kinda work for sterni
parent
4b9cfdcc6e
commit
211f241cd1
@ -1,14 +1,35 @@
|
|||
{ lib, config, ... }:
|
||||
with lib;
|
||||
{
|
||||
|
||||
imports = [
|
||||
#./private.nix
|
||||
#./retiolum.nix
|
||||
#./secret.nix
|
||||
options.tinc = {
|
||||
private = {
|
||||
enable = mkEnableOption "private tinc setup";
|
||||
ipv4 = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
secret = {
|
||||
enable = mkEnableOption "secret tinc setup";
|
||||
ipv4 = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
(mkIf config.tinc.private.enable (import ./private.nix {
|
||||
ipv4 = config.tinc.private.ipv4;
|
||||
ipv6 = null;
|
||||
inherit (lib) optionalString concatStringsSep mapAttrsToList;
|
||||
inherit config;
|
||||
}))
|
||||
(mkIf config.tinc.secret.enable (import ./secret.nix {
|
||||
ipv4 = config.tinc.secret.ipv4;
|
||||
ipv6 = null;
|
||||
inherit (lib) optionalString concatStringsSep mapAttrsToList;
|
||||
inherit config;
|
||||
}))
|
||||
];
|
||||
|
||||
# keys for secret and private tinc network
|
||||
sops.secrets.tinc_ed25519_key = { };
|
||||
#sops.secrets.tinc_rsa_key = { };
|
||||
|
||||
}
|
||||
|
||||
|
|
|
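Review bot: `tinc.private.ipv4` and `tinc.secret.ipv4` are declared with `type = types.str;` and no default, while the imported private.nix and secret.nix guard the address with `optionalString (ipv4 != null) ...`, so that guard can never fire and enabling a network without setting ipv4 fails at evaluation instead of yielding an address-less interface; either declare `type = types.nullOr types.str; default = null;` or drop the guard in the two imports. Both imports are also handed the same `sops.secrets.tinc_ed25519_key`, so one node identity spans two trust domains and a rotation or compromise of that key affects both networks at once; the comment `# keys for secret and private tinc network` would say more as `# one ed25519 identity shared by the private and secret networks; rotating it re-keys both`. Which of these lines are new is inferred from the layout, since the rendered page has lost its +/- markers.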
@ -1,46 +1,90 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
networking.firewall.trustedInterfaces = [ "tinc.private" ];
|
||||
|
||||
users.groups."tinc.private" = { };
|
||||
users.users."tinc.private" = {
|
||||
group = "tinc.private";
|
||||
isSystemUser = lib.mkDefault true;
|
||||
{ ipv4
|
||||
, ipv6
|
||||
, config
|
||||
, optionalString
|
||||
, concatStringsSep
|
||||
, mapAttrsToList
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
hosts = {
|
||||
mobi = "10.23.42.23";
|
||||
sterni = "10.23.42.24";
|
||||
bobi = "10.23.42.25";
|
||||
pepe = "10.23.42.26";
|
||||
robi = "144.76.13.147";
|
||||
};
|
||||
network = "private";
|
||||
in
|
||||
{
|
||||
sops.secrets.tinc_ed25519_key = { };
|
||||
|
||||
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
|
||||
module.cluster.services.tinc."private" = {
|
||||
networkSubnet = "10.23.42.0/24";
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
'';
|
||||
privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
|
||||
privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
|
||||
hosts = {
|
||||
pepe = {
|
||||
tincIp = "10.23.42.26";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/pepe_host_file;
|
||||
};
|
||||
sterni = {
|
||||
tincIp = "10.23.42.24";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
|
||||
};
|
||||
mobi = {
|
||||
tincIp = "10.23.42.23";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/mobi_host_file;
|
||||
};
|
||||
bobi = {
|
||||
tincIp = "10.23.42.25";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/bobi_host_file;
|
||||
};
|
||||
robi = {
|
||||
realAddress = [ "144.76.13.147" ];
|
||||
tincIp = "10.23.42.111";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
|
||||
services.tinc.networks = {
|
||||
${network} = {
|
||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
|
||||
hostSettings = {
|
||||
mobi = {
|
||||
subnets = [{ address = hosts.mobi; }];
|
||||
settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
|
||||
};
|
||||
sterni = {
|
||||
subnets = [{ address = hosts.sterni; }];
|
||||
settings.Ed25519PublicKey = "Hm+YwSe6XiRNQD4HfJPgTB8UFVMyVi0vy+3ofMnW6jD";
|
||||
};
|
||||
bobi = {
|
||||
subnets = [{ address = hosts.bobi; }];
|
||||
settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
|
||||
};
|
||||
pepe = {
|
||||
subnets = [{ address = hosts.pepe; }];
|
||||
settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
|
||||
};
|
||||
robi = {
|
||||
addresses = [{ address = "144.76.13.147"; }];
|
||||
subnets = [{ address = hosts.robi; }];
|
||||
settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks.${network}.extraConfig = ''
|
||||
[Match]
|
||||
Name = tinc.${network}
|
||||
[Link]
|
||||
# tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
|
||||
MTUBytes=1377
|
||||
[Network]
|
||||
${optionalString (ipv4 != null) "Address=${ipv4}/24"}
|
||||
${optionalString (ipv6 != null) "Address=${ipv6}/28"}
|
||||
RequiredForOnline = no
|
||||
LinkLocalAddressing = no
|
||||
'';
|
||||
|
||||
networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") hosts);
|
||||
|
||||
services.openssh.knownHosts = {
|
||||
"robi" = {
|
||||
hostNames = [ "robi.${network}" hosts.robi ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
|
||||
};
|
||||
"sterni.${network}" = {
|
||||
hostNames = [ "sterni.${network}" hosts.sterni ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
|
||||
};
|
||||
"pepe.${network}" = {
|
||||
hostNames = [ "pepe.${network}" hosts.pepe ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
|
||||
};
|
||||
"bobi.${network}" = {
|
||||
hostNames = [ "bobi.${network}" hosts.bobi ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
|
||||
};
|
||||
"mobi.${network}" = {
|
||||
hostNames = [ "mobi.${network}" hosts.mobi ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
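Review bot: `hosts.robi` is set to `"144.76.13.147"` and then used as robi's tinc `subnets` address, so the node would advertise a /32 route to its own public endpoint over the tunnel, the very address tinc has to reach directly to bring the tunnel up, and the value lies outside the 10.23.42.0/24 range the other hosts use; the older module block on this page gave robi `tincIp = "10.23.42.111"`, so `robi = "10.23.42.111";` in the `hosts` attrset looks like the intended value. The same entry feeds `networking.extraHosts` and the `services.openssh.knownHosts."robi".hostNames` list, so correcting it in the `hosts` table keeps name and address pinning consistent in one place. The side of each line is inferred from the layout, since the rendered page has lost its +/- markers.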
@ -1,33 +1,78 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ ipv4
|
||||
, ipv6
|
||||
, config
|
||||
, optionalString
|
||||
, concatStringsSep
|
||||
, mapAttrsToList
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
port = 721;
|
||||
hosts = {
|
||||
sternchen = "10.123.42.25";
|
||||
sterni = "10.123.42.24";
|
||||
robi = "10.123.42.123";
|
||||
};
|
||||
network = "secret";
|
||||
in
|
||||
{
|
||||
sops.secrets.tinc_ed25519_key = { };
|
||||
|
||||
|
||||
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
|
||||
module.cluster.services.tinc."secret" = {
|
||||
networkSubnet = "10.123.42.0/24";
|
||||
port = 721;
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
AutoConnect = yes
|
||||
'';
|
||||
privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
|
||||
privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
|
||||
hosts = {
|
||||
sternchen = {
|
||||
tincIp = "10.123.42.25";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/sternchen_host_file;
|
||||
};
|
||||
sterni = {
|
||||
tincIp = "10.123.42.24";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
|
||||
};
|
||||
robi = {
|
||||
realAddress = [ "144.76.13.147" ];
|
||||
tincIp = "10.123.42.123";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
|
||||
services.tinc.networks = {
|
||||
${network} = {
|
||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
AutoConnect = yes
|
||||
Port = ${toString port}
|
||||
'';
|
||||
hostSettings = {
|
||||
sternchen = {
|
||||
subnets = [{ address = hosts.sterni; }];
|
||||
settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
|
||||
};
|
||||
sterni = {
|
||||
subnets = [{ address = hosts.sterni; }];
|
||||
settings.Ed25519PublicKey = "Hm+YwSe6XiRNQD4HfJPgTB8UFVMyVi0vy+3ofMnW6jD";
|
||||
};
|
||||
robi = {
|
||||
addresses = [{ address = "144.76.13.147"; port = port; }];
|
||||
subnets = [{ address = hosts.robi; }];
|
||||
settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks.${network}.extraConfig = ''
|
||||
[Match]
|
||||
Name = tinc.${network}
|
||||
[Link]
|
||||
# tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
|
||||
MTUBytes=1377
|
||||
[Network]
|
||||
${optionalString (ipv4 != null) "Address=${ipv4}/24"}
|
||||
${optionalString (ipv6 != null) "Address=${ipv6}/28"}
|
||||
RequiredForOnline = no
|
||||
LinkLocalAddressing = no
|
||||
'';
|
||||
|
||||
networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") hosts);
|
||||
|
||||
services.openssh.knownHosts = {
|
||||
"sternchen.${network}" = {
|
||||
hostNames = [ "sterni.${network}" hosts.sterni ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
|
||||
};
|
||||
"sterni.${network}" = {
|
||||
hostNames = [ "sterni.${network}" hosts.sterni ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
|
||||
};
|
||||
"robi" = {
|
||||
hostNames = [ "robi.${network}" hosts.robi ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
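Review bot: The `sternchen` entries are copied from `sterni` without updating the references: `hostSettings.sternchen.subnets` uses `hosts.sterni`, so both nodes advertise 10.123.42.24 and sternchen's own 10.123.42.25 is never routed, and `services.openssh.knownHosts."sternchen.${network}".hostNames` lists `"sterni.${network}" hosts.sterni`, which registers sternchen's ssh-ed25519 key under sterni's name and address. The second means two different host keys are accepted for sterni.secret while sternchen.secret has no pinned key at all. The fix is `subnets = [{ address = hosts.sternchen; }];` and `hostNames = [ "sternchen.${network}" hosts.sternchen ];`.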
@ -1,78 +1,10 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let ipv4 = "10.23.42.24";
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
# module.cluster.services.tinc = {
|
||||
# "private" = {
|
||||
# enable = true;
|
||||
# openPort = true;
|
||||
# connectTo = [ "robi" ];
|
||||
# };
|
||||
# "retiolum" = {
|
||||
# enable = true;
|
||||
# openPort = true;
|
||||
# };
|
||||
# "secret" = {
|
||||
# enable = true;
|
||||
# openPort = true;
|
||||
# connectTo = [ "robi" ];
|
||||
# };
|
||||
# };
|
||||
tinc.private.enable = true;
|
||||
tinc.private.ipv4 = "10.23.42.24";
|
||||
|
||||
#sops.secrets.tinc_retiolum_ed25519_key = { };
|
||||
#sops.secrets.tinc_retiolum_rsa_key = { };
|
||||
tinc.secret.enable = true;
|
||||
tinc.secret.ipv4 = "10.123.42.24";
|
||||
|
||||
#users.users."tinc.retiolum".group = "tinc.retiolum";
|
||||
#users.groups."tinc.retiolum" = { };
|
||||
|
||||
#users.users."tinc.secret".group = "tinc.secret";
|
||||
#users.groups."tinc.secret" = { };
|
||||
|
||||
|
||||
services.tinc.networks = {
|
||||
"private" = {
|
||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
|
||||
hostSettings = {
|
||||
mobi = {
|
||||
subnets = [{ address = "10.23.42.23"; }];
|
||||
settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
|
||||
};
|
||||
sterni = {
|
||||
subnets = [{ address = "10.23.42.24"; }];
|
||||
settings.Ed25519PublicKey = "Hm+YwSe6XiRNQD4HfJPgTB8UFVMyVi0vy+3ofMnW6jD";
|
||||
};
|
||||
bobi = {
|
||||
subnets = [{ address = "10.23.42.25"; }];
|
||||
settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
|
||||
};
|
||||
pepe = {
|
||||
subnets = [{ address = "10.23.42.26"; }];
|
||||
settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
|
||||
};
|
||||
robi = {
|
||||
addresses = [{ address = "144.76.13.147"; }];
|
||||
subnets = [{ address = "10.23.42.111"; }];
|
||||
settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."private".extraConfig = ''
|
||||
[Match]
|
||||
Name = tinc.private
|
||||
[Link]
|
||||
# tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
|
||||
MTUBytes=1377
|
||||
[Network]
|
||||
${optionalString (ipv4 != null) "Address=${ipv4}/24"}
|
||||
RequiredForOnline = no
|
||||
LinkLocalAddressing = no
|
||||
'';
|
||||
}
|
||||
|
|
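Review bot: `tinc.private.ipv4 = "10.23.42.24"` and `tinc.secret.ipv4 = "10.123.42.24"` repeat the `sterni` entries of the `hosts` tables in private.nix and secret.nix, so the address configured on the interface and the subnet advertised to peers for this node live in two places and can drift without any error. If the two modules keep their own `hosts` tables, the interface address could be taken from `hosts.${config.networking.hostName}` there, or an assertion that the option equals the table entry would catch a mismatch; otherwise a comment such as `# must match hosts.sterni in private.nix / secret.nix` on these two lines is the minimum. Which lines here are new is inferred from the layout, since the rendered page has lost its +/- markers.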