From b8f5007dbcb0a9393016fec83a27b5a017327d2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Tue, 9 Apr 2024 13:45:50 +0200
Subject: wireguard: drop dean as endpoint

This doesn't work correctly because dean doesn't have public IP and thus can't be discovered easilly.
---
 nixos/modules/openvpn.nix | 21 +++++++++++++++++++--
 nixos/modules/wireguad.nix | 39 +++++----------------------------------
 2 files changed, 24 insertions(+), 36 deletions(-)
(limited to 'nixos/modules')

diff --git a/nixos/modules/openvpn.nix b/nixos/modules/openvpn.nix
index 789d430..6a21721 100644
--- a/nixos/modules/openvpn.nix
+++ b/nixos/modules/openvpn.nix
@@ -1,6 +1,7 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }: let
 inherit (lib) mkOption types mkIf;
@@ -27,9 +28,25 @@ in {
 config = "config /run/secrets/old.ovpn";
 };
 elektroline = mkIf cnf.elektroline {
- autoStart = false;
 config = "config /run/secrets/elektroline.ovpn";
- updateResolvConf = true;
+ up = ''
+ domain=""
+ dns=()
+ for optionname in ''${!foreign_option_*} ; do
+ read -r p1 p2 p3 <<<"''${!optionname}"
+ [[ "$p1" == "dhcp-option" ]] || continue
+ case "$p2" in
+ DNS)
+ dns+=("$p3")
+ ;;
+ DOMAIN)
+ domain="$p3"
+ ;;
+ esac
+ done
+ ${pkgs.systemd}/bin/resolvectl dns "$dev" "''${dns[@]}"
+ ${pkgs.systemd}/bin/resolvectl domain "$dev" "~$domain"
+ '';
 };
 };
 };
diff --git a/nixos/modules/wireguad.nix b/nixos/modules/wireguad.nix
index aad392a..eb25a6e 100644
--- a/nixos/modules/wireguad.nix
+++ b/nixos/modules/wireguad.nix
@@ -6,7 +6,7 @@
 }: let
 inherit (lib) any all mkEnableOption mkIf mapAttrsToList optional optionals optionalAttrs filterAttrs;
 inherit (config.networking) hostName;
- endpoints = ["lipwig" "spt-omnia" "adm-omnia" "dean"];
+ endpoints = ["lipwig" "spt-omnia" "adm-omnia"];
 is_endpoint = any (v: v == hostName) endpoints;
 in {
 options = {
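Review bot: In the new `up` script of the `elektroline` instance, `resolvectl domain "$dev" "~$domain"` runs unconditionally, so when the server pushes no `dhcp-option DOMAIN` the argument collapses to `~`, which systemd-resolved treats like `~.`, a catch-all routing domain that steers every lookup on the host to the VPN's resolvers; the `updateResolvConf = true` handler this replaces did not have that failure mode. Guard both calls on having received something, e.g. `[[ ''${#dns[@]} -gt 0 ]] && ${pkgs.systemd}/bin/resolvectl dns "$dev" "''${dns[@]}"` and `[[ -n "$domain" ]] && ${pkgs.systemd}/bin/resolvectl domain "$dev" "~$domain"` (the `''$` is the Nix escape inside the `''` string). Both `dns` and `domain` are populated from server-pushed `foreign_option_*` values, so keep passing `$p3` as a separate argument as done here rather than ever splicing it into a command string; a short comment above the loop stating that these values are server-controlled would make that invariant explicit for the next reader. This script also assumes `$dev` is exported by OpenVPN for the up hook; worth stating in the same comment.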
@@ -62,18 +62,6 @@ in {
 # }
 # // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
 #}
- {
- wireguardPeerConfig =
- {
- AllowedIPs = [
- "${config.cynerd.hosts.wg.dean}/32"
- "10.0.0.0/22"
- "10.0.20.0/24"
- ];
- PublicKey = config.secrets.wireguardPubs.dean;
- }
- // (optionalAttrs (!is_endpoint) {PersistentKeepalive = 25;});
- }
 ]
 ++ (optionals is_endpoint (mapAttrsToList (n: v: {
 wireguardPeerConfig = {
@@ -87,9 +75,9 @@ in {
 networkConfig = {
 Address = "${config.cynerd.hosts.wg."${hostName}"}/24";
 IPForward = is_endpoint;
- DNS = mkIf (hostName != "dean") ["10.0.20.30" "10.0.20.31"];
- DNSSEC = false;
- Domains = mkIf (hostName != "dean") "~elektroline.cz";
+ #DNS = mkIf (hostName != "dean") ["10.0.20.30" "10.0.20.31"];
+ #DNSSEC = false;
+ #Domains = mkIf (hostName != "dean") "~elektroline.cz";
 };
 routes =
 (optional (hostName != "lipwig") {
@@ -115,24 +103,7 @@ in {
 Destination = "10.8.3.0/24";
 Metric = 2048;
 };
- })
- ++ (optionals (hostName != "dean") [
- # Elektroline
- {
- routeConfig = {
- Gateway = config.cynerd.hosts.wg.dean;
- Destination = "10.0.0.0/22";
- Metric = 2048;
- };
- }
- {
- routeConfig = {
- Gateway = config.cynerd.hosts.wg.dean;
- Destination = "10.0.20.0/24";
- Metric = 2048;
- };
- }
- ]);
+ });
 };
 };
 networking.firewall.allowedUDPPorts = [51820];
--
cgit v1.2.3
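Review bot: The `DNS`, `DNSSEC` and `Domains` lines in `networkConfig` (hunk `@@ -87,9 +75,9 @@`) are commented out rather than removed, and the commented text still carries the `hostName != "dean"` condition that the rest of this commit retires, so it misleads the next reader about dean's role. Either delete the three lines or replace them with one comment that records the decision, e.g. `# Elektroline DNS/search domain is now set by the OpenVPN up hook, not on the WireGuard link` — presumably that is the intent, given the `up` script added in openvpn.nix, but confirm. Dropping `DNSSEC = false` also means this link now inherits resolved's global DNSSEC mode instead of an explicit per-link setting; if that is deliberate it belongs in the commit message, since the message only speaks about endpoints. The enclosing `systemd.network.networks` attribute set starts before this hunk.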