vpn: enforce "id" restrictions
This commit is contained in:
parent
ce35330923
commit
66d5e204be
|
@ -11,13 +11,17 @@ let
|
||||||
vpnOpts = with lib; types.submodule {
|
vpnOpts = with lib; types.submodule {
|
||||||
options = {
|
options = {
|
||||||
id = mkOption {
|
id = mkOption {
|
||||||
type = types.int;
|
type = types.ints.between 1 99;
|
||||||
description = ''
|
description = ''
|
||||||
unique integer identifier for this VPN.
|
unique integer identifier for this VPN.
|
||||||
lower number = higher priority, in many senses.
|
lower number = higher priority, in many senses.
|
||||||
lowest number = default VPN to use when no other is specified, or when multiple are enabled in the same circumstance.
|
lowest number = default VPN to use when no other is specified, or when multiple are enabled in the same circumstance.
|
||||||
|
'';
|
||||||
safe values for this number: 1 < id < 100.
|
};
|
||||||
|
default = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
read-only value: set based on whichever VPN has the lowest id.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
endpoint = mkOption {
|
endpoint = mkOption {
|
||||||
|
@ -58,11 +62,21 @@ let
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
default = builtins.all (other: config.id <= other.id) (builtins.attrValues cfg);
|
||||||
|
};
|
||||||
};
|
};
|
||||||
mkVpnConfig = name: { id, dns, endpoint, publicKey, addrV4, privateKeyFile }: let
|
mkVpnConfig = name: { id, dns, endpoint, publicKey, addrV4, privateKeyFile, ... }: let
|
||||||
fwmark = id + 10000;
|
fwmark = id + 10000;
|
||||||
bridgeAddrV4 = "10.20.${builtins.toString id}.1/24";
|
bridgeAddrV4 = "10.20.${builtins.toString id}.1/24";
|
||||||
in {
|
in {
|
||||||
|
assertions = [
|
||||||
|
{
|
||||||
|
assertion = (lib.count (c: c.id == id) (builtins.attrValues cfg)) == 1;
|
||||||
|
message = "multiple VPNs share id ${id}";
|
||||||
|
}
|
||||||
|
];
|
||||||
systemd.network.netdevs."98-${name}" = {
|
systemd.network.netdevs."98-${name}" = {
|
||||||
# see: `man 5 systemd.netdev`
|
# see: `man 5 systemd.netdev`
|
||||||
netdevConfig = {
|
netdevConfig = {
|
||||||
|
@ -198,6 +212,7 @@ in
|
||||||
config = let
|
config = let
|
||||||
configs = lib.mapAttrsToList mkVpnConfig cfg;
|
configs = lib.mapAttrsToList mkVpnConfig cfg;
|
||||||
take = f: {
|
take = f: {
|
||||||
|
assertions = f.assertions;
|
||||||
networking.firewall.checkReversePath = f.networking.firewall.checkReversePath;
|
networking.firewall.checkReversePath = f.networking.firewall.checkReversePath;
|
||||||
networking.localCommands = f.networking.localCommands;
|
networking.localCommands = f.networking.localCommands;
|
||||||
systemd.network = f.systemd.network;
|
systemd.network = f.systemd.network;
|
||||||
|
|
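Review bot: The new assertion message in the second hunk, `message = "multiple VPNs share id ${id}";`, will itself throw when the assertion trips, because `id` is an integer and Nix does not coerce integers inside string interpolation, so a duplicate id would surface as a "cannot coerce an integer to a string" error instead of the intended message; the hunk's own `bridgeAddrV4` line already shows the needed form, `message = "multiple VPNs share id ${builtins.toString id}";`. The `mkVpnConfig` binding that holds this assertion continues past the end of the hunk. Separately, the new `default` option is documented as "read-only value" but nothing prevents a user from defining it; adding `readOnly = true;` to that `mkOption` makes the module system reject such definitions rather than relying on the bool merge conflict to catch them. Since the removed "safe values for this number: 1 < id < 100." sentence was the only statement of the allowed range, and `types.ints.between 1 99` is inclusive at both ends, consider stating in the `id` description that it must lie in 1..99 because it is embedded in the fwmark (`id + 10000`) and in the `10.20.<id>.1/24` bridge address, where the bound keeps the octet well-formed.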