update overall module structure, remove host-specific config files

- update flake.nix to reflect new structure
- update modules/default.nix imports
- update modules/network.nix and wireguard.nix
- remove config/configuration.nix and hardware-configuration.nix
- remove modules/access.nix from this module's scope
This commit is contained in:
2025-09-30 21:10:33 +05:30
parent a2d5333f01
commit 01a77e65a6
7 changed files with 204 additions and 227 deletions


@@ -12,7 +12,7 @@ let
serverAddress = mkOption {
type = types.str;
description =
"IPv6 address with CIDR prefix to bind WireGuard (e.g., 2001:db8::1/64).";
"IPv6 address/prefix to bind WireGuard (e.g., 2001:db8::1/64).";
};
serverPort = mkOption {
type = types.port;
@@ -20,19 +20,19 @@ let
};
clientAddress = mkOption {
type = types.str;
description = "Peer IPv6 address with CIDR (e.g., 2001:db8::2/128).";
description = "Peer IPv6 address/prefix (e.g., 2001:db8::2/128).";
};
clientSubnet = mkOption {
type = types.str;
description = "Peer subnet IPv6 CIDR (e.g., 2001:db8::/64).";
description = "Peer IPv6 subnet (e.g., 2001:db8::/64).";
};
serverPrivateKeyFile = mkOption {
type = types.str;
description = "Name of the sops secret containing server private key.";
type = types.path;
description = "Path to server private key file.";
};
clientPublicKeyFile = mkOption {
type = types.str;
description = "Name of the sops secret containing client public key.";
type = types.path;
description = "Path to client public key file.";
};
};
});
@@ -47,14 +47,14 @@ let
"Duplicate values found for '${name}': ${builtins.toString values}";
};
secretAssertions = lib.flatten (map (cfg: [
fileAssertions = lib.flatten (map (cfg: [
{
assertion = builtins.hasAttr cfg.serverPrivateKeyFile config.sops.secrets;
message = "Missing sops secret: ${cfg.serverPrivateKeyFile}";
assertion = cfg.serverPrivateKeyFile != null;
message = "serverPrivateKeyFile must be provided for interface ${cfg.interface}";
}
{
assertion = builtins.hasAttr cfg.clientPublicKeyFile config.sops.secrets;
message = "Missing sops secret: ${cfg.clientPublicKeyFile}";
assertion = cfg.clientPublicKeyFile != null;
message = "clientPublicKeyFile must be provided for interface ${cfg.interface}";
}
]) interfaces);
@@ -69,34 +69,28 @@ let
in {
options.wireguard.interfaces = mkOption {
type = wgConfigType;
default = [];
description = "List of WireGuard interface configurations.";
};
config = {
sops.secrets = let
def = {
owner = "systemd-network";
group = "systemd-network";
};
in lib.mkMerge (map (cfg: {
"${cfg.serverPrivateKeyFile}" = def;
"${cfg.clientPublicKeyFile}" = def;
}) interfaces);
assertions = lib.mkAfter (fileAssertions ++ uniquenessAssertions);
assertions = lib.mkAfter (secretAssertions ++ uniquenessAssertions);
systemd.network.enable = true;
systemd.network.netdevs = lib.mkMerge (map (cfg: {
"${cfg.interface}" = {
netdevConfig = {
Kind = "wireguard";
MTUBytes = "1412";
Name = cfg.interface;
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.${cfg.serverPrivateKeyFile}.path;
PrivateKeyFile = cfg.serverPrivateKeyFile;
ListenPort = cfg.serverPort;
};
wireguardPeers = [{
PublicKeyFile = config.sops.secrets.${cfg.clientPublicKeyFile}.path;
PublicKeyFile = cfg.clientPublicKeyFile;
AllowedIPs = [ cfg.clientAddress cfg.clientSubnet ];
}];
};
@@ -105,13 +99,11 @@ in {
systemd.network.networks = lib.mkMerge (map (cfg: {
"${cfg.interface}" = {
matchConfig = { Name = cfg.interface; };
networkConfig = { IPv6Forwarding = "yes"; };
address = [ cfg.serverAddress ];
routes = [
{
Destination = cfg.clientAddress;
Scope = "link";
}
{
Destination = cfg.clientSubnet;
Scope = "link";
@@ -119,5 +111,8 @@ in {
];
};
}) interfaces);
# Automatically open firewall ports for WireGuard
networking.firewall.allowedUDPPorts = map (cfg: cfg.serverPort) interfaces;
};
}
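Review bot: In the `@@ -47,14` hunk the new `assertion = cfg.serverPrivateKeyFile != null;` (and its `clientPublicKeyFile` twin) can never fire, because `types.path` does not admit `null` and the option has no default, so evaluation fails on the type check before assertions run; the real risk the commit introduces is left unchecked instead — a `types.path` value written as a path literal is copied into the world-readable Nix store, which for the server private key is a leak. I would replace the two vacuous checks with a store-path guard, e.g. `assertion = !lib.hasPrefix builtins.storeDir (toString cfg.serverPrivateKeyFile);` with `message = "serverPrivateKeyFile for ${cfg.interface} must be a runtime path outside the Nix store (e.g. a sops-nix secret path)";`, and the same for the public key file. The removed `sops.secrets` block in the `@@ -69,34` hunk also set `owner`/`group` to `systemd-network`; nothing in the new code arranges for the key file to be readable by that user, so the option descriptions should state that the caller must provide a file readable by the `systemd-network` user, and the `secretAssertions` → `fileAssertions` rename suggests the old sops-based ownership handling was intended to be dropped rather than replaced. The enclosing `let`/`in` module body starts outside these hunks.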