pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #223749 from Alexis211/add-wgautomesh

wgautomesh: init at 0.1.0

authored by

Ryan Lahfa and committed by
GitHub 2fa5e844 a30c6c8e

+198
+7
maintainers/maintainer-list.nix
··· 9245 9245 githubId = 2057309; 9246 9246 name = "Sergey Sofeychuk"; 9247 9247 }; 9248 + lx = { 9249 + email = "alex@adnab.me"; 9250 + github = "Alexis211"; 9251 + githubId = 101484; 9252 + matrix = "@lx:deuxfleurs.fr"; 9253 + name = "Alex Auvolat"; 9254 + }; 9248 9255 lxea = { 9249 9256 email = "nix@amk.ie"; 9250 9257 github = "lxea";
+2
nixos/doc/manual/release-notes/rl-2305.section.md
··· 107 107 108 108 - [trurl](https://github.com/curl/trurl), a command line tool for URL parsing and manipulation. 109 109 110 + - [wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh), a simple utility to help connect wireguard nodes together in a full mesh topology. Available as [services.wgautomesh](options.html#opt-services.wgautomesh.enable). 111 + 110 112 - [woodpecker-agents](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-agents](#opt-services.woodpecker-agents.agents._name_.enable). 111 113 112 114 - [woodpecker-server](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable).
+1
nixos/modules/module-list.nix
··· 1044 1044 ./services/networking/wg-netmanager.nix 1045 1045 ./services/networking/webhook.nix 1046 1046 ./services/networking/wg-quick.nix 1047 + ./services/networking/wgautomesh.nix 1047 1048 ./services/networking/wireguard.nix 1048 1049 ./services/networking/wpa_supplicant.nix 1049 1050 ./services/networking/wstunnel.nix
+161
nixos/modules/services/networking/wgautomesh.nix
··· 1 + { lib, config, pkgs, ... }: 2 + with lib; 3 + let 4 + cfg = config.services.wgautomesh; 5 + settingsFormat = pkgs.formats.toml { }; 6 + configFile = 7 + # Have to remove nulls manually as TOML generator will not just skip key 8 + # if value is null 9 + settingsFormat.generate "wgautomesh-config.toml" 10 + (filterAttrs (k: v: v != null) 11 + (mapAttrs 12 + (k: v: 13 + if k == "peers" 14 + then map (e: filterAttrs (k: v: v != null) e) v 15 + else v) 16 + cfg.settings)); 17 + runtimeConfigFile = 18 + if cfg.enableGossipEncryption 19 + then "/run/wgautomesh/wgautomesh.toml" 20 + else configFile; 21 + in 22 + { 23 + options.services.wgautomesh = { 24 + enable = mkEnableOption (mdDoc "the wgautomesh daemon"); 25 + logLevel = mkOption { 26 + type = types.enum [ "trace" "debug" "info" "warn" "error" ]; 27 + default = "info"; 28 + description = mdDoc "wgautomesh log level."; 29 + }; 30 + enableGossipEncryption = mkOption { 31 + type = types.bool; 32 + default = true; 33 + description = mdDoc "Enable encryption of gossip traffic."; 34 + }; 35 + gossipSecretFile = mkOption { 36 + type = types.path; 37 + description = mdDoc '' 38 + File containing the shared secret key to use for gossip encryption. 39 + Required if `enableGossipEncryption` is set. 40 + ''; 41 + }; 42 + enablePersistence = mkOption { 43 + type = types.bool; 44 + default = true; 45 + description = mdDoc "Enable persistence of Wireguard peer info between restarts."; 46 + }; 47 + openFirewall = mkOption { 48 + type = types.bool; 49 + default = true; 50 + description = mdDoc "Automatically open gossip port in firewall (recommended)."; 51 + }; 52 + settings = mkOption { 53 + type = types.submodule { 54 + freeformType = settingsFormat.type; 55 + options = { 56 + 57 + interface = mkOption { 58 + type = types.str; 59 + description = mdDoc '' 60 + Wireguard interface to manage (it is NOT created by wgautomesh, you 61 + should use another NixOS option to create it such as 62 + `networking.wireguard.interfaces.wg0 = {...};`). 63 + ''; 64 + example = "wg0"; 65 + }; 66 + gossip_port = mkOption { 67 + type = types.port; 68 + description = mdDoc '' 69 + wgautomesh gossip port, this MUST be the same number on all nodes in 70 + the wgautomesh network. 