{
  lib,
  pkgs,
  ...
}: let
  # Derivation helper for the generated shell scripts, plus the list/string
  # utilities the script bodies are assembled with.
  inherit (pkgs) writeShellScriptBin;
  inherit (builtins) attrNames;
  inherit (lib.lists) forEach;
  inherit (lib.strings) concatStringsSep optionalString;

  # Static description of the internal WireGuard mesh; only its `hosts`
  # attribute set (keyed by host name) is used in this file.
  wireguardData = import ../data/wireguard/chaosInternalWireGuard.nix;
  wireguardHosts = wireguardData.hosts;

  # Vault KV path holding a host's WireGuard key pair (written by the init
  # scripts, read by the config generator).
  kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}";
in rec {
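# Bootstrap every host in the mesh: write an initial object to each host's
# Vault KV path, then run the per-host `wg-keys-init-<host>` script, which
# stores a fresh key pair in Vault and records the public key in the JSON
# file passed as $1 (created as `{}` when it does not exist yet).
initAllScript = writeShellScriptBin "wg-keys-init-all" (let
  vault = "${pkgs.vault-bin}/bin/vault";
in ''
  # Abort on the first failed step: continuing past a Vault failure would
  # record public keys whose private halves were never stored.
  set -euo pipefail
  PUBKEYS_FILE=''${1:-}
  if [ -z "$PUBKEYS_FILE" ]; then
    echo "please provide path to file with pubkeys" >&2
    exit 1
  fi
  # A missing file would make every per-host jq update produce empty output;
  # start from an empty object instead when bootstrapping.
  if [ ! -e "$PUBKEYS_FILE" ]; then
    echo "{}" > "$PUBKEYS_FILE"
  fi
  # Write an empty object to each host's KV path first. Presumably this
  # reserves the path before the per-host script overwrites it -- confirm
  # whether this step is still needed.
  ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: ''
    echo "{}" | ${vault} kv put "${kvPathForHost hostName}" -
  ''))}
  ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: ''
    echo "Deploying keys for ${hostName}"
    "${genInitScript hostName}/bin/wg-keys-init-${hostName}" "$PUBKEYS_FILE"
  ''))}
'');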
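# Per-host key bootstrap: generate a WireGuard key pair, store both halves in
# Vault under kvPathForHost, and record the public key under the host's name
# in the JSON file passed as $1. The private key lives only in shell variables
# and pipes -- it is never written to disk, printed, or placed in argv.
genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let
  vault = "${pkgs.vault-bin}/bin/vault";
  jq = "${pkgs.jq}/bin/jq";
  wg = "${pkgs.wireguard-tools}/bin/wg";
in ''
  # Stop at the first failure so a public key is never recorded for a
  # private key that did not reach Vault.
  set -euo pipefail
  PUBKEYS_FILE=''${1:-}
  if [ -z "$PUBKEYS_FILE" ]; then
    echo "please provide path to file with pubkeys" >&2
    exit 1
  fi
  if [ ! -r "$PUBKEYS_FILE" ]; then
    echo "pubkeys file '$PUBKEYS_FILE' does not exist or is not readable" >&2
    exit 1
  fi
  PRIVATE=$(${wg} genkey)
  PUBLIC=$(echo "$PRIVATE" | ${wg} pubkey)
  # Build the Vault payload with jq and stream it straight into `vault kv put`.
  # Both values reach jq through the environment rather than the program text
  # or arguments, so they appear neither in a temp file nor in the process list.
  PRIVATE="$PRIVATE" PUBLIC="$PUBLIC" ${jq} -n '{public: env.PUBLIC, private: env.PRIVATE}' \
    | ${vault} kv put "${kvPathForHost systemHostName}" -
  # Only the public half is echoed; the private key must not end up in
  # terminal scrollback or CI logs.
  echo "Stored key pair for ${systemHostName}; public key: $PUBLIC"
  # Update the pubkeys file via a variable so a failing jq (e.g. invalid JSON)
  # aborts before anything is written, instead of truncating the file.
  UPDATED=$(${jq} --arg host "${systemHostName}" --arg pub "$PUBLIC" '.[$host] = $pub' "$PUBKEYS_FILE")
  printf '%s\n' "$UPDATED" > "$PUBKEYS_FILE"
''));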
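# Render a wg-quick style configuration for `systemHostName` to stdout. The
# interface's private key is read from Vault at run time; every *other* host
# in the mesh becomes a [Peer] section built from the static data file.
genConfScript = systemHostName: (writeShellScriptBin "wg-gen-conf-${systemHostName}" (let
  vault = "${pkgs.vault-bin}/bin/vault";
  jq = "${pkgs.jq}/bin/jq";
  currentHostConfig = wireguardHosts.${systemHostName};
  # A host is not its own peer, so leave it out of the peer list.
  peerNames = builtins.filter (name: name != systemHostName) (attrNames wireguardHosts);
  # NOTE(review): "ListenAddress" is not a key of the WireGuard configuration
  # format (the interface option is "ListenPort"); confirm what the data file
  # stores here and that the consumer of this config accepts the key.
in ''
  set -euo pipefail
  # Read host $1's private key from the same KV path the init scripts write to.
  getPrivateKey() {
    ${vault} kv get -format=json "${kvPathForHost "$1"}" | ${jq} -r '.data.data.private'
  }
  # Fetch the key before the heredoc: a failing command substitution inside
  # `cat << EOF` would not abort the script and would emit an empty key.
  PRIVATE_KEY=$(getPrivateKey "${systemHostName}")
  if [ -z "$PRIVATE_KEY" ] || [ "$PRIVATE_KEY" = "null" ]; then
    echo "no private key stored in Vault for ${systemHostName}" >&2
    exit 1
  fi
  # Section header is capitalised: wg-quick matches "[Interface]" case-sensitively.
  cat << EOF
  [Interface]
  Address = ${currentHostConfig.ip}/24
  ${optionalString (currentHostConfig ? "listenAddress") "ListenAddress = ${toString currentHostConfig.listenAddress}"}
  PrivateKey = $PRIVATE_KEY
  ${concatStringsSep "\n" (forEach peerNames (hostName: (let
    hostConfig = wireguardHosts.${hostName};
  in ''
    [Peer]
    PublicKey = ${hostConfig.public}
    ${optionalString (hostConfig ? "endpoint") "Endpoint = ${hostConfig.endpoint}"}
    AllowedIPs = ${
      if hostConfig ? "allowedIPs"
      then concatStringsSep "," hostConfig.allowedIPs
      else "${hostConfig.ip}/32"
    }
  '')))}
  EOF
''));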
}