From 13b0b83d9fb732decc97a499bd9ccdb4cdbdf25e Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Thu, 13 Oct 2022 10:51:21 +0200
Subject: [PATCH] moved tinc to components/tinc
---
 nixos/components/network/default.nix | 2 +
 .../all => components/network}/hosts.nix | 0
 nixos/components/network/tinc/default.nix | 14 +++
 nixos/components/network/tinc/private.nix | 42 +++++++
 nixos/components/network/tinc/retiolum.nix | 34 ++++++
 nixos/components/network/tinc/secret.nix | 33 ++++++
 nixos/machines/robi/configuration.nix | 4 +-
 nixos/machines/robi/tinc.nix | 5 -
 nixos/system/all/default.nix | 2 -
 nixos/system/all/tinc.nix | 105 ------------------
 10 files changed, 128 insertions(+), 113 deletions(-)
 rename nixos/{system/all => components/network}/hosts.nix (100%)
 create mode 100644 nixos/components/network/tinc/default.nix
 create mode 100644 nixos/components/network/tinc/private.nix
 create mode 100644 nixos/components/network/tinc/retiolum.nix
 create mode 100644 nixos/components/network/tinc/secret.nix
 delete mode 100644 nixos/system/all/tinc.nix
diff --git a/nixos/components/network/default.nix b/nixos/components/network/default.nix
index f682473..4664c23 100644
--- a/nixos/components/network/default.nix
+++ b/nixos/components/network/default.nix
@@ -2,5 +2,7 @@
 {
 imports = [
 ./sshd
+ ./tinc
+ ./hosts.nix
 ];
 }
diff --git a/nixos/system/all/hosts.nix b/nixos/components/network/hosts.nix
similarity index 100%
rename from nixos/system/all/hosts.nix
rename to nixos/components/network/hosts.nix
diff --git a/nixos/components/network/tinc/default.nix b/nixos/components/network/tinc/default.nix
new file mode 100644
index 0000000..485d247
--- /dev/null
+++ b/nixos/components/network/tinc/default.nix
@@ -0,0 +1,14 @@
+{
+
+ imports = [
+ ./private.nix
+ ./retiolum.nix
+ ./secret.nix
+ ];
+
+ # keys for secret and private tinc network
+ sops.secrets.tinc_ed25519_key = { };
+ sops.secrets.tinc_rsa_key = { };
+
+}
+
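Review bot: The `imports` list in tinc/default.nix drops the `imports = [ ../../modules ];` that the deleted system/all/tinc.nix carried, so a host that picks up this directory (for instance through components/network/default.nix) without importing the modules tree itself now fails evaluation on the undefined option `module.cluster.services.tinc`; only robi/configuration.nix gains that import in this patch. Adding `../../../modules` to this list keeps the component self-contained. The comment `# keys for secret and private tinc network` is also worth extending: retiolum.nix references `config.sops.secrets.tinc_retiolum_ed25519_key` and `tinc_retiolum_rsa_key`, which nothing in this patch declares (the commented-out declarations in robi/tinc.nix are removed), so presumably any host enabling retiolum has to declare them elsewhere — say so here, e.g. `# retiolum keys (tinc_retiolum_*_key) must be declared by the host that enables retiolum`.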
diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix
new file mode 100644
index 0000000..0a59289
--- /dev/null
+++ b/nixos/components/network/tinc/private.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+ networking.firewall.trustedInterfaces = [ "tinc.private" ];
+
+ users.groups."tinc.private" = { };
+ users.users."tinc.private" = {
+ group = "tinc.private";
+ isSystemUser = lib.mkDefault true;
+ };
+
+ # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
+ module.cluster.services.tinc."private" = {
+ networkSubnet = "10.23.42.0/24";
+ extraConfig = ''
+ LocalDiscovery = yes
+ '';
+ privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
+ privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
+ hosts = {
+ pepe = {
+ tincIp = "10.23.42.26";
+ publicKey = lib.fileContents ../../../assets/tinc/pepe_host_file;
+ };
+ sterni = {
+ tincIp = "10.23.42.24";
+ publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
+ };
+ mobi = {
+ tincIp = "10.23.42.23";
+ publicKey = lib.fileContents ../../../assets/tinc/mobi_host_file;
+ };
+ robi = {
+ realAddress = [ "144.76.13.147" ];
+ tincIp = "10.23.42.111";
+ publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
+ };
+ };
+ };
+
+}
diff --git a/nixos/components/network/tinc/retiolum.nix b/nixos/components/network/tinc/retiolum.nix
new file mode 100644
index 0000000..1636e01
--- /dev/null
+++ b/nixos/components/network/tinc/retiolum.nix
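Review bot: `networking.firewall.trustedInterfaces = [ "tinc.private" ]` exempts the whole tinc.private interface from the host firewall, so every node listed under `hosts` — and anyone holding one of those nodes' private keys — reaches every locally listening service, not only the ones intended for the mesh; the `secret` network in the same patch gets no such exemption, so the asymmetry deserves a comment. If only specific services are meant to be reachable over the VPN, `networking.firewall.interfaces."tinc.private".allowedTCPPorts = [ … ];` scopes the opening to the interface and ports that need it. Either way a one-line `# the whole 10.23.42.0/24 mesh is trusted past the firewall on purpose` above the option records the decision for the next reader.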
@@ -0,0 +1,34 @@
+{ config, pkgs, lib, retiolum, ... }:
+{
+
+ # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
+ module.cluster.services.tinc."retiolum" = {
+ networkSubnet = "10.243.0.0/16";
+ port = 720;
+ extraConfig = ''
+ LocalDiscovery = yes
+ AutoConnect = yes
+ '';
+ privateEd25519KeyFile = toString config.sops.secrets.tinc_retiolum_ed25519_key.path;
+ privateRsaKeyFile = toString config.sops.secrets.tinc_retiolum_rsa_key.path;
+ hosts = {
+ pepe = {
+ tincIp = "10.243.23.1";
+ publicKey = lib.fileContents ../../../assets/tinc/retiolum/host_file;
+ };
+ sterni = {
+ tincIp = "10.243.23.3";
+ publicKey = lib.fileContents ../../../assets/tinc/retiolum/host_file;
+ };
+ };
+ };
+
+ networking.extraHosts = builtins.readFile (toString "${retiolum}/etc.hosts");
+ systemd.services."tinc.retiolum" = {
+ preStart = ''
+ cp -R ${retiolum}/hosts /etc/tinc/retiolum/ || true
+ '';
+ };
+
+}
+
diff --git a/nixos/components/network/tinc/secret.nix b/nixos/components/network/tinc/secret.nix
new file mode 100644
index 0000000..96e5c56
--- /dev/null
+++ b/nixos/components/network/tinc/secret.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, lib, ... }:
+{
+
+
+ # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
+ module.cluster.services.tinc."secret" = {
+ networkSubnet = "10.123.42.0/24";
+ port = 721;
+ extraConfig = ''
+ LocalDiscovery = yes
+ AutoConnect = yes
+ '';
+ privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
+ privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
+ hosts = {
+ sternchen = {
+ tincIp = "10.123.42.25";
+ publicKey = lib.fileContents ../../../assets/tinc/sternchen_host_file;
+ };
+ sterni = {
+ tincIp = "10.123.42.24";
+ publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
+ };
+ robi = {
+ realAddress = [ "144.76.13.147" ];
+ tincIp = "10.123.42.123";
+ publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
+ };
+ };
+ };
+
+}
+
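Review bot: `cp -R ${retiolum}/hosts /etc/tinc/retiolum/ || true` in `preStart` swallows every failure of the copy and never removes anything, so a missing or unreadable input starts the daemon against whatever host files are already on disk, and a peer dropped from the upstream `hosts` directory keeps its host file — and presumably stays an accepted peer, since tinc trusts the host files it finds — until someone deletes it by hand. That directory is the trust anchor of the network (and `networking.extraHosts` likewise imports `${retiolum}/etc.hosts` wholesale from the same input), so consider dropping `|| true` so a failed sync stops the unit, and decide how stale host files get pruned; how the module itself populates `/etc/tinc/retiolum/hosts` for the `hosts` declared above is not visible here, so a blanket `rm -rf` of that directory may not be safe. Separately, `pepe` and `sterni` both read `../../../assets/tinc/retiolum/host_file`, so two node names are configured with one public key; if that file is a placeholder rather than a copy-paste slip, a comment saying so would save the next reader a check.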
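Review bot: `privateEd25519KeyFile` and `privateRsaKeyFile` in secret.nix point at `config.sops.secrets.tinc_ed25519_key` and `tinc_rsa_key`, the same two secrets private.nix uses, so one keypair is the node's identity on both the `secret` and the `private` mesh; the shared `robi_host_file` and `workout_host_file` public keys confirm it. That undoes the separation the two network names suggest: a node key compromised through the `private` mesh (whose interface is firewall-trusted) is immediately valid on `secret`, and rotating the key for one network forces redistributing host files for both. tinc keeps keys per netname anyway, so distinct `sops.secrets.tinc_secret_ed25519_key` / `tinc_secret_rsa_key` entries with their own host files would cost little; if the reuse is intentional, a comment above the two `*KeyFile` lines stating that would be enough.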
diff --git a/nixos/machines/robi/configuration.nix b/nixos/machines/robi/configuration.nix
index 0199752..df558be 100644
--- a/nixos/machines/robi/configuration.nix
+++ b/nixos/machines/robi/configuration.nix
@@ -8,7 +8,9 @@
 ../../system/server/packages.nix
 ../../components/network/sshd
- ../../system/all/tinc.nix
+ ../../components/network/tinc
+
+ ../../modules
 ./hetzner.nix
diff --git a/nixos/machines/robi/tinc.nix b/nixos/machines/robi/tinc.nix
index 2f88b40..e8c0f03 100644
--- a/nixos/machines/robi/tinc.nix
+++ b/nixos/machines/robi/tinc.nix
@@ -1,7 +1,5 @@
 { config, lib, pkgs, ... }:
 {
- imports = [ ../../system/all/tinc.nix ];
-
 module.cluster.services.tinc = {
 "private" = {
 enable = true;
@@ -15,9 +13,6 @@
 };
 };
- #sops.secrets.tinc_retiolum_ed25519_key = { };
- #sops.secrets.tinc_retiolum_rsa_key = { };
-
 users.users."tinc.secret".group = "tinc.secret";
 users.groups."tinc.secret" = { };
diff --git a/nixos/system/all/default.nix b/nixos/system/all/default.nix
index 48931ef..f5ad531 100644
--- a/nixos/system/all/default.nix
+++ b/nixos/system/all/default.nix
@@ -21,9 +21,7 @@
 ./borg-jobs.nix
 ./borg-scripts.nix
 ./syncthing.nix
- ./tinc.nix
 ./on-failure.nix
- ./hosts.nix
 ];
diff --git a/nixos/system/all/tinc.nix b/nixos/system/all/tinc.nix
deleted file mode 100644
index 50d9ff7..0000000
--- a/nixos/system/all/tinc.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ config, pkgs, lib, retiolum, ... }:
-{
-
- imports = [ ../../modules ];
-
- networking.firewall.trustedInterfaces = [ "tinc.private" ];
-
- users.users."tinc.private".group = "tinc.private";
- users.groups."tinc.private" = { };
- users.users."tinc.private".isSystemUser = lib.mkDefault true;
-
-
- # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
- module.cluster.services.tinc = {
- "retiolum" = {
- networkSubnet = "10.243.0.0/16";
- port = 720;
- extraConfig = ''
- LocalDiscovery = yes
- AutoConnect = yes
- '';
- privateEd25519KeyFile =
- toString config.sops.secrets.tinc_retiolum_ed25519_key.path;
- privateRsaKeyFile = toString config.sops.secrets.tinc_retiolum_rsa_key.path;
- hosts = {
- pepe = {
- tincIp = "10.243.23.1";
- publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file;
- };
- sterni = {
- tincIp = "10.243.23.3";
- publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file;
- };
- };
- };
- # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
- "secret" = {
- networkSubnet = "10.123.42.0/24";
- port = 721;
- extraConfig = ''
- LocalDiscovery = yes
- AutoConnect = yes
- '';
- privateEd25519KeyFile =
- toString config.sops.secrets.tinc_ed25519_key.path;
- privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
- hosts = {
- sternchen = {
- tincIp = "10.123.42.25";
- publicKey = lib.fileContents ../../assets/tinc/sternchen_host_file;
- };
- sterni = {
- tincIp = "10.123.42.24";
- publicKey = lib.fileContents ../../assets/tinc/workout_host_file;
- };
- robi = {
- realAddress = [ "144.76.13.147" ];
- tincIp = "10.123.42.123";
- publicKey = lib.fileContents ../../assets/tinc/robi_host_file;
- };
- };
- };
- # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
- "private" = {
- networkSubnet = "10.23.42.0/24";
- extraConfig = ''
- LocalDiscovery = yes
- '';
- privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
- privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
- hosts = {
- pepe = {
- tincIp = "10.23.42.26";
- publicKey = lib.fileContents ../../assets/tinc/pepe_host_file;
- };
- sterni = {
- tincIp = "10.23.42.24";
- publicKey = lib.fileContents ../../assets/tinc/workout_host_file;
- };
- mobi = {
- tincIp = "10.23.42.23";
- publicKey = lib.fileContents ../../assets/tinc/mobi_host_file;
- };
- robi = {
- realAddress = [ "144.76.13.147" ];
- tincIp = "10.23.42.111";
- publicKey = lib.fileContents ../../assets/tinc/robi_host_file;
- };
- };
- };
- };
-
- sops.secrets.tinc_ed25519_key = { };
- sops.secrets.tinc_rsa_key = { };
-
- # retiolum stuff
- networking.extraHosts = builtins.readFile (toString "${retiolum}/etc.hosts");
- systemd.services."tinc.retiolum" = {
- preStart = ''
- cp -R ${retiolum}/hosts /etc/tinc/retiolum/ || true
- '';
- };
-
-}
-