71 + ''; 72 + default = 1666; 73 + }; 74 + lan_discovery = mkOption { 75 + type = types.bool; 76 + default = true; 77 + description = mdDoc "Enable discovery of peers on the same LAN using UDP broadcast."; 78 + }; 79 + upnp_forward_external_port = mkOption { 80 + type = types.nullOr types.port; 81 + default = null; 82 + description = mdDoc '' 83 + Public port number to try to redirect to this machine's Wireguard 84 + daemon using UPnP IGD. 85 + ''; 86 + }; 87 + peers = mkOption { 88 + type = types.listOf (types.submodule { 89 + options = { 90 + pubkey = mkOption { 91 + type = types.str; 92 + description = mdDoc "Wireguard public key of this peer."; 93 + }; 94 + address = mkOption { 95 + type = types.str; 96 + description = mdDoc '' 97 + Wireguard address of this peer (a single IP address, multliple 98 + addresses or address ranges are not supported). 99 + ''; 100 + example = "10.0.0.42"; 101 + }; 102 + endpoint = mkOption { 103 + type = types.nullOr types.str; 104 + description = mdDoc '' 105 + Bootstrap endpoint for connecting to this Wireguard peer if no 106 + other address is known or none are working. 107 + ''; 108 + default = null; 109 + example = "wgnode.mydomain.example:51820"; 110 + }; 111 + }; 112 + }); 113 + default = [ ]; 114 + description = mdDoc "wgautomesh peer list."; 115 + }; 116 + }; 117 + 118 + }; 119 + default = { }; 120 + description = mdDoc "Configuration for wgautomesh."; 121 + }; 122 + }; 123 + 124 + config = mkIf cfg.enable { 125 + services.wgautomesh.settings = { 126 + gossip_secret_file = mkIf cfg.enableGossipEncryption "$CREDENTIALS_DIRECTORY/gossip_secret"; 127 + persist_file = mkIf cfg.enablePersistence "/var/lib/wgautomesh/state"; 128 + }; 129 + 130 + systemd.services.wgautomesh = { 131 + path = [ pkgs.wireguard-tools ]; 132 + environment = { RUST_LOG = "wgautomesh=${cfg.logLevel}"; }; 133 + description = "wgautomesh"; 134 + serviceConfig = { 135 + Type = "simple"; 136 + 137 + ExecStart = "${getExe pkgs.wgautomesh} ${runtimeConfigFile}"; 138 + Restart = "always"; 139 + RestartSec = "30"; 140 + LoadCredential = mkIf cfg.enableGossipEncryption [ "gossip_secret:${cfg.gossipSecretFile}" ]; 141 + 142 + ExecStartPre = mkIf cfg.enableGossipEncryption [ 143 + ''${pkgs.envsubst}/bin/envsubst \ 144 + -i ${configFile} \ 145 + -o ${runtimeConfigFile}'' 146 + ]; 147 + 148 + DynamicUser = true; 149 + StateDirectory = "wgautomesh"; 150 + StateDirectoryMode = "0700"; 151 + RuntimeDirectory = "wgautomesh"; 152 + AmbientCapabilities = "CAP_NET_ADMIN"; 153 + CapabilityBoundingSet = "CAP_NET_ADMIN"; 154 + }; 155 + wantedBy = [ "multi-user.target" ]; 156 + }; 157 + networking.firewall.allowedUDPPorts = 158 + mkIf cfg.openFirewall [ cfg.settings.gossip_port ]; 159 + }; 160 + } 161 +
+25
pkgs/tools/networking/wgautomesh/default.nix
··· 1 + { lib 2 + , fetchFromGitea 3 + , rustPlatform 4 + }: 5 + rustPlatform.buildRustPackage rec { 6 + pname = "wgautomesh"; 7 + version = "0.1.0"; 8 + 9 + src = fetchFromGitea { 10 + domain = "git.deuxfleurs.fr"; 11 + owner = "Deuxfleurs"; 12 + repo = "wgautomesh"; 13 + rev = "v${version}"; 14 + sha256 = "FiFEpYLSJg52EtBXaZ685ICbaIyY9URrDt0bS0HPi0Q="; 15 + }; 16 + 17 + cargoHash = "sha256-DGDVjQ4fr4/F1RE0qVc5CWcXrrCEswCF7rQQwlKzMPA="; 18 + 19 + meta = with lib; { 20 + description = "A simple utility to help connect wireguard nodes together in a full mesh topology"; 21 + homepage = "https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh"; 22 + license = licenses.agpl3Only; 23 + maintainers = [ maintainers.lx ]; 24 + }; 25 + }
+2
pkgs/top-level/all-packages.nix
··· 13465 13465 inherit (darwin.apple_sdk.frameworks) Security; 13466 13466 }; 13467 13467 13468 + wgautomesh = callPackage ../tools/networking/wgautomesh { }; 13469 + 13468 13470 woff2 = callPackage ../development/web/woff2 { }; 13469 13471 13470 13472 woodpecker-agent = callPackage ../development/tools/continuous-integration/woodpecker/agent.nix { };