mirror of
https://github.com/mdlayher/homelab.git
synced 2024-12-14 11:47:32 +00:00
nixos/routnerr-3: remove wg0
This commit is contained in:
Matt Layher
parent
cad8c7ff6b
commit
d0cb631921
5 changed files with 0 additions and 123 deletions
|
|
@ -1,47 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.wireguard_exporter;
|
||||
configFile = pkgs.writeText "wireguard_exporter.toml" cfg.config;
|
||||
in {
|
||||
options.services.wireguard_exporter = {
|
||||
enable = mkEnableOption "WireGuard Prometheus exporter";
|
||||
|
||||
# TODO: nixify.
|
||||
config = mkOption {
|
||||
default = "";
|
||||
type = types.lines;
|
||||
description = "Peer mappings TOML configuration.";
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
default = pkgs.wireguard_exporter;
|
||||
defaultText = "pkgs.wireguard_exporter";
|
||||
type = types.package;
|
||||
description = "wireguard_exporter package to use.";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.wireguard_exporter = {
|
||||
description = "WireGuard Prometheus exporter";
|
||||
after = [ "network-online.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
PermissionsStartOnly = true;
|
||||
LimitNPROC = 512;
|
||||
LimitNOFILE = 1048576;
|
||||
CapabilityBoundingSet = "cap_net_admin";
|
||||
AmbientCapabilities = "cap_net_admin";
|
||||
NoNewPrivileges = true;
|
||||
DynamicUser = true;
|
||||
ExecStart = "${
|
||||
getBin cfg.package
|
||||
}/bin/wireguard_exporter -wireguard.peer-file=${configFile}";
|
||||
Restart = "on-failure";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
{ lib, buildGoModule, fetchFromGitHub }:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "wireguard_exporter";
|
||||
version = "0.1.2";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "mdlayher";
|
||||
repo = "wireguard_exporter";
|
||||
rev = "v${version}";
|
||||
sha256 = "0mmrkdxh1q8n4zbj0gdx8qbrga78qg1zzyi71qk5ywl8vz0a05n0";
|
||||
};
|
||||
|
||||
vendorSha256 = "18jqgjxrmvni1h69lzgnrwjl6b59xyn4qb4rfsd4kmpmg40g85yh";
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "github.com/mdlayher/wireguard_exporter";
|
||||
description = "Prometheus exporter for WireGuard devices.";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ mdlayher ];
|
||||
};
|
||||
}
|
||||
|
|
@ -20,9 +20,6 @@ in {
|
|||
./coredns.nix
|
||||
./corerad.nix
|
||||
./caddy.nix
|
||||
|
||||
# Unstable or out-of-tree modules.
|
||||
./lib/modules/wireguard_exporter.nix
|
||||
];
|
||||
|
||||
# TODO: https://github.com/NixOS/nixos-hardware/pull/673
|
||||
|
|
@ -38,14 +35,6 @@ in {
|
|||
system.copySystemConfiguration = true;
|
||||
system.stateVersion = "23.05";
|
||||
|
||||
# Overlays for unstable and out-of-tree packages.
|
||||
nixpkgs.overlays = [
|
||||
(_self: super: {
|
||||
wireguard_exporter =
|
||||
super.callPackage ./lib/pkgs/wireguard_exporter.nix { };
|
||||
})
|
||||
];
|
||||
|
||||
boot = {
|
||||
kernel = {
|
||||
sysctl = {
|
||||
|
|
@ -76,9 +65,6 @@ in {
|
|||
environment.systemPackages = with pkgs; [
|
||||
# Stable packages.
|
||||
bind
|
||||
|
||||
# Unstable and out-of-tree packages.
|
||||
wireguard_exporter
|
||||
];
|
||||
|
||||
services = {
|
||||
|
|
|
|||
|
|
@ -224,28 +224,6 @@ in {
|
|||
# Lab VLAN.
|
||||
netdevs."35-lab0" = vlanNetdev "lab0" 2;
|
||||
networks."35-lab0" = vlanNetwork "lab0" 2;
|
||||
|
||||
# WireGuard tunnel.
|
||||
netdevs."40-wg0" = {
|
||||
netdevConfig = {
|
||||
Name = "wg0";
|
||||
Kind = "wireguard";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = "/var/lib/wireguard/wg0.key";
|
||||
ListenPort = 51820;
|
||||
};
|
||||
wireguardPeers = lib.forEach vars.wireguard.peers (peer: {
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = peer.public_key;
|
||||
AllowedIPs = peer.allowed_ips;
|
||||
};
|
||||
});
|
||||
};
|
||||
networks."40-wg0" = {
|
||||
matchConfig.Name = "wg0";
|
||||
address = with vars.wireguard.subnet; [ ipv4 ipv6.gua ipv6.ula ipv6.lla ];
|
||||
};
|
||||
};
|
||||
|
||||
services.tailscale = {
|
||||
|
|
@ -258,20 +236,6 @@ in {
|
|||
|
||||
# Tailscale readiness and DNS tweaks.
|
||||
systemd.network.wait-online.ignoredInterfaces = [ "ts0" ];
|
||||
|
||||
systemd.services.tailscaled.after =
|
||||
[ "network-online.target" "systemd-resolved.service" ];
|
||||
|
||||
# Enable WireGuard Prometheus exporter and set up peer key/name mappings.
|
||||
# TODO: nixify the configuration.
|
||||
services.wireguard_exporter = {
|
||||
enable = true;
|
||||
config = ''
|
||||
${lib.concatMapStrings (peer: ''
|
||||
[[peer]]
|
||||
public_key = "${peer.public_key}"
|
||||
name = "${peer.name}"
|
||||
'') vars.wireguard.peers}
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ let
|
|||
router = "41461";
|
||||
desktop = "41642";
|
||||
};
|
||||
wireguard = "51820";
|
||||
};
|
||||
|
||||
# Produces a CSV list of interface names.
|
||||
|
|
@ -31,12 +30,10 @@ let
|
|||
all_wans = "wan0, wan1";
|
||||
|
||||
# LAN interfaces, segmented into trusted, limited, and untrusted groups.
|
||||
metered_lans = with vars.interfaces; [ mgmt0 lan0 ];
|
||||
trusted_lans = with vars.interfaces; [
|
||||
mgmt0
|
||||
lan0
|
||||
lab0
|
||||
wg0
|
||||
{ name = "ts0"; }
|
||||
];
|
||||
limited_lans = with vars.interfaces; [ guest0 ];
|
||||
|
|
@ -124,7 +121,6 @@ in {
|
|||
# router UDP
|
||||
udp dport {
|
||||
${ports.tailscale.router},
|
||||
${ports.wireguard},
|
||||
} counter accept comment "router WAN UDP"
|
||||
|
||||
# router DHCPv6 client
|
||||
|
|
|
|||
Loading…
Reference in a new issue