services: wireguard: do not hard-code 'eth0'

Instead make use of the newly introduced `networking.externalInterface`
option.
This commit is contained in:
Bruno BELANYI 2021-02-18 00:10:45 +00:00
parent e74e46a0e6
commit 53b0e0a1c8


@ -10,6 +10,8 @@ let
peers = config.my.secrets.wireguard.peers; peers = config.my.secrets.wireguard.peers;
thisPeer = peers."${hostName}"; thisPeer = peers."${hostName}";
otherPeers = lib.filterAttrs (name: _: name != hostName) peers; otherPeers = lib.filterAttrs (name: _: name != hostName) peers;
extIface = config.my.networking.externalInterface;
in in
{ {
options.my.services.wireguard = with lib; { options.my.services.wireguard = with lib; {
@ -96,25 +98,24 @@ in
otherPeers; otherPeers;
} // lib.optionalAttrs (thisPeer ? externalIp) { } // lib.optionalAttrs (thisPeer ? externalIp) {
# Setup forwarding on server # Setup forwarding on server
# FIXME: 'eth0' should not hard-coded
postUp = with cfg.net; '' postUp = with cfg.net; ''
${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.iface} -j ACCEPT ${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.iface} -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${v4.subnet}.1/${toString v4.mask} -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${v4.subnet}.1/${toString v4.mask} -o ${extIface} -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i ${cfg.iface} -j ACCEPT ${pkgs.iptables}/bin/ip6tables -A FORWARD -i ${cfg.iface} -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${v6.subnet}::1/${toString v6.mask} -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${v6.subnet}::1/${toString v6.mask} -o ${extIface} -j MASQUERADE
''; '';
preDown = with cfg.net; '' preDown = with cfg.net; ''
${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.iface} -j ACCEPT ${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.iface} -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${v4.subnet}.1/${toString v4.mask} -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${v4.subnet}.1/${toString v4.mask} -o ${extIface} -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i ${cfg.iface} -j ACCEPT ${pkgs.iptables}/bin/ip6tables -D FORWARD -i ${cfg.iface} -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${v6.subnet}::1/${toString v6.mask} -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${v6.subnet}::1/${toString v6.mask} -o ${extIface} -j MASQUERADE
''; '';
}; };
nat = lib.optionalAttrs (thisPeer ? externalIp) { nat = lib.optionalAttrs (thisPeer ? externalIp) {
enable = true; enable = true;
externalInterface = "eth0"; # FIXME: should not hard-coded externalInterface = extIface;
internalInterfaces = [ cfg.iface ]; internalInterfaces = [ cfg.iface ];
}; };
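Review bot: `extIface` is spliced unquoted into the `postUp`/`preDown` shell scripts on the four `-o ${extIface}` lines, so the shape of those iptables commands now depends entirely on how strictly `my.networking.externalInterface` is typed, and that option's definition is not part of this commit. If it is a plain `types.str`, a value containing whitespace or shell metacharacters would change the command instead of failing evaluation, so either give the option a restrictive type (`types.strMatching` with an interface-name pattern) or quote at the use site, e.g. `-o ${lib.escapeShellArg extIface} -j MASQUERADE` on each of the four lines. Nothing visible in the hunk checks that the option is actually set for the peer that has `externalIp`; if the option is nullable, an `assertions` entry such as `{ assertion = (thisPeer ? externalIp) -> extIface != null; message = "my.networking.externalInterface must be set on the wireguard server"; }` would turn a missing value into a clear evaluation error rather than a runtime failure in postUp. The `let` block that defines `extIface` starts before the first hunk, and the attribute set containing `nat` continues past the end of the second.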