add wg-gen-conf-${hostName}

2023-10-07 11:28:12 +01:00 · 2023-10-07 11:28:12 +01:00 · 003708485c
parent 5e3b4d25a1
commit 003708485c
4 changed files with 36 additions and 2 deletions
--- a/data/internalCAIntermediate.crt
+++ b/data/internalCAIntermediate.crt
--- a/home/dev/all/extra.nix
+++ b/home/dev/all/extra.nix
@ -9,8 +9,8 @@
    file
    python3
    binutils # for strings
+    qrencode

-    # (pkgs.busybox.override {enableAppletSymlinks = false;})
    # This saves a rebuild of already cached busybox
    (pkgs.runCommand "busybox-no-applets" {} ''
      mkdir -p $out/bin
--- a/lib/internalWireGuardLib.nix
+++ b/lib/internalWireGuardLib.nix
@ -5,7 +5,7 @@
 }: let
  inherit (pkgs) writeShellScriptBin;
  inherit (lib.lists) forEach;
-  inherit (lib.strings) concatStringsSep;
+  inherit (lib.strings) concatStringsSep optionalString;
  inherit (builtins) attrNames;

  wireguardData = import ../data/wireguard/chaosInternalWireGuard.nix;
@ -63,4 +63,37 @@ in rec {

    ${jq} ".\"${systemHostName}\" = \"$PUBLIC\"" "$PUBKEYS_FILE" | ${sponge} "$PUBKEYS_FILE"
  ''));
+
+  genConfScript = systemHostName: (writeShellScriptBin "wg-gen-conf-${systemHostName}" (let
+    vault = "${pkgs.vault-bin}/bin/vault";
+    jq = "${pkgs.jq}/bin/jq";
+
+    currentHostConfig = wireguardHosts.${systemHostName};
+  in ''
+    set -euo pipefail
+    getPrivateKey() {
+      ${vault} kv get -format=json "/private-public-keys/wireguard/chaos-internal/$1" | ${jq} -r ".data.data.private" | tr -d '\n'
+    }
+
+    cat << EOF
+    [interface]
+    Address = ${currentHostConfig.ip}/24
+    ${optionalString (currentHostConfig ? "listenAddress") "ListenAddress = ${toString currentHostConfig.listenAddress}"}
+    PrivateKey = $(getPrivateKey ${systemHostName})
+
+
+    ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: (let
+      hostConfig = wireguardHosts.${hostName};
+    in ''
+      [Peer]
+      PublicKey = ${hostConfig.public}
+      ${optionalString (hostConfig ? "endpoint") "Endpoint = ${hostConfig.endpoint}"}
+      AllowedIPs = ${
+        if hostConfig ? "allowedIPs"
+        then concatStringsSep "," hostConfig.allowedIPs
+        else "${hostConfig.ip}/32"
+      }
+    '')))}
+    EOF
+  ''));
 }
--- a/outputs.nix
+++ b/outputs.nix
@ -85,6 +85,7 @@ in
            (mergeAttrsList (
              forEach hostsWithWireGuard (hostName: {
                "wg-keys-init-${hostName}" = internalWireGuardLib.genInitScript hostName;
+                "wg-gen-conf-${hostName}" = internalWireGuardLib.genConfScript hostName;
              })
            ))
            {