First wireguard config + wgautomesh

configuration.nix

@@ -12,6 +12,7 @@
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
     ./node.nix
+    ./wgautomesh.nix
   ];
 
   programs.nix-ld.enable = true; # for vscode server
@@ -114,12 +115,6 @@
   services.openssh.enable = true;
   services.openssh.settings.PasswordAuthentication = false;
 
-  # Open ports in the firewall.
-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [
-    22 # SSH
-  ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
 
   services.unbound = {
     enable = true;
@@ -140,7 +135,56 @@
     resolveLocalQueries = true;
   };
   services.resolved.enable = false;
+  
+  networking.wireguard.interfaces.wg0 = {
+    ips = [ "10.0.0.0/16" ];
+    listenPort = 19720;
+    privateKeyFile = "/var/lib/filouterie/wireguard-keys/private";
+    mtu = 1420;
+  };
 
+  filouterie.services.wgautomesh = {
+    enable = true;
+    interface = "wg0";
+    gossipPort = 1600;
+    peers = [
+      {
+        # Fifi
+        address = "10.0.1.1";
+	endpoint = "92.179.73.254:19720";
+	pubkey = "/TJVF6aLEvqngjd8Gq3QkH5esEQSIL+ryz/uKdJaZEQ=";
+      }
+    ];
+  };
+
+  system.activationScripts.generate_filouterie_wg_key = ''
+    if [ ! -f /var/lib/filouterie/wireguard-keys/private ]; then
+      mkdir -p /var/lib/filouterie/wireguard-keys
+      (umask 077; ${pkgs.wireguard-tools}/bin/wg genkey > /var/lib/filouterie/wireguard-keys/private)
+      echo "New Wireguard key was generated."
+      echo "This node's Wireguard public key is: $(${pkgs.wireguard-tools}/bin/wg pubkey < /var/lib/filouterie/wireguard-keys/private)"
+    fi
+  '';
+
+  # Open ports in the firewall.
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      22 # SSH
+    ];
+    allowedUDPPorts = [
+      19720 #Wireguard
+    ];
+
+    extraCommands = ''
+      # Allow other nodes on VPN to access all ports
+      iptables -A INPUT -s 19720 -j ACCEPT
+    '';
+
+    extraStopCommands = ''
+      iptables -D INPUT -s 19720 -j ACCEPT
+    '';
+  };
   # Garbage collection to remove old NixOs iterations
   nix.gc = {
     automatic = true;

deploy_nix.sh

@@ -6,6 +6,7 @@ if [ -z "${NODE:-}" ]
     exit 1
 fi
 
-cp ./configuration.nix /etc/nixos/configuration.nix
+cp configuration.nix /etc/nixos/configuration.nix
-cp ./cluster/nodes/$NODE.nix /etc/nixos/node.nix
+cp cluster/nodes/$NODE.nix /etc/nixos/node.nix
+cp wgautomesh.nix /etc/nixos/wgautomesh.nix
 nixos-rebuild switch

wgautomesh.nix

@@ -0,0 +1,94 @@
+let
+  wgautomesh = builtins.fetchTarball {
+    url = "https://git.deuxfleurs.fr/attachments/ce203833-1ae7-43d4-9bf4-b49b560c9f4b";
+    sha256 = "sha256:1kc990s7xkwff53vs6c3slg7ljsyr9xz1i13j61ivfj6djyh8rmj";
+  };
+in
+
+{ config, lib, pkgs, ...}:
+with lib;
+let
+  cfg = config.filouterie.services.wgautomesh;
+in
+  with builtins;
+  {
+    options.filouterie.services.wgautomesh = {
+      enable = mkEnableOption "wgautomesh";
+      logLevel = mkOption {
+        type = types.enum [ "trace" "debug" "info" "warn" "error" ];
+	default = "info";
+	description = "wgautomesh log level (trace/debug/info/warn/error)";
+      };
+      interface = mkOption {
+        type = types.str;
+	description = "Wireguard interface to manage";
+      };
+      gossipPort = mkOption {
+        type = types.port;
+	description = "wgautomesh gossip port";
+      };
+      peers = mkOption {
+        type = types.listOf (types.submodule {
+          options = {
+            pubkey = mkOption {
+              type = types.str;
+	      description = "Wireguard public key";
+	    };
+	    address = mkOption {
+              type = types.str;
+              description = "Wireguard peer address";
+	    };
+	    endpoint = mkOption {
+              type = types.nullOr types.str;
+	      description = "bootstrap endpoint";
+	    };
+	  };
+	});
+	description = "wgautomesh peer list";
+      };
+    };
+
+    config = mkIf cfg.enable (
+    let
+      peerDefs = map (peer:
+        let endpointDef = if peer.endpoint == null then ""
+	else ''endpoint = "${peer.endpoint}"'';
+	in
+	''
+	  [[peers]]
+	  pubkey = "${peer.pubkey}"
+	  address = "${peer.address}"
+	  ${endpointDef}
+	'') cfg.peers;
+      configFile = pkgs.writeText "wgautomesh.toml" ''
+        interface = "${cfg.interface}"
+        gossip_port = ${toString cfg.gossipPort}
+
+	${concatStringsSep "\n" peerDefs}
+	'';
+    in {
+      systemd.services.wgautomesh = {
+        enable = true;
+	path = [ pkgs.wireguard-tools ];
+	environment = {
+          RUST_LOG = "wgautomesh=${cfg.logLevel}";
+	};
+	description = "wgautomesh";
+	serviceConfig = {
+          Type = "simple";
+
+	  ExecStart = "${wgautomesh}/bin/wgautomesh ${configFile}";
+	  Restart = "always";
+	  RestartSec = "30";
+
+	  DynamicUser = true;
+	  User = "wgautomesh";
+	  StateDirectory = "wgautomesh";
+	  StateDirectoryMode = "0700";
+	  AmbientCapabilities = "CAP_NET_ADMIN";
+	  CapabilityBoundingSets = "CAP_NET_ADMIN";
+	};
+        wantedBy = [ "multi-user.target" ];
+      };
+    });
+  }