lucalise/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(wg): add mesh tunneling to devices & routers

Browse Source
This commit is contained in:
lucalise
2026-02-04 17:59:57 -08:00
parent 63f9d3418c
commit c85cf06186
4 changed files with 90 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
nix/homelab/helm/helmfile.yaml
View File

@@ -45,6 +45,13 @@ releases:
values: values:
- values/gitea.yaml - values/gitea.yaml
- name: gitea-runners
namespace: git
chart: gitea-charts/actions
version: 0.0.2
values:
- values/gitea-runners.yaml
# Storage # Storage
- name: longhorn - name: longhorn
namespace: longhorn-system namespace: longhorn-system

5
nix/homelab/helm/values/gitea-runners.yaml Normal file
View File

@@ -0,0 +1,5 @@
enabled: true
statefulset:
nodeSelector:
kubernetes.io/hostname: rufus
giteaRootURL: https://git.lucalise.ca

1
nix/modules/default.nix
View File

@@ -22,5 +22,6 @@
./mounts.nix ./mounts.nix
./nfs-mesh.nix ./nfs-mesh.nix
./rust.nix ./rust.nix
./networking/wireguard-mesh.nix
]; ];
} }

77
nix/modules/networking/wireguard-mesh.nix Normal file
View File

@@ -0,0 +1,77 @@
{
pkgs,
lib,
config,
...
}:
let
meshHosts = {
kumatani = {
address = "kumatani";
publicKey = "pKkl30tba29FG86wuaC0KrpSHMr1tSOujikHFbx75BM=";
isRouter = false;
ip = "10.100.0.1";
};
usahara = {
address = "usahara";
publicKey = "4v7GyAIsKfwWjLMVB4eoosJDvLkIDHW0KsEYoQqSnh4=";
isRouter = false;
ip = "10.100.0.2";
};
tux = {
address = "tux";
publicKey = "TUX_PUBLIC_KEY_HERE=";
isRouter = false;
ip = "10.100.0.3";
};
oakbay-pfsense = {
endpoint = "oakbay.lucalise.ca:51822";
publicKey = "xOTPZBIC9m1BkkiLCOUTty3b7/NOvslteVQHzEFxqWQ=";
isRouter = true;
ip = "10.100.0.250";
routes = [
"192.168.15.0/27"
"192.168.20.0/26"
"192.168.27.0/24"
];
};
};
getEndpoint =
name: host:
if host.isRouter or false then "${host.endpoint}" else "${host.address}:${toString 51820}";
mkPeer = name: host: {
publicKey = host.publicKey;
allowedIPs = [ "${host.ip}/32" ] ++ (host.routes or [ ]);
endpoint = getEndpoint name host;
persistentKeepalive = 25;
dynamicEndpointRefreshSeconds = 300;
};
mkPeersFor =
selfName: lib.mapAttrsToList mkPeer (lib.filterAttrs (name: _: name != selfName) meshHosts);
selfConfig = meshHosts.${config.networking.hostName} or null;
in
{
config = lib.mkIf (selfConfig != null) {
networking.wireguard.interfaces = {
wg0 = {
privateKeyFile = "/etc/wireguard/private.key";
ips = [ "${selfConfig.ip}/32" ];
listenPort = 51820;
peers = mkPeersFor config.networking.hostName;
};
};
networking.firewall = {
allowedUDPPorts = [ 51820 ];
trustedInterfaces = [ "wg0" ];
};
systemd.tmpfiles.rules = [
"d /etc/wireguard 0700 root root -"
];
};
}