diff --git a/terranix/tinc-test/.gitignore b/terranix/tinc-test/.gitignore
new file mode 100644
index 0000000..bd14e35
--- /dev/null
+++ b/terranix/tinc-test/.gitignore
@@ -0,0 +1,10 @@
+.terraform
+*.tf.json
+*.swp
+
+02-build/generated/**
+!02-build/generated/.keep
+
+terraform.tfstate
+terraform.tfstate.backup
+.terraform.tfstate.lock.info
diff --git a/terranix/tinc-test/01-terranix/config.nix b/terranix/tinc-test/01-terranix/config.nix
new file mode 100644
index 0000000..072e609
--- /dev/null
+++ b/terranix/tinc-test/01-terranix/config.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+let
+
+ hcloud-modules = pkgs.fetchgit {
+ #url = "https://github.com/mrVanDalo/terranix-hcloud.git";
+ url = "https://git.ingolf-wagner.de/terranix/hcloud.git";
+ rev = "b6896f385f45ecfd66e970663c55635c9fd8b26b";
+ sha256 = "1bggnbry7is7b7cjl63q6r5wg9pqz0jn8i3nnc4rqixp0ckwdn85";
+ };
+
+ #hcloud-modules = /home/palo/dev/terranix-hcloud/terraform-0.11;
+
+in {
+
+ imports = [
+ (toString hcloud-modules)
+
+ ./config/file-generation.nix
+ ./config/ssh-setup.nix
+ ];
+
+ #hcloud.export.nix = "${toString ../02-build/generated}/test.nix";
+
+ hcloud.nixserver.server = {
+ configurationFile = pkgs.writeText "configuration.nix" ''
+ { pkgs, lib, ... }:
+ {
+ environment.systemPackages = with pkgs; [
+ htop git vim mosh
+ ];
+ networking.firewall.allowedUDPPorts = [ 60001 ];
+ }
+ '';
+ };
+
+}
diff --git a/terranix/tinc-test/01-terranix/config/file-generation.nix b/terranix/tinc-test/01-terranix/config/file-generation.nix
new file mode 100644
index 0000000..fa4e1c6
--- /dev/null
+++ b/terranix/tinc-test/01-terranix/config/file-generation.nix
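Review bot: The ignore list leaves `sshkey`, `sshkey.pub` and the key files under `02-build/assets/tinc/` untracked rather than ignored, so the keys the README tells users to regenerate with `ssh-keygen -P "" -f sshkey` and `tinc --config . generate-keys 4096` land in the next `git add .`. Adding `sshkey`, `sshkey.pub`, `02-build/assets/tinc/*/*_key` and `02-build/assets/tinc/*/*.priv` here keeps fresh secrets out of the index by default; copies that are already tracked additionally need `git rm --cached`. `*.tf.json` already covers the config that `create` writes, so the Terraform side is fine.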
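Review bot: `#hcloud-modules = /home/palo/dev/terranix-hcloud/terraform-0.11;` and `#url = "https://github.com/mrVanDalo/terranix-hcloud.git";` are commented-out alternatives carrying a developer-local path; drop them, or make the module source a `nix-shell --arg`-style parameter so switching does not mean editing the file. The inline `configurationFile` repeats the package list and `allowedUDPPorts = [ 60001 ]` from `02-build/configs/nixserver-server/configuration.nix`, and nothing says which copy wins; presumably this one only seeds the freshly provisioned machine and 02-build is authoritative, which deserves a comment such as `# bootstrap config only; 02-build replaces it on deploy`. The `rev` plus `sha256` pin on the fetchgit is the right way to reference the module.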
@@ -0,0 +1,30 @@
+# --------------------------------------------------------------------------------
+#
+# collect all server information and generate files which get picked up
+# by 02-build to deploy the machines properly.
+#
+# This makes it possible to deploy VPNs like tinc and wireguard.
+#
+# --------------------------------------------------------------------------------
+
+{ config, lib, pkgs, ... }: {
+ resource.local_file = {
+ nixosMachines = {
+ content = with lib;
+ let
+ serverPart = name: ''
+ ${name} = {
+ host = "''${ hcloud_server.${name}.ipv4_address }";
+ user = "root";
+ };
+ '';
+ allServerParts = map serverPart (attrNames config.hcloud.server);
+ in ''
+ {
+ ${concatStringsSep "\n" allServerParts}
+ }
+ '';
+ filename = "${toString ../../02-build/generated/nixos-machines.nix}";
+ };
+ };
+}
diff --git a/terranix/tinc-test/01-terranix/config/ssh-setup.nix b/terranix/tinc-test/01-terranix/config/ssh-setup.nix
new file mode 100644
index 0000000..d7ce676
--- /dev/null
+++ b/terranix/tinc-test/01-terranix/config/ssh-setup.nix
@@ -0,0 +1,44 @@
+# --------------------------------------------------------------------------------
+#
+# configure ssh setup
+#
+# --------------------------------------------------------------------------------
+
+{ config, lib, pkgs, ... }:
+let
+ ssh = {
+ privateKeyFile = ../../sshkey;
+ publicKeyFile = ../../sshkey.pub;
+ };
+ target = file: "${toString ../../02-build/generated}/${file}";
+in {
+ # configure admin ssh keys
+ users.admins.palo.publicKey = lib.fileContents ssh.publicKeyFile;
+
+ # configure provisioning private Key to be used when running provisioning on the machines
+ provisioner.privateKeyFile = toString ssh.privateKeyFile;
+
+ resource.local_file = {
+
+ # provide ssh key for the server
+ sshKey = {
+ content = lib.fileContents ssh.publicKeyFile;
+ filename = target "sshkey.pub";
+ };
+
+ sshConfig = {
+ filename = target "ssh-configuration";
+ content = with lib;
+ let
+ configPart = name: ''
+ Host ''${ hcloud_server.${name}.ipv4_address }
+ IdentityFile ${toString ssh.privateKeyFile}
+ ServerAliveInterval 60
+ ServerAliveCountMax 3
+ '';
+ in concatStringsSep "\n"
+ (map configPart (attrNames config.hcloud.server));
+ };
+ };
+}
+
diff --git a/terranix/tinc-test/01-terranix/shell.nix b/terranix/tinc-test/01-terranix/shell.nix
new file mode 100644
index 0000000..51fb7fc
--- /dev/null
+++ b/terranix/tinc-test/01-terranix/shell.nix
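Review bot: The generated `Host` stanzas in `configPart` set `IdentityFile` and keepalives but say nothing about host keys, so every first connection to a freshly created server is trust-on-first-use against the user's global known_hosts, and a `clean`/`create` cycle that gets a reused address then fails with a mismatch for a key nobody verified in the first place. Emitting `UserKnownHostsFile ${target "known_hosts"}` in each stanza keeps that trust store next to the generated config, created and discarded together with the machine; if the hcloud module exposes the server's host key, pinning it there would be better still. A one-line comment on `provisioner.privateKeyFile` noting that `toString` hands over the plain path and so keeps the key out of the world-readable Nix store would help the next reader, since that appears to be the reason for the conversion.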
@@ -0,0 +1,34 @@
+{ pkgs ? import { } }:
+
+let
+
+ terranix = pkgs.callPackage (pkgs.fetchgit {
+ url = "https://github.com/mrVanDalo/terranix.git";
+ rev = "6097722f3a94972a92d810f3a707351cd425a4be";
+ sha256 = "1d8w82mvgflmscvq133pz9ynr79cgd5qjggng85byk8axj6fg6jw";
+ }) { };
+
+ terraform = pkgs.writers.writeDashBin "terraform" ''
+ export TF_VAR_hcloud_api_token=`${pkgs.pass}/bin/pass development/hetzner.com/api-token`
+ ${pkgs.terraform_0_11}/bin/terraform "$@"
+ '';
+
+ create = pkgs.writers.writeDashBin "create" ''
+ ${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > ${
+ toString ./.
+ }/config.tf.json \
+ && ${terraform}/bin/terraform init \
+ && ${terraform}/bin/terraform apply
+ '';
+
+ clean = pkgs.writers.writeBashBin "clean" ''
+ ${terraform}/bin/terraform destroy
+ rm ${toString ./.}/config.tf.json
+ rm ${toString ./.}/terraform.tfstate*
+ '';
+
+in pkgs.mkShell {
+
+ buildInputs = with pkgs; [ terranix terraform create clean ];
+
+}
diff --git a/terranix/tinc-test/02-build/assets/tinc/client/ed25519_key.priv b/terranix/tinc-test/02-build/assets/tinc/client/ed25519_key.priv
new file mode 100644
index 0000000..ea89506
--- /dev/null
+++ b/terranix/tinc-test/02-build/assets/tinc/client/ed25519_key.priv
@@ -0,0 +1,4 @@
+-----BEGIN ED25519 PRIVATE KEY-----
+gTFtvOMvD5KTUZeGNcTh5ngY/BktUd0OW/37jT8w+61eLP0ntMkaBB8yovTbJvXR
+vReDUb/hjIi7nhGgy2EzP6An4QtXWvTHWJSDefglGVlcFqPDbhRkJ8CpWbCGoIYt
+-----END ED25519 PRIVATE KEY-----
diff --git a/terranix/tinc-test/02-build/assets/tinc/client/host_file b/terranix/tinc-test/02-build/assets/tinc/client/host_file
new file mode 100644
index 0000000..eba689a
--- /dev/null
+++ b/terranix/tinc-test/02-build/assets/tinc/client/host_file
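Review bot: In `create`, the exit status of `${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > …/config.tf.json` is jq's, not terranix's, so a terranix evaluation failure still leaves an empty or truncated `config.tf.json` and the `&&` chain proceeds to `terraform init` and `terraform apply` against it. Capturing first — `out=$(${terranix}/bin/terranix) && printf '%s\n' "$out" | ${pkgs.jq}/bin/jq '.' > …` — makes the failure stop the chain under dash; alternatively switch the script to `writeBashBin` with `set -euo pipefail`, since `clean` already uses bash. In the `terraform` wrapper a failing `pass` lookup exports an empty `TF_VAR_hcloud_api_token` instead of aborting; `token=$(${pkgs.pass}/bin/pass development/hetzner.com/api-token) || exit 1` before the export surfaces that early.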
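Review bot: This file is a tinc private key, and the same commit adds `02-build/assets/tinc/client/rsa_key.priv`, `02-build/assets/tinc/server/ed25519_key`, `02-build/assets/tinc/server/rsa_key` and the OpenSSH private key `sshkey`; once pushed, all of them have to be treated as disclosed and regenerated, because rewriting history does not recall existing clones. The README already documents `tinc --config . generate-keys 4096` and `ssh-keygen -P "" -f sshkey`, so the keys can be produced on the operator's machine at setup time and referenced from an ignored path, or pulled from the `pass` store that `01-terranix/shell.nix` already uses for the API token. Only the public halves (`host_file`, `sshkey.pub`) belong in the tree.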
@@ -0,0 +1,14 @@
+Ed25519PublicKey = OwJOU7l170hVi0g3HYpRVJXh6zwWYEZCvQq1mgBKCWL
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAwNR4EbAffxezhbmTIoetrUPPpo66rR9kPJkLCl/fTJbVE1ryjXNQ
+Cq0lefDURLT4L3Iw/XgBUIy1xpH8InolnYlL2DRadOvbA0nCUzoekwshcV1N6tCe
+HsxrVP5XSxGJ6Es7L0zzvqXCoYP4tic+N4ztZBknn9RRMY497qHPxLoejqPZndmj
+9VPciWtiZMhLPka/r0mS/Y7h2t3IQg3J2QCXjQoojTpGym9wPlBXcE2Hv5hYKM8X
+359/arLKlAi91I2SH1o6+rBoGaMB50goEnDvWqdha95CR9K/I7+eJm8/AiJCxus0
+2KKCK7K5GvBPifEgMX4AVF8bqgTF9VZi0peG3dUEsg2L/6XqfH6IeFziWfuzuR9k
+Ud0fzu235ssshMz/WHtTZiwTUc/xzs29PrF8ThieN/nt6tdBS3A0wdqeNfKjoD3k
+zgqcc+ODUUR4gaq/46W0lU8aiP1w32YmKLnrBmFYjZXHqXNgYOZctoW/SjblvpCK
+pYUxowFOXA8BU/eRiNZfa+b0ONe0XQOj8Q78st5XsCTlqHLkytdjwauZvM4jVuE9
+7lhvvr1ft/QO3RdBMXAXgDN0F2eDnzqdRE/rrvqNJCeheS9rmHE6Aa0e5yTcJMMK
+qCkys4lQn4y9RnfH3MpzRtRnpSKid31WcmCI+JYHLe4ZhFWXju4fKPECAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/terranix/tinc-test/02-build/assets/tinc/client/rsa_key.priv b/terranix/tinc-test/02-build/assets/tinc/client/rsa_key.priv
new file mode 100644
index 0000000..9267f93
--- /dev/null
+++ b/terranix/tinc-test/02-build/assets/tinc/client/rsa_key.priv
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAwNR4EbAffxezhbmTIoetrUPPpo66rR9kPJkLCl/fTJbVE1ry +jXNQCq0lefDURLT4L3Iw/XgBUIy1xpH8InolnYlL2DRadOvbA0nCUzoekwshcV1N +6tCeHsxrVP5XSxGJ6Es7L0zzvqXCoYP4tic+N4ztZBknn9RRMY497qHPxLoejqPZ +ndmj9VPciWtiZMhLPka/r0mS/Y7h2t3IQg3J2QCXjQoojTpGym9wPlBXcE2Hv5hY +KM8X359/arLKlAi91I2SH1o6+rBoGaMB50goEnDvWqdha95CR9K/I7+eJm8/AiJC +xus02KKCK7K5GvBPifEgMX4AVF8bqgTF9VZi0peG3dUEsg2L/6XqfH6IeFziWfuz +uR9kUd0fzu235ssshMz/WHtTZiwTUc/xzs29PrF8ThieN/nt6tdBS3A0wdqeNfKj +oD3kzgqcc+ODUUR4gaq/46W0lU8aiP1w32YmKLnrBmFYjZXHqXNgYOZctoW/Sjbl +vpCKpYUxowFOXA8BU/eRiNZfa+b0ONe0XQOj8Q78st5XsCTlqHLkytdjwauZvM4j +VuE97lhvvr1ft/QO3RdBMXAXgDN0F2eDnzqdRE/rrvqNJCeheS9rmHE6Aa0e5yTc +JMMKqCkys4lQn4y9RnfH3MpzRtRnpSKid31WcmCI+JYHLe4ZhFWXju4fKPECAwEA +AQKCAgBp1PLlOlW/CkIUVcqkO/UdUEdqcZGRLNZ1z8VYd0/2GB5v1g2jhrNaeLdF +2uCVqQFCARlUNAX8sI2fo0XPolx8vvrqealf3IbCojvOM+rN52D+eCgohUETRDxw +VHuSjtiyrn+YMVLhwtY0kVrylk02bdlog8nUldHOMfRZwWNn5IKa5OCuGuI65kD3 +BwHksG1ji67uxKGxGjdpSSn83tZ2jDWhSf8BrAdoWYswGCY1U8f6ZuGT3D2NFVv4 +MpKudrHBM8YMARi3uBQaZfXIezjLDkK/7XexnTWhd9BCDYv+KjZZtHYT+MlzUJXC +5/9iApyU58s0fqQtqlljkeUYBsaLOyMDvBzuZE36PM7dC988Wtr8B/4qwkCaveN1 +6Qz2i0iyNbtWJuGFqvorr+bNrvV8f/kinguWkpbE3uM3h43OAS2QIEGu9LAMsYic +dJz7AKUw2nTifBTqrUkWO9Vx2fBaUnU3FCW5SnkayKewIZ2Fgc0xKCIS68jlM6uD +p8z/FcKe9EEjb40lEcXMKmyEnMG7Qc/pAZa3M7t7UAmHSSLfG7zaECUxhQytHBPD +xa08L6DRMmzvI4Ezdrt7KawydDTGM9bcH5fe2qgfK48jx2T9aIV2Vs/tgcIim8WF +IK53oeJXMB8eXliGiPrwQkwFi3WoErsYkXF0Cn19IRayYNTOpQKCAQEA93l9mfCw +pkCb/gbdkARsbmOxjGzAUfOvRdEt+MmAjzovG3HG9oUQT4M5xGWDpxLPP0uMMGVF +XadUq1ZuSPK/mQaNHY5Tp/OBy3XC2YyiB1zYHrrbxmq54ikF+NwfaV2lVSeHt+TU +tu3ZHDs7wXG7UsgL9MrD2aaBC/Sk2/3BKo9xUPOu54YlZsBCB+2NiZugdQUVwHDl +Snj/dY1YhIEnRphY7CPj36vjDsSL1EqxKLTKKPJTJVU9cTQwCMGbR1OPoB8FjVVr +51pz9dWS6P9iHZitoqv+uf8fe2AkUs5t6U2yFcHQYqvlKyIFsZSTOcWFM5oAZChj +IBqsmbK7rUoHFwKCAQEAx3kPhwkkF1uvFCfnl+69UjDNovuJvCgf7eMNlzZbhzA5 +BbQPLeDbj/8q/3Anqoo2WvvWKVf+7du0KK+Cn6o4+xXCtkCvMUMWIVIUDWe+nykw 
+STKfzAw5OrYr8ja4HsJu6y0Pm+qczksXCaRhqsRl120OHzyD8WOa758PE0+Lntjz +v1HkJgDSTFcx4+gKZCikKTxwUT17W4phorY3qnYxCnP8e8relNxBIaY/EEbXUPMU +5L3X60Hdscfde7N8/Yj9SQpRmL8qLEkHWSCeziLcN5zzc5wty5yQ/+0SZX4K1S2u +Orv50afYiXC3TAOfYxDKf2DdVJwAJhbCZHIQQitVNwKCAQEAl3O2tnti4Jwx22kA +N589bOF+S15S5NSps6Ss6dEH6J/HLJiZF02gCclZlSQ7Sghs5WOqzANuTD6XxrQC +kopdT51+x1PPRr3z9TyAnvs+PhtH+KaK0geG8y4ABalRX/57rH2gxZ45wCoX8Psf +OugLqEHdb1aYPZ904og6TJgjm5Rl2REJPZAPW67VulxbfpfLv1H5Wei9qrIaRSrX +vV/9VWrvILVmRADB2MvYd3eurCbYge6ri/F6xMkXjIRQL3qoL2pMz44zl0b4KL8o +RYfl2A8UVLXGErZb4fmYwUSsZ1exYTdX/MsOWTNdIKy43WZQeqAJFULSR1eLwhRs +X0UqyQKCAQB4cB3x+JD0EYWKc/WfhKSGxbTDnYCyPL/akGcaT9W/sFwdl3Q6zTOE +pBrAFGW+0Ki1Eq1iVSE1WJxUnHQQF2VEJQVlqXSeF9V61OYKmgM8clAXQhu9xfuf ++XJbUrKkz9zM3m44Q9XdsPT9+2SFCQQ8qDoIni9ERlG8MJuXm0W/6Vpyv+0zDPfs +5BDZfLcZdnh39WgThT3ALbN53O+LWsWNfC6MSBdQZhRlTs1w9HT5CWwqGH4QK7rB +pt2R3POw2U+lFDfkNDgweP+YzttTtzSj134e5cO41pWuEOQ0p3++60/xYqIZ9nAF +vCrQGLfZxr+dXU0F0xM77C3/G+e5LBTNAoIBAAf/z1zNTwc8v/dbkK9Esd/3VYUs +HEmVn7RguwbqmZcMFHLmyaWZxw3qu16bR7ktHm3NfVL5hyHJ58/UFwGvS/kVlIsz ++iAEoqjwpkNyCvT8ZdaB6grvCSV1Ac2m5YkQ9RxNCDtekLvBmw8izX/o0ESwwvkw +eb/119fSOWB60/QQQzFREUL6KpKc+OMCLV5XfbAxTeaDahAhSTWMJxCfWqYYhFU0 +46bwiq+fo+DFHRo+BDJv7Wc8x/B/gzlSMFsxFZ0hUzXBk7Pqz3Rm/UK2cpn1DQ1/ +zQNglB1DM4IwzoQ/DGVzYeneRLEBfU1wVlxUUatBC9oXY6zz85FbzSdyl74= +-----END RSA PRIVATE KEY----- diff --git a/terranix/tinc-test/02-build/assets/tinc/client_host_file b/terranix/tinc-test/02-build/assets/tinc/client_host_file new file mode 120000 index 0000000..a10ede8 --- /dev/null +++ b/terranix/tinc-test/02-build/assets/tinc/client_host_file @@ -0,0 +1 @@ +client/host_file \ No newline at end of file diff --git a/terranix/tinc-test/02-build/assets/tinc/ed25519_key b/terranix/tinc-test/02-build/assets/tinc/ed25519_key new file mode 120000 index 0000000..bf79954 --- /dev/null +++ b/terranix/tinc-test/02-build/assets/tinc/ed25519_key @@ -0,0 +1 @@ +server/ed25519_key \ No newline at end of file 
diff --git a/terranix/tinc-test/02-build/assets/tinc/rsa_key b/terranix/tinc-test/02-build/assets/tinc/rsa_key
new file mode 120000
index 0000000..246733d
--- /dev/null
+++ b/terranix/tinc-test/02-build/assets/tinc/rsa_key
@@ -0,0 +1 @@
+server/rsa_key
\ No newline at end of file
diff --git a/terranix/tinc-test/02-build/assets/tinc/server/ed25519_key b/terranix/tinc-test/02-build/assets/tinc/server/ed25519_key
new file mode 100644
index 0000000..07c16ef
--- /dev/null
+++ b/terranix/tinc-test/02-build/assets/tinc/server/ed25519_key
@@ -0,0 +1,4 @@
+-----BEGIN ED25519 PRIVATE KEY-----
+wNkj/HdU70l7X5XC5YVlWp3FBa8cBaDRy1LbJCjkh83CYYieSQ2IUWgHQ4Vhx253
+7bXVLSOnVIKMifAnBwSOSX7lTGI6gUP2aZCwa142WdxPDPiYv3sEMqK037VyfHVl
+-----END ED25519 PRIVATE KEY-----
diff --git a/terranix/tinc-test/02-build/assets/tinc/server/host_file b/terranix/tinc-test/02-build/assets/tinc/server/host_file
new file mode 100644
index 0000000..924e735
--- /dev/null
+++ b/terranix/tinc-test/02-build/assets/tinc/server/host_file
@@ -0,0 +1,14 @@
+Ed25519PublicKey = 1e5kBiOI1jtWmAsWNutVX8zwjI27NLBjqC99el83RVJ
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEA1qFa0YFVefm3kVXGG5j26TF4JNJtBpZo1Jtd9XB6cErMG80vrdvb
+RWNwCoY8SM21zN5ew9p7W/P8aClZShx7WRyIzPsTnc69N7zIosAIeXURgo8Ot2Yd
+1us5RquPxc6NZ0JhDkz50EgQiJ4fRaCmaBb68hP36U8XdO7VTn93+l0YlmvbhAny
+gB7iMOsXiDXxbzxOO+XC3ygaeO45ioEDduEv9Ny9KptXN08eOkxKL7dN4om2Nux0
+2EurWqTBYTrWki+XxovfvsmiM5AELHtTaUM8FwwEX0e7dV1cDYYqz3hWPmYgZ4Bj
+dp258VDa/sbUCiRVQfcxzHqbvd3UCoNG76YsGJ6s7TqoxvCCvB4ziH+d6/Uu+h5h
+DtjccwVQmW22A5DQHix4T/DmXs1GB5qzOa8eEd6cHTpqp/qzGmvC0un5BezY+CVR
+ZphzFoYGF6Q3T7JwC6LCMCNBOqby+bhZNYmkztRzhXvFFrBmj6E17+8Z5fgLgl6u
++1QhxQTjg3uvjZXmQh2+jjTwa3vO1pZR6k9yyLMo9zPpr7i7QY4tqPR8u4j0fkHj
+aXtOOj2wl0gDCnVX3mWeUKCJusCDdJ2hPpuz11pPQt67mxtUXO31aMM9J3mHjj0y
+PKl7NGKA7ozI9e4HV09KiozM6yrLrvLyoRTn8AgwVoMiEw91CHhDNRkCAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/terranix/tinc-test/02-build/assets/tinc/server/rsa_key b/terranix/tinc-test/02-build/assets/tinc/server/rsa_key
new file mode 100644
index 0000000..7319895
--- /dev/null
+++ b/terranix/tinc-test/02-build/assets/tinc/server/rsa_key
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEA1qFa0YFVefm3kVXGG5j26TF4JNJtBpZo1Jtd9XB6cErMG80v +rdvbRWNwCoY8SM21zN5ew9p7W/P8aClZShx7WRyIzPsTnc69N7zIosAIeXURgo8O +t2Yd1us5RquPxc6NZ0JhDkz50EgQiJ4fRaCmaBb68hP36U8XdO7VTn93+l0Ylmvb +hAnygB7iMOsXiDXxbzxOO+XC3ygaeO45ioEDduEv9Ny9KptXN08eOkxKL7dN4om2 +Nux02EurWqTBYTrWki+XxovfvsmiM5AELHtTaUM8FwwEX0e7dV1cDYYqz3hWPmYg +Z4Bjdp258VDa/sbUCiRVQfcxzHqbvd3UCoNG76YsGJ6s7TqoxvCCvB4ziH+d6/Uu ++h5hDtjccwVQmW22A5DQHix4T/DmXs1GB5qzOa8eEd6cHTpqp/qzGmvC0un5BezY ++CVRZphzFoYGF6Q3T7JwC6LCMCNBOqby+bhZNYmkztRzhXvFFrBmj6E17+8Z5fgL +gl6u+1QhxQTjg3uvjZXmQh2+jjTwa3vO1pZR6k9yyLMo9zPpr7i7QY4tqPR8u4j0 +fkHjaXtOOj2wl0gDCnVX3mWeUKCJusCDdJ2hPpuz11pPQt67mxtUXO31aMM9J3mH +jj0yPKl7NGKA7ozI9e4HV09KiozM6yrLrvLyoRTn8AgwVoMiEw91CHhDNRkCAwEA +AQKCAgBSwt9ZP+zs3tzo/tEoXSCApSG12SpPSvpbWRmvBdNAr6bq5YEIImn35LMU +a9SdIi2DNRAHp5y/xWJD7AXRLRBnOTiLChnzVP/jmTkogLID25+H35AGKitBb2yj +ko4a8V3XPmJceFQv+0nc1FQsrhjctFfJtud2oJfj8CByZ3alJPbRMf/wd0F6I+6G +fHCThnF1uiRUtnEhSb6DeSDZBoyGb6jlW6TZ5BKKckiupDJLGfy/aOjJXv5jVTJa +/oLO8jhBIHb/CXqaf/e6uELTwC5WvaVTIcAh2XAwfnJ7iIvDepyO7SR7pKc12vYT +VmFLsvGag44YpLAgL/sUCJC2CQ71rtx79SNHegDkunqI+GZTSL1uuBHMXpSA75xm +t6m6hcn3E0rL6wSZ+mgpyL1+AULWOSbU4XybsXjORzTsJfn91s7k5dyySQSRDy30 +z10fQzLPJI8kSmGtzUFpDMvOYpfmq5p0aMI58fvTqLgNc1wnJrj2SKfEQI0MnhKU +BESIh63yjPQuPkeqpO1zf8OgmvZ/PU7Egbb8YAHzC11KBh2zKem6zL0Q/bLBcur1 +bcKT0VRq/5jpwLG1dpXf7KovatTjg44cjb+LFP6YnBhM1pc620Hc4G+TPJs3y56c +OdmX6UCCvl1c4pZJ4Mmg7I1LvZcPFIYFFOTmLLixfWWH4n7vrQKCAQEA+PjO4I8Z +RMMui1cpfoj3go4y/IY3bWF2Dgg6QgddagXxdFMVtFKD0LMlpbt3MUmGOjj7zepG +1zeRnvgkAk6ZX/nibMkDWnyVMoews1WJC3YpOZdavjzJ2j3517rvomhSQWzbyOAt +T1oR9dz2EYEFchYgJ+N5pmCvrhQd1nENpT9usxiVT+ecTE8sObJqY6a1otK969yO +urIckDx8SqKY6V5iuTjcsdrSfzIlFKKZ5S9XPqg98lqWekYA9R5WMzolQGFVoDMI +343HdE/oEExBR7X39E+D2YGwoepw6lVBHkmFd1px5Oc5kysAbvB1QiSoU1Oi85mN +uBmrzxmYkQ/d7wKCAQEA3LBgoWzoez81rDh+i9vXweI7vKHy1htJnRPgYuxWtlvu +RzgGK/FvOMOthVqpOR0fO1g+7/LupgNjBgGys+jTOeZiKwYEWuy0RCpjKmhc6j2y 
+jwdXjzHf0Ve3MFF23qhaXhQHEgg9W1VQJwt8xv28mY96YznYB/JC0vLG2ZdQ5ASJ +JHrrZNIk3h+32yBRq8312+cWRXmg27MSSfOrRAMSeoV0c7YvDakce9ZNaok/gbi9 +hA+yqxZc0SrkOXLA0plHzyzH492sonsdLjIQNApJv36NqD6ZHzcPy2iHK3ymhj+z +QM/kt5QHFbK3OFBJbyHxtbSpMfJMvh5AgzyJhaildwKCAQAHe+MsGOEXkg5qHdqf +dRqLkB60PIyZ+x4DWff2WCZUs40IhB7Y5soTke8FxlbU4nLoeSIIlIxAl+kGsErU +zuwJWIeX4Yr6Q1hwxmdnXKDb+VdP5d7SbR1cNBS4iWP+q8gdM1p/9U0nX3u+uj+j +Uw+I2GVrDYlwmONvBifHdGqGlxuKwqhqWHn4SUD5EwXjrPU0ycTvvBeGQShepZLO +44hZK38oNi9cIUnGjQlUT3b0zrF+rqv+Bv8S+du5gonwzESmZMagJCiWH7rpIiXF +p6UmtK+ZZnJ+LUnT9CokwR9N+8PJTKyzxseSRu6iZxP/Qv7UUmVJkUoTSKJDfW96 +nNF9AoIBAAOnU+I4SF0J/dx9DvNHz3mhQjXsRHXw+7YDBzr8CK96NCavscJ2e83n +x26mwph0d/jmjBwy3GqZMcF+s7OwzhZuTv/BWL8cnhtmzD9+fNNP9C3UBEoVnEv9 +9MVzA9HJ3b0i/b75rfJeJjaPRSCSQNYV/wO3iHERPLP7WvltPOSZgp+8/TqtE/kt +c0DIdzGt9j0OxVqfGd+pRks9In+8wUiP/w6PXJYQT61pLdzuqsN+CH0wOVgFxcGc +wSyGTtTtvreaWTDXka0a9q+2GniSFwh5kuTPLH/MzJEkiOBabvNYCKKxDmtPoxJj +5A6lnaGeYT8N36M5DLY1EAJcNTamRR8CggEBAPgc5Wr2YM9rmAB/15H+xk8H/tsI +1hxgGtfdHdo9ZwIyowakuqQaIjbgFX64bE9cX9C62mJ12rP6YoTAz5zRBm4J1Eld +U2PlnCwLJbtrdF83tTSi8n9Yo/y3wMFB0C+z2apEqOkLTUaz3REM+1N8CWVKMtaW +CtEqfx2sIbwy/Y3i8kSyR8mZPiMlpGULLBPvcKSgZZnUzzo5gZh2mP9zwb0q669K +71k3LzM8EY/1by8xrhhg5Iyanoeq2PwecUR4XD8pvpYRdUk+bERUSPyJenWa1JQ/ +df25AfKqmpoVp+LeICbZf4vNLxR1rs44fXPkMpu4SoQkSLuNYkoqpOngjjY= +-----END RSA PRIVATE KEY----- diff --git a/terranix/tinc-test/02-build/assets/tinc/server_host_file b/terranix/tinc-test/02-build/assets/tinc/server_host_file new file mode 120000 index 0000000..539b85c --- /dev/null +++ b/terranix/tinc-test/02-build/assets/tinc/server_host_file @@ -0,0 +1 @@ +server/host_file \ No newline at end of file diff --git a/terranix/tinc-test/02-build/configs/nixserver-server/configuration.nix b/terranix/tinc-test/02-build/configs/nixserver-server/configuration.nix new file mode 100644 index 0000000..90cc147 --- /dev/null +++ b/terranix/tinc-test/02-build/configs/nixserver-server/configuration.nix 
@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }: {
+ imports = [ ./hardware-configuration.nix ./tinc-server.nix ];
+
+ networking.hostName = "server";
+
+ environment.systemPackages = with pkgs; [ htop git vim mosh ];
+ networking.firewall.allowedUDPPorts = [ 60001 ];
+
+ services.sshd.enable = true;
+ users.users.root.openssh.authorizedKeys.keyFiles = [ ];
+
+}
diff --git a/terranix/tinc-test/02-build/configs/nixserver-server/hardware-configuration.nix b/terranix/tinc-test/02-build/configs/nixserver-server/hardware-configuration.nix
new file mode 100644
index 0000000..5f34b82
--- /dev/null
+++ b/terranix/tinc-test/02-build/configs/nixserver-server/hardware-configuration.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ imports = [ ];
+ boot.loader.grub.device = "/dev/sda";
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+}
diff --git a/terranix/tinc-test/02-build/configs/nixserver-server/tinc-server.nix b/terranix/tinc-test/02-build/configs/nixserver-server/tinc-server.nix
new file mode 100644
index 0000000..01892fa
--- /dev/null
+++ b/terranix/tinc-test/02-build/configs/nixserver-server/tinc-server.nix
@@ -0,0 +1,10 @@
+{
+ imports = [ ./tinc.nix ];
+
+ module.cluster.services.tinc = {
+ "test" = {
+ enable = true;
+ openPort = true;
+ };
+ };
+}
diff --git a/terranix/tinc-test/02-build/configs/nixserver-server/tinc.nix b/terranix/tinc-test/02-build/configs/nixserver-server/tinc.nix
new file mode 100644
index 0000000..3becfb6
--- /dev/null
+++ b/terranix/tinc-test/02-build/configs/nixserver-server/tinc.nix
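Review bot: `users.users.root.openssh.authorizedKeys.keyFiles = [ ];` leaves the declarative key list empty while `services.sshd.enable = true;` opens the daemon, so after the first `switch` root access rests on whatever authorized_keys the provisioning step left behind rather than on this configuration; from here it is not visible where the provisioner installs that key, so whether a later deploy can lock itself out should be checked. `ssh-setup.nix` already writes `sshkey.pub` into `02-build/generated`, and `source.system` in `02-build/shell.nix` copies that directory to the target as `generated`, so pointing `keyFiles` at that copy would make the access path explicit and declarative. `services.sshd.enable` appears to be a legacy alias; `services.openssh.enable = true;` is the current name and matches the `openssh` option path used on the next line.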
@@ -0,0 +1,32 @@
+# shared tinc file between client and server
+{ config, pkgs, lib, ... }:
+
+{
+
+ imports = [ ];
+
+ networking.firewall.trustedInterfaces = [ "tinc.private" ];
+
+ # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
+ module.cluster.services.tinc = {
+ "test" = {
+ networkSubnet = "10.123.142.0/24";
+ extraConfig = ''
+ LocalDiscovery = yes
+ '';
+ privateEd25519KeyFile = toString ;
+ privateRsaKeyFile = toString ;
+ hosts = {
+ server = {
+ tincIp = "10.123.142.1";
+ publicKey = lib.fileContents ;
+ };
+ client = {
+ tincIp = "10.123.142.100";
+ publicKey = lib.fileContents ;
+ };
+ };
+ };
+ };
+}
+
diff --git a/terranix/tinc-test/02-build/generated/.keep b/terranix/tinc-test/02-build/generated/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/terranix/tinc-test/02-build/shell.nix b/terranix/tinc-test/02-build/shell.nix
new file mode 100644
index 0000000..5f1bd9d
--- /dev/null
+++ b/terranix/tinc-test/02-build/shell.nix
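Review bot: `networking.firewall.trustedInterfaces = [ "tinc.private" ];` exempts all traffic arriving over the VPN from the firewall, so any peer holding a valid host key reaches every listening service on the server, and with the client's private keys checked into the same repository that is anyone with read access to it. Prefer leaving the interface untrusted and opening only what the VPN actually needs, e.g. `networking.firewall.interfaces."tinc.private".allowedTCPPorts = [ … ];`. As rendered here, `privateEd25519KeyFile = toString ;`, `privateRsaKeyFile = toString ;` and both `publicKey = lib.fileContents ;` lines have no operand — presumably angle-bracket search-path expressions lost in extraction — so the actual file should be checked before relying on this view.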
@@ -0,0 +1,73 @@ +{ pkgs ? import { } }: + +with pkgs.lib; + +let + + ops = let + opsImport = import ((import { }).fetchgit { + url = "https://github.com/mrVanDalo/plops.git"; + rev = "9fabba016a3553ae6e13d5d17d279c4de2eb00ad"; + sha256 = "193pajq1gcd9jyd12nii06q1sf49xdhbjbfqk3lcq83s0miqfs63"; + }); + overlay = self: super: { + # overwrite ssh to use the generated ssh configuration + openssh = super.writers.writeBashBin "ssh" '' + ${super.openssh}/bin/ssh -F ${ + toString ./generated/ssh-configuration + } "$@" + ''; + }; + in opsImport { overlays = [ overlay ]; }; + + lib = ops.lib; + pkgs = ops.pkgs; + + source = { + + nixPkgs.nixpkgs.git = { + ref = "nixos-19.09"; + url = "https://github.com/NixOS/nixpkgs-channels"; + }; + + system = name: { + configs.file = toString ./configs; + assets.file = toString ./assets; + generated.file = toString ./generated; + nixos-config.symlink = "configs/${name}/configuration.nix"; + }; + + modules.cluster-module.git = { + url = "https://git.ingolf-wagner.de/nix-modules/cluster.git"; + ref = "1.2.0"; + }; + + }; + + servers = import ./generated/nixos-machines.nix; + + deployServer = name: + { user, host, ... }: + with ops; + jobs "deploy-${name}" "${user}@${host}" [ + (populate (source.system name)) + (populate source.nixPkgs) + (populate source.modules) + switch + ]; + + moshServer = name: + { user, host, ... }: + pkgs.writers.writeDashBin "mosh-${name}" '' + ${pkgs.mosh}/bin/mosh \ + --ssh="${pkgs.openssh}/bin/ssh -F ${ + toString ./generated/ssh-configuration + }" \ + "${user}@${host}" + ''; + +in pkgs.mkShell { + buildInputs = lib.mapAttrsToList deployServer servers + ++ mapAttrsToList moshServer servers; + +} diff --git a/terranix/tinc-test/README.md b/terranix/tinc-test/README.md new file mode 100644 index 0000000..4db3ebb --- /dev/null +++ b/terranix/tinc-test/README.md 
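Review bot: `nixPkgs.nixpkgs.git.ref = "nixos-19.09"` and `modules.cluster-module.git.ref = "1.2.0"` are a branch and a tag, so each `deploy-<name>` run populates whatever those refs resolve to at that moment; the deployed system is not reproducible, and the module tag can be moved upstream without anything changing in this file. The `plops` import directly above pins `rev` and `sha256`, and the two sources that actually end up on the machine deserve the same treatment — a commit hash in `ref` if the populate helper accepts one, otherwise the resolved revision recorded next to it. `servers = import ./generated/nixos-machines.nix;` makes `nix-shell` fail to evaluate until 01-terranix has produced that file; `servers = if builtins.pathExists ./generated/nixos-machines.nix then import ./generated/nixos-machines.nix else { };` keeps the shell usable before the first `create`. The README's `nix-shell --run deploy-server` only works if the attribute in nixos-machines.nix is literally `server`, while the configs directory is `nixserver-server`, so the two should be checked against each other. `buildInputs` also mixes `lib.mapAttrsToList` (ops.lib) with the bare `mapAttrsToList` from the file-level `with pkgs.lib;` — pick one.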
@@ -0,0 +1,39 @@
+
+A setup to test tinc on a hetzner box
+
+# steps
+
+## OPTIONAL: generate fresh ssh keys
+
+```sh
+ssh-keygen -P "" -f sshkey
+```
+
+## OPTIONAL: generate new tinc keys
+
+```
+nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
+cat *.pub host_file
+rm *.pub
+```
+
+## generate machine
+
+```sh
+cd ./01-terranix
+nix-shell --run "create"
+```
+
+## provision machine
+
+```sh
+cd ./02-build
+nix-shell --run deploy-server
+```
+
+## cleanup
+
+```sh
+cd ./01-terranix
+nix-shell --run "clean"
+```
diff --git a/terranix/tinc-test/sshkey b/terranix/tinc-test/sshkey
new file mode 100755
index 0000000..a892557
--- /dev/null
+++ b/terranix/tinc-test/sshkey
@@ -0,0 +1,49 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn +NhAAAAAwEAAQAAAgEAm+c7Q9wbwB0jpPn2nOkOHPLr2VCVi5nITFj8/O6cOpUcsgsg1/5Y +bPVeiGqbzLzd2eoxwpex+Wcp+oEgJO/H1T2NP2nnsRqsczbcZXAATnHega63qAJwW+BDmy +wjZFWAgUB5VSXUbiwqV3qUv55bXOqtvY0f4rdO8tQXoWjipGz/16N/Y66loUJH7wb41XSl +uo4FZORsK8u5nh628EtOH8k1HDM18fSpnp1ZzWlBLPxSE393/5OftJohzF2N7uxeArd31I +5H4PLBBFSy0Zh0mnKM7uwbCyPxFI1kDgwGBz3P5tBi0pxNjArvqvzzn4hzn02jsf6w/Me1 +0Des6zRAzwYKr/Pk5WvVnrmbZQyivQVv5O1u/dEm7CI/CIuJA6LZPA2J3INvhVl8W+vqsl +/OKfeksJJv3soP+Fomcy2NokNmOmSdl70uTfcAkgfuRrCQvDlWCS6IQandjuaDoeqLyu1M +Az8ReKN+yDMH59Q/+H+TWf1MHG3nJ+JfycOcLFJ+uci2kamCfVZa50m7TzpCVqjgdB7PUp +kcaTlQH+sJ7i4Ddbz7+xauvFdVdAJjtA03eTGpV2xcK+HzZvhcZg5ACoYYg5svgZUazo0B +c1fyK2aqwHGHEz7X8dd1EBpuIQtvswlc2pkIFis3hNQ40qde3y4vQx496uLj7E0UMzPCIB +cAAAdAgoAp4IKAKeAAAAAHc3NoLXJzYQAAAgEAm+c7Q9wbwB0jpPn2nOkOHPLr2VCVi5nI +TFj8/O6cOpUcsgsg1/5YbPVeiGqbzLzd2eoxwpex+Wcp+oEgJO/H1T2NP2nnsRqsczbcZX +AATnHega63qAJwW+BDmywjZFWAgUB5VSXUbiwqV3qUv55bXOqtvY0f4rdO8tQXoWjipGz/ +16N/Y66loUJH7wb41XSluo4FZORsK8u5nh628EtOH8k1HDM18fSpnp1ZzWlBLPxSE393/5 +OftJohzF2N7uxeArd31I5H4PLBBFSy0Zh0mnKM7uwbCyPxFI1kDgwGBz3P5tBi0pxNjArv +qvzzn4hzn02jsf6w/Me10Des6zRAzwYKr/Pk5WvVnrmbZQyivQVv5O1u/dEm7CI/CIuJA6 +LZPA2J3INvhVl8W+vqsl/OKfeksJJv3soP+Fomcy2NokNmOmSdl70uTfcAkgfuRrCQvDlW +CS6IQandjuaDoeqLyu1MAz8ReKN+yDMH59Q/+H+TWf1MHG3nJ+JfycOcLFJ+uci2kamCfV +Za50m7TzpCVqjgdB7PUpkcaTlQH+sJ7i4Ddbz7+xauvFdVdAJjtA03eTGpV2xcK+HzZvhc +Zg5ACoYYg5svgZUazo0Bc1fyK2aqwHGHEz7X8dd1EBpuIQtvswlc2pkIFis3hNQ40qde3y +4vQx496uLj7E0UMzPCIBcAAAADAQABAAACAFUT1q+tiidIv47kKcRvGhiKKFKrOzC3dyrS +1RxiSjdd8A7pK78zOaYcML5ZDzSnTJoCx6zdg24K8kmV9aiygWbI9C/K53kqiTlGkvd4K3 +KjiT1Tzz2MNyysMbiYWagDUOE4Af6JamfFCkY6yrnW/RyzpKRwQxpB1n+FZm/bAPOh1+wh +eP8464IY3ZB/SYOS6G3p2t+4F5++yUiUkliHf9awwp7lA2dKkNXSIJOMANk/yLqDMUTzlo +/EHPWdiDr+Gj95R5djHa6QSuzGG99tRxSRtn8bsZZewszoa9WOkiuZe78FsSgly9vEjA3P +hFNm71Hb2Jzl1Efd5EYAXAjutv5ouKDxLHjCSuFmB0j7b+ZXMulVvF9Ka7RK0GxTZnpv50 
+AwzeBHdadHdtciHytTV+aggTLt5fj/1zYFw8FutUGXI4XrmC3KlDQ1etqmX0dwCS64GdpC +BCA/Fsw5G/iYqZApkKb4d71ftULObmEQy3G8VhLSpNUzDuDgHfP2wWniX6pFZokUu6GHws +t3NStX3SgReG+yuZ/vqFgDmijW/QtreL6HcjA2dysav07BkXEroaP+fA7fltK8MybKNAN4 +uHt8I4kZrPwwV2w1EllyZEdvwIa6oe0gTjHgmN0ijYshcTFS1RNnvtauxZ02LkpZVyEPDW +VFQKTB+HICqXyZ+pshAAABAHleerfKzAyvr383dCNjYpVCvRHZaqpm63gARf5vkh4599Gp +CuvMYxwq3z/Q9avtAJn92Libp1aWBOtGwhh7v8py42agNj52ytk8DeQRwKngmHQoyVJ3DG +y5azutxF/JV0/bZwFvgeFhNrhG6ilOmCvMcMiaHidffXKdeo1f4nCbv9aj4S18ehEcV/zp +uvHfgpz7K4I4eqBKQTqlCa1/Zle0tvZuk/PVnJUu8Qd3e/ZVWBVa/OG54MElbpYS76kGPw +A1FTy9CAUujYqtEW1OSoSjQB3DIRkhExowtuaeNu+UrT4sqA713/SVODUPRciOCyoQvfXm +vJA+HEWZwhh5JNgAAAEBAM1wwERBlJ7y9C1PARp35LHM3e2iBnROdQ45g4nzyLR6Z8k39z +8AoToiJhnO7fkuobY+b2Pvs9ncWSRtapNzXBz7tanMGIZoLAt1+2f1s8TM5dKTHNdhZpgQ +vxy5TwkxqII4d9CNyfIxyyQkGSTl6QRVFGP5mvengfEpSL9n7S5RFjr0X1Lf2Pjrjkdwud +DCiD/OtyTkfYL0zl0c1ezuc6rN6AX+3lhK88v9xQQcSYcd2s9qQjjccL5Onaio6e9VgSiM +gSehvmLn7FPYOEajEQ7bLblqoSItz5r9EcfeE4eUBzaZHJDZ5qF96+cneIr+26H1UEfsTw +/GGxJzlfW2b2UAAAEBAMJFhE16Ek4iLKy0gQRJArVvbathgKJBz+CJLSKpX8N++34Vs/tZ +oF7t4FF59OK/wghAPDTDv1q2MyUpIlpvIzdNE7mZzChM6aVXkKHKJfOxEFCnP2c52e4Lm1 +0LRyL2JSUB9e9s728ORCAW3LEm58UsPVkEV1DwvQ45xHf7jOhiHfLTA7sDt6ram/cXdP49 +WgCAR03bd2vvQlvMWnKnwkLQd8CpR6FGe0CfvWrobHaPs0jKxPKij0gi3GY27EvXH11h01 +fEAc4ag4iC1NEhyzQbWDrP6evoremWchYhNKmXyw+P5vEAPgr/OxmYJflu6f4FhVQzW9d9 +E5rOblFvb8sAAAAJcGFsb0BwZXBlAQI= +-----END OPENSSH PRIVATE KEY----- diff --git a/terranix/tinc-test/sshkey.pub b/terranix/tinc-test/sshkey.pub new file mode 100644 index 0000000..4e67478 --- /dev/null +++ b/terranix/tinc-test/sshkey.pub @@ -0,0 +1 @@ +ssh-rsa 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 palo@pepe
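Review bot: `new file mode 100755` on `sshkey` commits an OpenSSH private key with the executable bit set; under a typical umask it checks out as 0755, readable by every local user, and OpenSSH refuses to load a key with such permissions, so the `IdentityFile` entries that 01-terranix generates will be ignored until someone runs `chmod 600 sshkey`. Since the key should not be tracked at all — once in history it is disclosed to everyone with repository access and has to be rotated — the fix is `git rm --cached sshkey` plus an ignore rule rather than a mode change. The `sshkey.pub` hunk below is fine to keep.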