clanServices/wireguard: use clanLib.getPublicValue

pinpox
2025-10-22 19:52:46 +02:00
parent dc0b7fc3bf
commit 0dd6c08e33


@@ -54,7 +54,10 @@
- For other controllers: The controller's /56 subnet - For other controllers: The controller's /56 subnet
*/ */
{ ... }: {
clanLib,
...
}:
let let
# Shared module for extraHosts configuration # Shared module for extraHosts configuration
extraHostsModule = extraHostsModule =
@@ -74,10 +77,12 @@ let
controllerHosts = lib.mapAttrsToList ( controllerHosts = lib.mapAttrsToList (
name: _value: name: _value:
let let
prefix = builtins.readFile ( prefix = clanLib.vars.getPublicValue {
config.clan.core.settings.directory flake = config.clan.core.settings.directory;
+ "/vars/per-machine/${name}/wireguard-network-${instanceName}/prefix/value" machine = name;
); generator = "wireguard-network-${instanceName}";
file = "prefix";
};
# Controller IP is always ::1 in their subnet # Controller IP is always ::1 in their subnet
ip = prefix + "::1"; ip = prefix + "::1";
in in
@@ -88,20 +93,24 @@ let
peerHosts = lib.mapAttrsToList ( peerHosts = lib.mapAttrsToList (
peerName: peerValue: peerName: peerValue:
let let
peerSuffix = builtins.readFile ( peerSuffix = clanLib.vars.getPublicValue {
config.clan.core.settings.directory flake = config.clan.core.settings.directory;
+ "/vars/per-machine/${peerName}/wireguard-network-${instanceName}/suffix/value" machine = peerName;
); generator = "wireguard-network-${instanceName}";
file = "suffix";
};
# Determine designated controller # Determine designated controller
designatedController = designatedController =
if (builtins.length (builtins.attrNames roles.controller.machines) == 1) then if (builtins.length (builtins.attrNames roles.controller.machines) == 1) then
(builtins.head (builtins.attrNames roles.controller.machines)) (builtins.head (builtins.attrNames roles.controller.machines))
else else
peerValue.settings.controller; peerValue.settings.controller;
controllerPrefix = builtins.readFile ( controllerPrefix = clanLib.vars.getPublicValue {
config.clan.core.settings.directory flake = config.clan.core.settings.directory;
+ "/vars/per-machine/${designatedController}/wireguard-network-${instanceName}/prefix/value" machine = designatedController;
); generator = "wireguard-network-${instanceName}";
file = "prefix";
};
peerIP = controllerPrefix + ":" + peerSuffix; peerIP = controllerPrefix + ":" + peerSuffix;
in in
"${peerIP} ${peerName}.${domain}" "${peerIP} ${peerName}.${domain}"
@@ -220,10 +229,12 @@ in
lib.mapAttrsToList ( lib.mapAttrsToList (
ctrlName: _: ctrlName: _:
let let
controllerPrefix = builtins.readFile ( controllerPrefix = clanLib.vars.getPublicValue {
config.clan.core.settings.directory flake = config.clan.core.settings.directory;
+ "/vars/per-machine/${ctrlName}/wireguard-network-${instanceName}/prefix/value" machine = ctrlName;
); generator = "wireguard-network-${instanceName}";
file = "prefix";
};
peerIP = controllerPrefix + ":" + peerSuffix; peerIP = controllerPrefix + ":" + peerSuffix;
in in
"${peerIP}/56" "${peerIP}/56"
@@ -234,20 +245,22 @@ in
# Connect to all controllers # Connect to all controllers
peers = lib.mapAttrsToList (name: value: { peers = lib.mapAttrsToList (name: value: {
publicKey = ( publicKey = clanLib.vars.getPublicValue {
builtins.readFile ( flake = config.clan.core.settings.directory;
config.clan.core.settings.directory machine = name;
+ "/vars/per-machine/${name}/wireguard-keys-${instanceName}/publickey/value" generator = "wireguard-keys-${instanceName}";
) file = "publickey";
); };
# Allow each controller's /56 subnet # Allow each controller's /56 subnet
allowedIPs = [ allowedIPs = [
"${ "${
builtins.readFile ( clanLib.vars.getPublicValue {
config.clan.core.settings.directory flake = config.clan.core.settings.directory;
+ "/vars/per-machine/${name}/wireguard-network-${instanceName}/prefix/value" machine = name;
) generator = "wireguard-network-${instanceName}";
file = "prefix";
}
}::/56" }::/56"
]; ];
@@ -349,25 +362,29 @@ in
if allPeers ? ${name} then if allPeers ? ${name} then
# For peers: they now have our entire /56 subnet # For peers: they now have our entire /56 subnet
{ {
publicKey = ( publicKey = clanLib.vars.getPublicValue {
builtins.readFile ( flake = config.clan.core.settings.directory;
config.clan.core.settings.directory machine = name;
+ "/vars/per-machine/${name}/wireguard-keys-${instanceName}/publickey/value" generator = "wireguard-keys-${instanceName}";
) file = "publickey";
); };
# Allow the peer's /96 range in ALL controller subnets # Allow the peer's /96 range in ALL controller subnets
allowedIPs = lib.mapAttrsToList ( allowedIPs = lib.mapAttrsToList (
ctrlName: _: ctrlName: _:
let let
controllerPrefix = builtins.readFile ( controllerPrefix = clanLib.vars.getPublicValue {
config.clan.core.settings.directory flake = config.clan.core.settings.directory;
+ "/vars/per-machine/${ctrlName}/wireguard-network-${instanceName}/prefix/value" machine = ctrlName;
); generator = "wireguard-network-${instanceName}";
peerSuffix = builtins.readFile ( file = "prefix";
config.clan.core.settings.directory };
+ "/vars/per-machine/${name}/wireguard-network-${instanceName}/suffix/value" peerSuffix = clanLib.vars.getPublicValue {
); flake = config.clan.core.settings.directory;
machine = name;
generator = "wireguard-network-${instanceName}";
file = "suffix";
};
in in
"${controllerPrefix}:${peerSuffix}/96" "${controllerPrefix}:${peerSuffix}/96"
) roles.controller.machines; ) roles.controller.machines;
@@ -377,19 +394,21 @@ in
else else
# For other controllers: use their /56 subnet # For other controllers: use their /56 subnet
{ {
publicKey = ( publicKey = clanLib.vars.getPublicValue {
builtins.readFile ( flake = config.clan.core.settings.directory;
config.clan.core.settings.directory machine = name;
+ "/vars/per-machine/${name}/wireguard-keys-${instanceName}/publickey/value" generator = "wireguard-keys-${instanceName}";
) file = "publickey";
); };
allowedIPs = [ allowedIPs = [
"${ "${
builtins.readFile ( clanLib.vars.getPublicValue {
config.clan.core.settings.directory flake = config.clan.core.settings.directory;
+ "/vars/per-machine/${name}/wireguard-network-${instanceName}/prefix/value" machine = name;
) generator = "wireguard-network-${instanceName}";
file = "prefix";
}
}::/56" }::/56"
]; ];