From 23fdf2674740d188c6e67a2a65be725bbebf8a33 Mon Sep 17 00:00:00 2001 From: Kjetil Orbekk Date: Wed, 4 Aug 2021 17:41:54 -0400 Subject: fix config
---
 config/router.nix | 10 +++++-----
 modules/mullvad.nix | 39 ++++++++++++++++++++++++++++++++++++
 modules/nycmesh.nix | 39 ++++++++++++++++++++++++++++++++++++
 modules/wireguard.nix | 55 --------------------------------------------------
 4 files changed, 83 insertions(+), 60 deletions(-)
 create mode 100644 modules/mullvad.nix
 create mode 100644 modules/nycmesh.nix
 delete mode 100644 modules/wireguard.nix
diff --git a/config/router.nix b/config/router.nix
index db02093..df1f931 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -2,13 +2,13 @@ let
 wan-dev = "bond0.10";
 lan-dev = "bond0";
- wireguardPort = config.orbekk.wireguard.listenPort;
+ wireguardPorts =
+ [ config.orbekk.mullvad.listenPort config.orbekk.nycmesh.listenPort ];
 mullvadMark = 30;
 nycmeshMark = 32;
 in {
- orbekk.wireguard.enable = true;
- orbekk.wireguard.enableMullvad = true;
- orbekk.wireguard.enableNycmesh = true;
+ orbekk.mullvad.enable = true;
+ orbekk.nycmesh.enable = true;
 services.tftpd.enable = true;
 services.openntpd.enable = true;
@@ -91,7 +91,7 @@ in {
 proto tcp dport ssh ACCEPT;
 proto (tcp udp) dport domain ACCEPT;
 proto tcp dport (http https) ACCEPT;
- proto udp dport ${toString wireguardPort} ACCEPT;
+ proto udp dport (${lib.concatStringsSep " " (map toString wireguardPorts)}) ACCEPT;
 }
 interface ($DEV_LAN $DEV_ADMIN) @subchain "lan_services" {
diff --git a/modules/mullvad.nix b/modules/mullvad.nix
new file mode 100644
index 0000000..436a3b2
--- /dev/null
+++ b/modules/mullvad.nix
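Review bot: `wireguardPorts` in the first hunk collects both modules' `listenPort` values unconditionally, so the WAN `proto udp dport (...) ACCEPT` rule in the second hunk keeps a UDP port open on the WAN side even if one of the tunnels is later disabled; the two new modules already gate their own port behind `mkIf cfg.enable` via `orbekk.simple-firewall.allowedUDPPorts`, and the ferm rule should follow the same flags: `wireguardPorts = lib.optional config.orbekk.mullvad.enable config.orbekk.mullvad.listenPort ++ lib.optional config.orbekk.nycmesh.enable config.orbekk.nycmesh.listenPort;`. The second hunk also introduces `lib` into this file; its argument list is on the first line, outside the hunk, so check that `lib` is actually bound there. Both the `let` block and the ferm string start or end outside the hunks shown.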
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.mullvad;
+in
+{
+ options = {
+ orbekk.mullvad = {
+ enable = lib.mkEnableOption "Enable VPN";
+
+ listenPort = lib.mkOption {
+ type = lib.types.port;
+ default = 40421;
+ description = "wireguard local port";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.mullvad = {
+ privateKeyFile = "/opt/secret/wireguard/mullvad.private";
+ ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+ allowedIPsAsRoutes = false;
+ listenPort = cfg.listenPort;
+ peers = [
+ {
+ endpoint = "ca10-wireguard.mullvad.net:51820";
+ publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
+ allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/nycmesh.nix b/modules/nycmesh.nix
new file mode 100644
index 0000000..e3a3f26
--- /dev/null
+++ b/modules/nycmesh.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.nycmesh;
+in
+{
+ options = {
+ orbekk.nycmesh = {
+ enable = lib.mkEnableOption "Enable VPN";
+
+ listenPort = lib.mkOption {
+ type = lib.types.port;
+ default = 40423;
+ description = "wireguard local port";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.nycmesh = {
+ privateKeyFile = "/opt/secret/wireguard/nycmesh.private";
+ ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+ allowedIPsAsRoutes = false;
+ listenPort = cfg.listenPort;
+ peers = [
+ {
+ endpoint = "ca10-wireguard.nycmesh.net:51820";
+ publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
+ allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
deleted file mode 100644
index 0188d90..0000000
--- a/modules/wireguard.nix
+++ /dev/null
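Review bot: `enable = lib.mkEnableOption "Enable VPN"` renders as the option description "Whether to enable Enable VPN." because `mkEnableOption` prepends "Whether to enable"; the argument should be a noun phrase naming the thing, e.g. `enable = lib.mkEnableOption "the Mullvad WireGuard tunnel";`. The same generic text is in the new modules/nycmesh.nix, where it should read `"the NYC Mesh WireGuard tunnel"`. The `description = "wireguard local port"` on `listenPort` should also say which tunnel it belongs to, since both modules now expose one and the router's firewall rule opens both. `pkgs` is taken in the argument set of both modules but never used.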
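Review bot: The nycmesh peer block in this hunk is a rename of the Mullvad one rather than the NYC Mesh configuration this commit deletes from modules/wireguard.nix: `ips`, `endpoint` and `publicKey` carry the Mullvad values (the public key `pAVh6WJ…` is the same one modules/mullvad.nix pins, and `ca10-wireguard.nycmesh.net` appears nowhere else in the change). `publicKey` pins the identity of the remote peer, so with the wrong key the handshake with the NYC Mesh endpoint can never complete and the interface sits dead, and the duplicated `ips` give two interfaces the same addresses. The values the deleted module used were `ips = [ "10.70.73.50/32" ];`, `endpoint = "wgvpn.sn1.mesh.nycmesh.net:51822";` and `publicKey = "W5AQ3LmNVr2bW/IQrIY1GpyacplGc2lpavoeSzU/KhQ=";`; restore those unless the peer genuinely changed.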
@@ -1,55 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- cfg = config.orbekk.wireguard;
-in
-{
- options = {
- orbekk.wireguard = {
- enable = lib.mkEnableOption "Enable VPN";
- enableMullvad = lib.mkEnableOption "Enable Mullvad";
- enableNycmesh = lib.mkEnableOption "Enable NYC Mesh";
-
- listenPort = lib.mkOption {
- type = lib.types.port;
- default = 40421;
- description = "wireguard local port";
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
-
- networking.wireguard = {
- enable = true;
- interfaces.mullvad = lib.mkIf cfg.enableMullvad {
- privateKeyFile = "/opt/secret/wireguard/mullvad.private";
- ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
- allowedIPsAsRoutes = false;
- listenPort = cfg.listenPort;
- peers = [
- {
- endpoint = "ca10-wireguard.mullvad.net:51820";
- publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
- allowedIPs = [ "0.0.0.0/0" "::0/0" ];
- }
- ];
- };
-
- interfaces.nycmesh = lib.mkIf cfg.enableNycmesh {
- privateKeyFile = "/opt/secret/wireguard/nycmesh.private";
- ips = [ "10.70.73.50/32" ];
- allowedIPsAsRoutes = false;
- listenPort = cfg.listenPort;
- peers = [
- {
- endpoint = "wgvpn.sn1.mesh.nycmesh.net:51822";
- publicKey = "W5AQ3LmNVr2bW/IQrIY1GpyacplGc2lpavoeSzU/KhQ=";
- allowedIPs = [ "0.0.0.0/0" "::0/0" ];
- }
- ];
- };
- };
- };
-}
-- cgit v1.2.3