authorKarel Kočí <cynerd@email.cz>2024-04-09 13:45:50 +0200
committerKarel Kočí <cynerd@email.cz>2024-04-09 13:45:50 +0200
commitb8f5007dbcb0a9393016fec83a27b5a017327d2b (patch)
treeae59b4a7c8aa901947984f75e71e75d453182718 /nixos
parentdae967fb154468e90bbbaaf8a65bf13e8e8d1531 (diff)
wireguard: drop dean as endpoint
This doesn't work correctly because dean doesn't have a public IP and thus can't be discovered easily.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/configurations/dean.nix6
-rw-r--r--nixos/modules/openvpn.nix21
-rw-r--r--nixos/modules/wireguad.nix39
3 files changed, 24 insertions, 42 deletions
diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix
index c903794..adc9e87 100644
--- a/nixos/configurations/dean.nix
+++ b/nixos/configurations/dean.nix
@@ -16,11 +16,6 @@ in {
networking = {
useNetworkd = true;
useDHCP = false;
- nat = {
- enable = true;
- externalInterface = "brlan";
- internalInterfaces = ["wg"];
- };
};
systemd.network = {
netdevs."brlab".netdevConfig = {
@@ -39,7 +34,6 @@ in {
matchConfig.Name = "lan* end0";
networkConfig.Bridge = "brlan";
};
- "wg".networkConfig.IPForward = mkForce "yes";
};
# TODO investigate why it doesn't work
wait-online.enable = false;
diff --git a/nixos/modules/openvpn.nix b/nixos/modules/openvpn.nix
index 789d430..6a21721 100644
--- a/nixos/modules/openvpn.nix
+++ b/nixos/modules/openvpn.nix
@@ -1,6 +1,7 @@
{
config,
lib,
+ pkgs,
...
}: let
inherit (lib) mkOption types mkIf;
@@ -27,9 +28,25 @@ in {
config = "config /run/secrets/old.ovpn";
};
elektroline = mkIf cnf.elektroline {
- autoStart = false;
config = "config /run/secrets/elektroline.ovpn";
- updateResolvConf = true;
+ up = ''
+ domain=""
+ dns=()
+ for optionname in ''${!foreign_option_*} ; do
+ read -r p1 p2 p3 <<<"''${!optionname}"
+ [[ "$p1" == "dhcp-option" ]] || continue
+ case "$p2" in
+ DNS)
+ dns+=("$p3")
+ ;;
+ DOMAIN)
+ domain="$p3"
+ ;;
+ esac
+ done
+ ${pkgs.systemd}/bin/resolvectl dns "$dev" "''${dns[@]}"
+ ${pkgs.systemd}/bin/resolvectl domain "$dev" "~$domain"
+ '';
};
};
};
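Review bot: The `up` script calls resolvectl unconditionally at its end, so when the server pushes no `dhcp-option DNS` the `dns` array is empty and `resolvectl dns "$dev"` runs with no servers, and when no `DOMAIN` is pushed `resolvectl domain "$dev" "~$domain"` is invoked with the bare routing marker `~`. Guard both calls with `if` rather than a trailing `&&`, so that a skipped call does not become the script's non-zero exit status: `if ((''${#dns[@]})); then ${pkgs.systemd}/bin/resolvectl dns "$dev" "''${dns[@]}"; fi` and `if [[ -n "$domain" ]]; then ${pkgs.systemd}/bin/resolvectl domain "$dev" "~$domain"; fi`. Only the last pushed `DOMAIN` survives because `domain="$p3"` overwrites rather than appends, which may or may not be intended. Dropping `autoStart = false` also changes when this profile starts, which the commit message does not mention. Applying the pushed resolvers only to the tunnel link with a `~$domain` routing domain is the right shape, since it keeps server-pushed DNS from capturing lookups for unrelated names.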
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index aad392a..eb25a6e 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
@@ -6,7 +6,7 @@
}: let
inherit (lib) any all mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
inherit (config.networking) hostName;
- endpoints = ["lipwig" "spt-omnia" "adm-omnia" "dean"];
+ endpoints = ["lipwig" "spt-omnia" "adm-omnia"];
is_endpoint = any (v: v == hostName) endpoints;
in {
options = {
@@ -62,18 +62,6 @@ in {
# }
# // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
#}
- {
- wireguardPeerConfig =
- {
- AllowedIPs = [
- "${config.cynerd.hosts.wg.dean}/32"
- "10.0.0.0/22"
- "10.0.20.0/24"
- ];
- PublicKey = config.secrets.wireguardPubs.dean;
- }
- // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
- }
]
++ (optionals is_endpoint (mapAttrsToList (n: v: {
wireguardPeerConfig = {
@@ -87,9 +75,9 @@ in {
networkConfig = {
Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
IPForward = is_endpoint;
- DNS = mkIf (hostName != "dean") ["10.0.20.30" "10.0.20.31"];
- DNSSEC = false;
- Domains = mkIf (hostName != "dean") "~elektroline.cz";
+ #DNS = mkIf (hostName != "dean") ["10.0.20.30" "10.0.20.31"];
+ #DNSSEC = false;
+ #Domains = mkIf (hostName != "dean") "~elektroline.cz";
};
routes =
(optional (hostName != "lipwig") {
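Review bot: The three DNS settings are commented out rather than removed, and the commented lines still carry the `hostName != "dean"` condition for a host this same commit drops from `endpoints`, so they are dead code that no longer matches the configuration; delete them, or if they are meant to return, replace them with a comment stating why they are disabled, e.g. `# DNS over the tunnel is disabled until an endpoint with a public IP can serve it`. Commenting out `DNSSEC = false;` also means the wg link no longer sets it explicitly; presumably it now inherits the global resolved setting, which is fine if intended but worth a word in the commit message. The `networkConfig` set is complete within the hunk, but the enclosing `systemd.network.networks` definition continues outside it.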
@@ -115,24 +103,7 @@ in {
Destination = "10.8.3.0/24";
Metric = 2048;
};
- })
- ++ (optionals (hostName != "dean") [
- # Elektroline
- {
- routeConfig = {
- Gateway = config.cynerd.hosts.wg.dean;
- Destination = "10.0.0.0/22";
- Metric = 2048;
- };
- }
- {
- routeConfig = {
- Gateway = config.cynerd.hosts.wg.dean;
- Destination = "10.0.20.0/24";
- Metric = 2048;
- };
- }
- ]);
+ });
};
};
networking.firewall.allowedUDPPorts = [51820];