yk8s.wireguard

You MUST add yourself to the wireguard peers.

You can do so either in the following section of the config file or by using and configuring a git submodule. This submodule would then refer to another repository, holding the wireguard public keys of everybody that should have access to the cluster by default. This is the recommended approach for companies and organizations.

yk8s.wireguard.enabled

Type::

boolean

Default::

true

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.endpoints

Defines a WireGuard endpoint/server. To allow rolling key rotations, multiple endpoints can be added. Each endpoint’s id, port and subnet need to be unique.

Type::

list of (submodule)

Default::

[ ]

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.endpoints.*.enabled

Whether this endpoint is enabled on the frontend nodes.

Type::

boolean

Default::

true

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.endpoints.*.id

An ID unique to this endpoint

Type::

unsigned integer, meaning >=0, or non-empty string

Example::

0

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.endpoints.*.ip_cidr

IP address range to use for WireGuard clients. Must be set to a CIDR and must not conflict with the terraform.subnet_cidr. Should be chosen uniquely for all clusters of a customer at the very least so that they can use all of their clusters at the same time without having to tear down tunnels.

Type::

string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.endpoints.*.ip_gw

IP address range to use for WireGuard servers. Must be set to a CIDR and must not conflict with the terraform.subnet_cidr. Should be chosen uniquely for all clusters of a customer at the very least so that they can use all of their clusters at the same time without having to tear down tunnels.

Type::

string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.endpoints.*.ipv6_cidr

IP address range to use for WireGuard clients. Must be set to a CIDR and must not conflict with the terraform.subnet_cidr. Should be chosen uniquely for all clusters of a customer at the very least so that they can use all of their clusters at the same time without having to tear down tunnels.

Type::

null or non-empty string

Default::

null

Example::

"fd01::/120"

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.endpoints.*.ipv6_gw

IP address range to use for WireGuard servers. Must be set to a CIDR and must not conflict with the terraform.subnet_cidr. Should be chosen uniquely for all clusters of a customer at the very least so that they can use all of their clusters at the same time without having to tear down tunnels.

Type::

null or non-empty string

Default::

null

Example::

"fd01::1/120"

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.endpoints.*.port

The port Wireguard should use on the frontend nodes

Type::

16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default::

7777

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.ip_cidr

DEPRECATED. Use endpoints instead

IP address range to use for WireGuard clients. Must be set to a CIDR and must not conflict with the terraform.subnet_cidr. Should be chosen uniquely for all clusters of a customer at the very least so that they can use all of their clusters at the same time without having to tear down tunnels.

Type::

null or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$

Default::

null

Example::

"172.30.153.64/26"

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.ip_gw

DEPRECATED. Use endpoints instead

IP address range to use for WireGuard servers. Must be set to a CIDR and must not conflict with the terraform.subnet_cidr. Should be chosen uniquely for all clusters of a customer at the very least so that they can use all of their clusters at the same time without having to tear down tunnels.

Type::

null or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$

Default::

null

Example::

"172.30.153.65/26"

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.ipv6_cidr

DEPRECATED. Use endpoints instead

IP address range to use for WireGuard clients. Must be set to a CIDR and must not conflict with the terraform.subnet_cidr. Should be chosen uniquely for all clusters of a customer at the very least so that they can use all of their clusters at the same time without having to tear down tunnels.

Type::

null or non-empty string

Default::

null

Example::

"fd01::/120"

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.ipv6_gw

DEPRECATED. Use endpoints instead

IP address range to use for WireGuard servers. Must be set to a CIDR and must not conflict with the terraform.subnet_cidr. Should be chosen uniquely for all clusters of a customer at the very least so that they can use all of their clusters at the same time without having to tear down tunnels.

Type::

null or non-empty string

Default::

null

Example::

"fd01::1/120"

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.peers

The Wireguard peers that should be able to connect to the frontend nodes.

Type::

list of (submodule)

Default::

[ ]

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.peers.*.ident

An identifier for the public key

Type::

non-empty string

Example::

"name.lastname"

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.peers.*.ip

Type::

null or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])$

Default::

null

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.peers.*.ips

Type::

attribute set of (string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])/([0-9]|[12][0-9]|3[0-2])$ or string matching the pattern ^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9]).){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])$)

Default::

{ }

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.peers.*.ipsv6

Type::

attribute set of non-empty string

Default::

{ }

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.peers.*.ipv6

Type::

null or non-empty string

Default::

null

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.peers.*.pub_key

The public key of the peer created with wg keygen

Type::

non-empty string

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard

yk8s.wireguard.port

DEPRECATED. Use endpoints instead

The port Wireguard should use on the frontend nodes

Type::

null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default::

null

Example::

7777

Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/wireguard