modules/netns: make the wg port optional

2024-12-03 04:23:53 +00:00
parent 770928357e
commit 08c5f5661f


@@ -31,7 +31,12 @@ let
''; '';
}; };
wg.port = mkOption { wg.port = mkOption {
type = types.port; type = types.nullOr types.port;
default = null;
description = ''
fixed port to listen to,
or null to listen on a random unused port.
'';
}; };
wg.privateKeyFile = mkOption { wg.privateKeyFile = mkOption {
type = types.path; type = types.path;
@@ -179,9 +184,11 @@ let
script = '' script = ''
${ip} link add wg-${name} type wireguard ${ip} link add wg-${name} type wireguard
# listen on a public port. the other end of the tunnel doesn't send keepalives ${lib.optionalString (wg.port != null) ''
# so i *hope* setting to a fixed port, which is opened in `sane.ports.ports`, make the tunnel more robust # listen on a public port. the other end of the tunnel doesn't send keepalives
${wg'} set wg-${name} listen-port ${builtins.toString wg.port} # so i *hope* setting to a fixed port, which is opened in `sane.ports.ports`, makes the tunnel more robust
${wg'} set wg-${name} listen-port ${builtins.toString wg.port}
''}
# resolve the endpoint *now*, from a namespace which can do DNS lookups, before moving it into its destination netns # resolve the endpoint *now*, from a namespace which can do DNS lookups, before moving it into its destination netns
# at this point, our wg device can neither send nor receive traffic, because we haven't given it a private key. # at this point, our wg device can neither send nor receive traffic, because we haven't given it a private key.
@@ -218,12 +225,14 @@ let
]; ];
}; };
sane.ports.ports."${builtins.toString wg.port}" = { sane.ports.ports = lib.optionalAttrs (wg.port != null) {
protocol = [ "udp" ]; "${builtins.toString wg.port}" = {
visibleTo.lan = true; protocol = [ "udp" ];
visibleTo.wan = true; visibleTo.lan = true;
# visibleTo.doof = true; visibleTo.wan = true;
description = "colin-wireguard-${name}"; # visibleTo.doof = true;
description = "colin-wireguard-${name}";
};
}; };
# for some reason network-pre doesn't actually get run before network.target by default?? # for some reason network-pre doesn't actually get run before network.target by default??