nebula: use shared config from julm-nix

[sourcephile-nix.git] / nixos / modules / services / networking / wireguard.nix

diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 3049bf160daf6c8015288ea17554aa670766639d..d58518c570ac2fd0345d89728a4067454125dab8 100644 (file)
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -88,7 +88,7 @@ let
   };
 
   keyToUnitName = replaceChars
-    [ "/" "-"    " "     "+"     "="      ]
+    [ "/" "-" " " "+" "=" ]
     [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ];
 
   peerUnitServiceName = interfaceName: publicKey: dynamicRefreshEnabled:
@@ -96,7 +96,7 @@ let
       unitName = keyToUnitName publicKey;
       refreshSuffix = optionalString dynamicRefreshEnabled "-refresh";
     in
-      "wireguard-${interfaceName}-peer-${unitName}${refreshSuffix}";
+    "wireguard-${interfaceName}-peer-${unitName}${refreshSuffix}";
 
   # See:
   # - systemd-analyze security wireguard-${iface}-peers-announcing@
@@ -121,8 +121,13 @@ let
     # Remove (likely) unused groups from the basic @system-service group
     SystemCallFilter = [
       "@system-service"
-      "~@aio" "~@chown" "~@keyring" "~@privileged"
-      "~@memlock" "~@resources" "~@setuid"
+      "~@aio"
+      "~@chown"
+      "~@keyring"
+      "~@privileged"
+      "~@memlock"
+      "~@resources"
+      "~@setuid"
     ];
     RestrictRealtime = true;
     LockPersonality = true;
@@ -136,7 +141,7 @@ let
     nameValuePair "wireguard-${name}-peers-announcing"
       {
         enable = values.peersAnnouncing.enable;
-        listenStreams = [(toString values.peersAnnouncing.listenPort)];
+        listenStreams = [ (toString values.peersAnnouncing.listenPort) ];
         socketConfig.Accept = true;
         # Basic firewalling restricting answers to peers
         # querying an internal IP address of the announcing peer.
@@ -171,7 +176,8 @@ let
         ];
       };
 
-  generateEndpointsUpdaterUnit = { interfaceName, interfaceCfg, peer }: let
+  generateEndpointsUpdaterUnit = { interfaceName, interfaceCfg, peer }:
+    let
       dynamicRefreshEnabled = peer.dynamicEndpointRefreshSeconds != 0;
       peerService = peerUnitServiceName interfaceName peer.publicKey dynamicRefreshEnabled;
     in
@@ -233,24 +239,29 @@ in
 {
 
   options.networking.wireguard.interfaces = mkOption {
-      type = with types; attrsOf (submodule interfaceOpts);
-    };
+    type = with types; attrsOf (submodule interfaceOpts);
+  };
 
-  config = mkIf cfg.enable (let
-    all_peers = flatten
-      (mapAttrsToList (interfaceName: interfaceCfg:
-        map (peer: { inherit interfaceName interfaceCfg peer;}) interfaceCfg.peers
-      ) cfg.interfaces);
-  in {
+  config = mkIf cfg.enable (
+    let
+      all_peers = flatten
+        (mapAttrsToList
+          (interfaceName: interfaceCfg:
+            map (peer: { inherit interfaceName interfaceCfg peer; }) interfaceCfg.peers
+          )
+          cfg.interfaces);
+    in
+    {
 
-    systemd.sockets =
-      mapAttrs' generatePeersAnnouncingSocket cfg.interfaces;
+      systemd.sockets =
+        mapAttrs' generatePeersAnnouncingSocket cfg.interfaces;
 
-    systemd.services =
-      mapAttrs' generatePeersAnnouncingUnit cfg.interfaces //
-      (listToAttrs (map generateEndpointsUpdaterUnit
-        (filter ({peer, ...}: peer.endpointsUpdater.enable) all_peers)));
+      systemd.services =
+        mapAttrs' generatePeersAnnouncingUnit cfg.interfaces //
+        (listToAttrs (map generateEndpointsUpdaterUnit
+          (filter ({ peer, ... }: peer.endpointsUpdater.enable) all_peers)));
 
-  });
+    }
+  );
 
 }