "mdlayher";
repo = "wireguard_exporter";
rev = "v${version}";
sha256 = "0mmrkdxh1q8n4zbj0gdx8qbrga78qg1zzyi71qk5ywl8vz0a05n0";
};
vendorSha256 = "18jqgjxrmvni1h69lzgnrwjl6b59xyn4qb4rfsd4kmpmg40g85yh";
meta = with lib; {
homepage = "github.com/mdlayher/wireguard_exporter";
description = "Prometheus exporter for WireGuard devices.";
license = licenses.mit;
maintainers = with maintainers; [ mdlayher ];
};
}

14
nixos/routnerr-3/configuration.nix
View file

@ -20,9 +20,6 @@ in {
./coredns.nix ./coredns.nix
./corerad.nix ./corerad.nix
./caddy.nix ./caddy.nix
# Unstable or out-of-tree modules.
./lib/modules/wireguard_exporter.nix
]; ];
# TODO: https://github.com/NixOS/nixos-hardware/pull/673 # TODO: https://github.com/NixOS/nixos-hardware/pull/673
@ -38,14 +35,6 @@ in {
system.copySystemConfiguration = true; system.copySystemConfiguration = true;
system.stateVersion = "23.05"; system.stateVersion = "23.05";
# Overlays for unstable and out-of-tree packages.
nixpkgs.overlays = [
(_self: super: {
wireguard_exporter =
super.callPackage ./lib/pkgs/wireguard_exporter.nix { };
})
];
boot = { boot = {
kernel = { kernel = {
sysctl = { sysctl = {
@ -76,9 +65,6 @@ in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# Stable packages. # Stable packages.
bind bind
# Unstable and out-of-tree packages.
wireguard_exporter
]; ];
services = { services = {

36
nixos/routnerr-3/networking.nix
View file

@ -224,28 +224,6 @@ in {
# Lab VLAN. # Lab VLAN.
netdevs."35-lab0" = vlanNetdev "lab0" 2; netdevs."35-lab0" = vlanNetdev "lab0" 2;
networks."35-lab0" = vlanNetwork "lab0" 2; networks."35-lab0" = vlanNetwork "lab0" 2;
# WireGuard tunnel.
netdevs."40-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = "/var/lib/wireguard/wg0.key";
ListenPort = 51820;
};
wireguardPeers = lib.forEach vars.wireguard.peers (peer: {
wireguardPeerConfig = {
PublicKey = peer.public_key;
AllowedIPs = peer.allowed_ips;
};
});
};
networks."40-wg0" = {
matchConfig.Name = "wg0";
address = with vars.wireguard.subnet; [ ipv4 ipv6.gua ipv6.ula ipv6.lla ];
};
}; };
services.tailscale = { services.tailscale = {
@ -258,20 +236,6 @@ in {
# Tailscale readiness and DNS tweaks. # Tailscale readiness and DNS tweaks.
systemd.network.wait-online.ignoredInterfaces = [ "ts0" ]; systemd.network.wait-online.ignoredInterfaces = [ "ts0" ];
systemd.services.tailscaled.after = systemd.services.tailscaled.after =
[ "network-online.target" "systemd-resolved.service" ]; [ "network-online.target" "systemd-resolved.service" ];
# Enable WireGuard Prometheus exporter and set up peer key/name mappings.
# TODO: nixify the configuration.
services.wireguard_exporter = {
enable = true;
config = ''
${lib.concatMapStrings (peer: ''
[[peer]]
public_key = "${peer.public_key}"
name = "${peer.name}"
'') vars.wireguard.peers}
'';
};
} }

4
nixos/routnerr-3/nftables.nix
View file

@ -21,7 +21,6 @@ let
router = "41461"; router = "41461";
desktop = "41642"; desktop = "41642";
}; };
wireguard = "51820";
}; };
# Produces a CSV list of interface names. # Produces a CSV list of interface names.
@ -31,12 +30,10 @@ let
all_wans = "wan0, wan1"; all_wans = "wan0, wan1";
# LAN interfaces, segmented into trusted, limited, and untrusted groups. # LAN interfaces, segmented into trusted, limited, and untrusted groups.
metered_lans = with vars.interfaces; [ mgmt0 lan0 ];
trusted_lans = with vars.interfaces; [ trusted_lans = with vars.interfaces; [
mgmt0 mgmt0
lan0 lan0
lab0 lab0
wg0
{ name = "ts0"; } { name = "ts0"; }
]; ];
limited_lans = with vars.interfaces; [ guest0 ]; limited_lans = with vars.interfaces; [ guest0 ];
@ -124,7 +121,6 @@ in {
# router UDP # router UDP
udp dport { udp dport {
${ports.tailscale.router}, ${ports.tailscale.router},
${ports.wireguard},
} counter accept comment "router WAN UDP" } counter accept comment "router WAN UDP"
# router DHCPv6 client # router DHCPv6 client