dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add wireguard watchdog

Browse source
This commit is contained in:
danny 2025-12-30 15:11:46 +08:00
parent b3c5ad2880
commit 27482b20d7
7 changed files with 137 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

5
system/dev/dn-lap/sops/sops-conf.nix
View file

@ -1,7 +1,2 @@
{
sops = {
secrets = {
"wireguard/wg0.conf" = { };
};
};
}

2
system/dev/dn-pre7780/services/default.nix
View file

@ -1,7 +1,7 @@
{
imports = [
../../../modules/postgresql.nix
./mail.nix
# ./mail.nix
./nginx.nix
./wireguard.nix
# ./nextcloud.nix

2
system/dev/dn-pre7780/sops/sops-conf.nix
View file

@ -5,8 +5,6 @@ in
{
sops = {
secrets = {
"wireguard/wg0.conf" = { };
"lam/env" = { };
"netbird/oidc/secret" = mkIf config.services.netbird.server.dashboard.enable {

7
system/dev/skydrive-lap/sops/sops-conf.nix
View file

@ -1,8 +1,3 @@
{ config, lib, ... }:
{ ... }:
{
sops = {
secrets = {
"wireguard/wg0.conf" = { };
};
};
}

6
system/modules/shells/noctalia/bar.nix
View file

@ -1,13 +1,13 @@
{
backgroundOpacity = 1;
capsuleOpacity = 1;
backgroundOpacity = 0.25;
capsuleOpacity = 0;
density = "comfortable";
exclusive = true;
floating = true;
marginHorizontal = 0.25;
marginVertical = 0.25;
outerCorners = false;
postition = "top";
position = "top";
showCapsule = true;
widgets = {
center = [

27
system/modules/shells/noctalia/default.nix
View file

@ -32,7 +32,7 @@ in
enable = true;
systemd.enable = true;
settings = {
settingsVersion = 25;
settingsVersion = 26;
appLauncher = {
customLaunchPrefix = "";
customLaunchPrefixEnabled = false;
@ -61,18 +61,10 @@ in
brightness = {
brightnessStep = 5;
enableDdcSupport = false;
enforceMinium = true;
enforceMinimum = true;
};
calendar = {
cards = [
{
enabled = true;
id = "banner-card";
}
{
enabled = true;
id = "calendar-card";
}
{
enabled = true;
id = "timer-card";
@ -81,6 +73,14 @@ in
enabled = true;
id = "weather-card";
}
{
enabled = true;
id = "calendar-header-card";
}
{
enabled = true;
id = "calendar-month-card";
}
];
};
changelog = {
@ -101,14 +101,13 @@ in
backgroundOpacity = 1;
colorizeIcons = false;
displayMode = "auto_hide";
enabled = true;
enabled = false;
floatingRatio = 1;
monitors = [
];
onlySameOutput = true;
pinnedApps = [
];
radiusRatio = 0.68;
size = 1;
};
general = {
@ -116,6 +115,8 @@ in
animationDisabled = false;
animationSpeed = 1.5;
avatarImage = "${config.home.homeDirectory}/.face";
boxRadiusRatio = 0.68;
iRadiusRatio = 0.68;
compactLockScreen = false;
dimmerOpacity = 0.4;
enableShadows = true;
@ -206,7 +207,7 @@ in
fontDefaultScale = 1;
fontFixed = config.stylix.fonts.monospace.name;
fontFixedScale = 1;
panelBackgroundOpacity = 1;
panelBackgroundOpacity = 0.25;
panelsAttachedToBar = true;
settingsPanelAttachToBar = true;
tooltipsEnabled = true;

118
system/modules/wireguard.nix
View file

@ -1,12 +1,130 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) getExe;
notifyUser = pkgs.writeShellScriptBin "wg0-watchdog-notify-user" ''
is_wg_active() {
systemctl is-active wg-quick-wg0.service >/dev/null 2>&1
return $?
}
if is_wg_active; then
notify-send -u critical -a Wireguard "Endpoint up, wireguard resumed."
else
notify-send -u critical -a Wireguard "Endpoint down, wireguard stopped."
fi
'';
watchDog = pkgs.writeShellScriptBin "wg0-watchdog" ''
TARGET_CONF="$1"
PING_INTERVAL=1
PING_TIMEOUT=1
PING_COUNT=1
set -euo pipefail
error_with_msg() {
echo "$1"
echo "Exiting"
exit 1
}
notify() {
users=$(loginctl list-users --json=short | jq -r '.[].user')
for user in $users; do
systemctl --machine=danny@.host --user start wg0-notify-user
done
}
get_ip_from_conf() {
sed -n "s/Endpoint[[:space:]]*=[[:space:]]*\(.*\):[0-9]*/\\1/p" "$1"
}
check_health() {
ping -c "$PING_COUNT" -W "$PING_TIMEOUT" $1 >/dev/null 2>&1
return $?
}
is_wg_active() {
systemctl is-active wg-quick-wg0.service >/dev/null 2>&1
return $?
}
start_wg() {
systemctl start wg-quick-wg0.service >/dev/null
}
stop_wg() {
systemctl stop wg-quick-wg0.service >/dev/null
}
if [ ! -e "$TARGET_CONF" ]; then
error_with_msg "Target wireguard configuration not exist: $TARGET_CONF"
fi
TARGET_IP=$(get_ip_from_conf "$TARGET_CONF")
if [ -z "$TARGET_IP" ]; then
error_with_msg "IP not found"
fi
echo "Start detecting..."
while true; do
if check_health "$TARGET_IP"; then
if ! is_wg_active; then
start_wg
echo "Endpoint up, wireguard resumed."
notify
fi
else
if is_wg_active; then
stop_wg
echo "Endpoint down, wireguard stopped."
notify
fi
fi
sleep $PING_INTERVAL
done
'';
in
{
sops.secrets."wireguard/wg0.conf" = { };
networking = {
firewall = {
allowedUDPPorts = [ 51820 ];
};
wg-quick.interfaces.wg0.configFile = config.sops.secrets."wireguard/wg0.conf".path;
};
systemd.services.wg0-watchdog = {
wantedBy = [ "wg-quick-wg0.service" ];
after = [ "wg-quick-wg0.service" ];
path = with pkgs; [
jq
];
serviceConfig = {
ExecStart = "${getExe watchDog} \"${config.sops.secrets."wireguard/wg0.conf".path}\"";
RestartSec = 5;
TimeoutStopSec = 0;
};
};
systemd.user.services.wg0-notify-user = {
wantedBy = [ "graphical-session.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${getExe notifyUser}";
};
path = with pkgs; [
libnotify
];
};
}