From d1df4951ad2f41b4fccdceea1853bda43ff241c2 Mon Sep 17 00:00:00 2001
From: xunuwu
Date: Wed, 18 Jun 2025 22:11:07 +0200
Subject: [PATCH] move wireguard peers list to vars thing
---
 flake.nix | 6 +-
 hosts/rackserv/profiles/wireguard-server.nix | 110 ++++++++-----------
 vars/hosts/rackserv.nix | 43 ++++++++
 3 files changed, 94 insertions(+), 65 deletions(-)
 create mode 100644 vars/hosts/rackserv.nix
diff --git a/flake.nix b/flake.nix
index a8e522a..926fb7f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,7 +13,11 @@
 };
 systemProfiles = _load ./sys/profiles;
 homeProfiles = _load ./home;
- vars = import ./vars;
+ vars = haumea.lib.load {
+ src = ./vars;
+ inputs.lib = nixpkgs.lib;
+ transformer = haumea.lib.transformers.liftDefault;
+ };
 l = nixpkgs.lib;
 b = builtins;
 in
diff --git a/hosts/rackserv/profiles/wireguard-server.nix b/hosts/rackserv/profiles/wireguard-server.nix
index fc9fd81..38ac252 100644
--- a/hosts/rackserv/profiles/wireguard-server.nix
+++ b/hosts/rackserv/profiles/wireguard-server.nix
@@ -1,58 +1,51 @@ { - pkgs, config, lib, + vars, ... -}: { +}: let + peers = vars.hosts.rackserv.wireguardPeers; +in { networking.firewall = let - forwardPorts = { - "10.0.0.2" = - [24001 24002 24003] - |> map (n: { - protocols = ["tcp"]; - port = n; - }); - "10.0.0.3" = - lib.range 23000 23010 - |> map (n: { - protocols = ["tcp" "udp"]; - port = n; - }); - "10.0.0.4" = [ - { - protocols = ["tcp"]; - port = 22000; - } - ]; - }; externalIp = "172.245.52.19"; b = builtins; - portsList = b.attrValues forwardPorts |> b.concatLists; - portsAndIpsList = lib.mapAttrsToList (n: v: map (x: x // {destinationIp = n;}) v) forwardPorts |> b.concatLists; + isIpv4 = ip: b.match "([0-9]{1,3}\.){3}[0-9]{1,3}" ip != null; + forPortIps = f: + lib.concatStrings ( + b.concatMap ( + peer: + lib.cartesianProduct { + IP = peer.IPs; + port = peer.OpenPorts; + } + |> b.filter (x: isIpv4 x.IP) + |> map f + ) + peers + ); + getPortsWithProtocol = protocol: + b.concatMap (peer: + peer.OpenPorts + |> b.filter (portInfo: portInfo.protocol == protocol) + |> map (portInfo: portInfo.port)) + peers; in { - allowedTCPPorts = b.filter (x: b.elem "tcp" x.protocols) portsList |> map (x: x.port); - allowedUDPPorts = [51820] ++ (b.filter (x: b.elem "udp" x.protocols) portsList |> map (x: x.port)); - extraCommands = - portsAndIpsList - |> map (x: - x.protocols - |> map (protocol: '' - iptables -t nat -A PREROUTING -p ${protocol} -d ${externalIp} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp} - iptables -t nat -A POSTROUTING -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19 - '')) - |> b.concatLists - |> b.concatStringsSep "\n"; - - extraStopCommands = - portsAndIpsList - |> map (x: - x.protocols - |> map (protocol: '' - iptables -t nat -D PREROUTING -p ${protocol} -d ${externalIp} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp} || true - iptables -t nat -D POSTROUTING -p ${protocol} -d ${x.destinationIp} --dport 
${toString x.port} -j SNAT --to-source 172.245.52.19 - '')) - |> b.concatLists - |> b.concatStringsSep "\n"; + allowedTCPPorts = getPortsWithProtocol "tcp"; + allowedUDPPorts = getPortsWithProtocol "udp"; + extraCommands = forPortIps ({ + IP, + port, + }: '' + iptables -t nat -A PREROUTING -p ${port.protocol} -d ${externalIp} --dport ${toString port.port} -j DNAT --to-destination ${IP} + iptables -t nat -A POSTROUTING -p ${port.protocol} -d ${IP} --dport ${toString port.port} -j SNAT --to-source ${externalIp} + ''); + extraStopCommands = forPortIps ({ + IP, + port, + }: '' + iptables -t nat -D PREROUTING -p ${port.protocol} -d ${externalIp} --dport ${toString port.port} -j DNAT --to-destination ${IP} || true + iptables -t nat -D POSTROUTING -p ${port.protocol} -d ${IP} --dport ${toString port.port} -j SNAT --to-source ${externalIp} || true + ''); interfaces.wg0 = { allowedUDPPorts = [53]; @@ -72,23 +65,12 @@ PrivateKeyFile = config.sops.secrets.wireguard-privatekey.path; RouteTable = "main"; }; - wireguardPeers = [ - { - # hopper - PublicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug="; - AllowedIPs = ["10.0.0.2" "fd12:1e51:ca23::2"]; - } - { - # nixdesk - PublicKey = "DMauL/fv08yXvVtyStsUfg/OM+ZJwMNvguQ59X/KU2Q="; - AllowedIPs = ["10.0.0.3" "fd12:1e51:ca23::3"]; - } - { - # alka - PublicKey = "Q90dKQtQTu8RLgkPau7/Y5fY3PVstP0bL6ey3zrdS18="; - AllowedIPs = ["10.0.0.4" "fd12:1e51:ca23::3"]; - } - ]; + wireguardPeers = + map (peer: { + inherit (peer) PublicKey; + AllowedIPs = peer.IPs; + }) + peers; }; }; diff --git a/vars/hosts/rackserv.nix b/vars/hosts/rackserv.nix new file mode 100644 index 0000000..40f6781 --- /dev/null +++ b/vars/hosts/rackserv.nix 
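Review bot: The WireGuard listen port is silently dropped from the host firewall: the removed line was `allowedUDPPorts = [51820] ++ (…)`, but the new `allowedUDPPorts = getPortsWithProtocol "udp";` yields only the peers' forwarded ports, so unless 51820 is opened somewhere outside this hunk (the netdev's ListenPort is not visible here) inbound handshakes to wg0 will be blocked after this change. Restore it with `allowedUDPPorts = [51820] ++ getPortsWithProtocol "udp";`, or better derive it from the netdev's ListenPort so the two cannot drift apart again. Separately, `isIpv4` builds its pattern in a double-quoted string, where Nix turns `\.` into a plain `.`, so the regex actually accepts any character between the octets; write it as `''([0-9]{1,3}\.){3}[0-9]{1,3}''` (indented strings keep the backslash) or escape it as `\\.`. The match still happens to keep the IPv6 entries in the current peer list out of the iptables DNAT/SNAT lines, but since it is the only check on a value that is interpolated into a root shell script, it should be exact.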
@@ -0,0 +1,43 @@
+{lib, ...}: {
+ wireguardPeers = [
+ {
+ # hopper
+ IPs = ["10.0.0.2" "fd12:1e51:ca23::2"];
+ PublicKey = ["P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug="];
+ OpenPorts =
+ [24001 24002 24003]
+ |> map (port: {
+ inherit port;
+ protocol = "tcp";
+ });
+ }
+ {
+ # nixdesk
+ IPs = ["10.0.0.3" "fd12:1e51:ca23::3"];
+ PublicKey = "DMauL/fv08yXvVtyStsUfg/OM+ZJwMNvguQ59X/KU2Q=";
+ OpenPorts =
+ lib.range 23000 23010
+ |> builtins.concatMap (port: [
+ {
+ inherit port;
+ protocol = "tcp";
+ }
+ {
+ inherit port;
+ protocol = "udp";
+ }
+ ]);
+ }
+ {
+ # alka
+ IPs = ["10.0.0.4" "fd12:1e51:ca23::3"];
+ PublicKey = "Q90dKQtQTu8RLgkPau7/Y5fY3PVstP0bL6ey3zrdS18=";
+ OpenPorts = [
+ {
+ protocol = "tcp";
+ port = 22000;
+ }
+ ];
+ }
+ ];
+}
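Review bot: The hopper entry's `PublicKey = ["P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug="];` is a one-element list, while the other two peers (and the inline config this replaces) use a plain string; wireguard-server.nix forwards it unchanged via `inherit (peer) PublicKey`, so the systemd.network `PublicKey` option receives a list instead of a key and evaluation should fail. Change it to `PublicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug=";`. Also, alka's `IPs = ["10.0.0.4" "fd12:1e51:ca23::3"];` reuses nixdesk's IPv6 address — carried over from the old file, but `IPs` now feeds AllowedIPs, and in WireGuard's cryptokey routing an allowed address belongs to exactly one peer, so whichever peer is configured last takes the route and inbound packets from the other peer sourced from `::3` are dropped. Presumably `fd12:1e51:ca23::4` was intended, matching the IPv4 side; a `lib.unique` assertion over all `IPs` in the profile would catch this class of copy-paste error at build time.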