wireguard: make external peers connect to all controllers

DavHau
2025-10-16 20:00:45 +07:00
parent c48be6b34f
commit 9e36b00b48
2 changed files with 72 additions and 18 deletions


@@ -309,10 +309,12 @@ in
List of external peer names that are not part of the clan.
For ever entry here, a key pair for an external device will be generated.
Each external peer must be configured on exactly ONE controller.
This key pair can then then be displayed via `clan vars get` and inserted into an external device, like a phone or laptop.
The names in this list must not collide with machine names in the clan.
Each external peer can connect to the mesh through one or more controllers.
To connect to multiple controllers, set `roles.controller.settings.externalPeers`.
The external peer names must not collide with machine names in the clan.
The machines which are part of the clan will be able to resolve the external peers via their host names, but not vice versa.
External peers can still reach machines from within the clan via their IPv6 addresses.
'';
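Review bot: two typos in the option description survive this hunk: `For ever entry here` should read `For every entry here`, and `can then then be displayed` has a doubled `then`. The new sentence `To connect to multiple controllers, set roles.controller.settings.externalPeers.` also does not say what to set it to; state it plainly, e.g. `List the peer's name in externalPeers on every controller it should be able to connect through`, and make sure the older sentence `Each external peer must be configured on exactly ONE controller.` is dropped from the final text, since it contradicts `one or more controllers`.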
@@ -340,6 +342,10 @@ in
let
allOtherControllers = lib.filterAttrs (name: _v: name != machine.name) roles.controller.machines;
allPeers = roles.peer.machines;
# Collect all external peers from all controllers
allExternalPeers = lib.unique (
lib.flatten (lib.mapAttrsToList (_: ctrl: ctrl.settings.externalPeers) roles.controller.machines)
);
in
{
imports = [
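Review bot: `allExternalPeers` is the union of every controller's `externalPeers`, but the collision rule stated in the option description (`must not collide with machine names in the clan`) is not enforced anywhere visible in this hunk; since the union is computed right here next to `allPeers` and `roles.controller.machines`, this is the natural place for an assertion, e.g. `assert lib.intersectLists allExternalPeers (lib.attrNames roles.peer.machines ++ lib.attrNames roles.controller.machines) == [];` before the attribute set. Note also that `lib.unique` only deduplicates identical strings, so the same device listed under two spellings on two controllers silently becomes two peers with two key pairs.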
@@ -447,7 +453,7 @@ in
persistentKeepalive = 25;
}) allPeers)
++
# External peers configuration
# External peers configuration - includes all external peers from all controllers
(map (peer: {
publicKey = (
builtins.readFile (
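Review bot: this `map` now calls `builtins.readFile` for every name in `allExternalPeers`, including peers that this controller never listed in its own `settings.externalPeers`; please confirm that the vars generator producing the external key pairs is driven by the same union and not by the per-controller list, otherwise evaluation fails on a controller that did not list the peer because its public key file does not exist. The path expression is cut off in this hunk, so that cannot be checked from the diff alone.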
@@ -474,7 +480,7 @@ in
# No endpoint for external peers, they initiate the connection
persistentKeepalive = 25;
}) settings.externalPeers)
}) allExternalPeers)
++
# Other controllers configuration
(lib.mapAttrsToList (name: value: {
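Review bot: swapping `settings.externalPeers` for `allExternalPeers` changes the trust boundary: a public key listed on any one controller is now accepted by every controller, so adding a device to a single controller's `externalPeers` grants it access through the whole controller set. That is the stated intent of the commit, but it should be spelled out in the option description and in the `# External peers configuration` comment so that an operator who adds a peer to one controller knows it becomes reachable through all of them. The `persistentKeepalive = 25` entry with no endpoint is harmless, but it only takes effect once the external peer has initiated a session and the endpoint is learned, which the comment above it already implies.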