fiddeling around with tinc and make it work only on sterni

2023-01-26 21:29:47 +01:00 · 2023-01-26 21:29:47 +01:00 · 4b9cfdcc6e
parent 987f7704a5
commit 4b9cfdcc6e
14 changed files with 218 additions and 187 deletions
--- a/flake.lock
+++ b/flake.lock
@ -19,21 +19,6 @@
        "type": "github"
      }
    },
-    "cluster-module": {
-      "locked": {
-        "lastModified": 1635790675,
-        "narHash": "sha256-hWwS/sX46dEIw+swRfB8KZq0T/gDpryswTkZy5n0BAc=",
-        "owner": "mrvandalo",
-        "repo": "module.cluster",
-        "rev": "299f5e9f4d9faa2abce40ae853601e11eecd7383",
-        "type": "github"
-      },
-      "original": {
-        "owner": "mrvandalo",
-        "repo": "module.cluster",
-        "type": "github"
-      }
-    },
    "colmena": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -895,7 +880,6 @@
    },
    "root": {
      "inputs": {
-        "cluster-module": "cluster-module",
        "colmena": "colmena",
        "doom-emacs-nix": "doom-emacs-nix",
        "emacs-overlay": "emacs-overlay_2",
--- a/flake.nix
+++ b/flake.nix
@ -42,10 +42,10 @@
      url = "github:mrvandalo/home-manager-utils";
      inputs.home-manager.follows = "home-manager";
    };
-    cluster-module = {
-      url = "github:mrvandalo/module.cluster";
-      #url = "git+file:///home/palo/dev/nixos/module.cluster";
-    };
+    #cluster-module = {
+    #  url = "github:mrvandalo/module.cluster";
+    #  #url = "git+file:///home/palo/dev/nixos/module.cluster";
+    #};
    nixpkgs-fmt = {
      url = "github:nix-community/nixpkgs-fmt";
      inputs.nixpkgs.follows = "nixpkgs";
@ -75,7 +75,7 @@

  outputs =
    { self
-    , cluster-module
+      #, cluster-module
    , colmena
    , doom-emacs-nix
    , emacs-overlay
@ -170,7 +170,7 @@
            ];
            imports = [
              ./nixos/machines/${name}/configuration.nix
-              cluster-module.nixosModules.tinc
+              #cluster-module.nixosModules.tinc
              (sopsModule name)
              home-manager.nixosModules.home-manager
              permown.nixosModules.permown
@ -181,7 +181,9 @@

          sterni = { name, nodes, pkgs, ... }: {
            deployment.allowLocalDeployment = true;
-            deployment.targetHost = "${name}.private";
+            #deployment.targetHost = "${name}.private";
+            #deployment.targetHost = "10.23.42.24";
+            deployment.targetHost = "localhost";
            deployment.tags = [ "desktop" "online" "private" ];
            imports = [
              grocy-scanner.nixosModule
--- a/nixos/components/network/sshd/known-hosts-private.nix
+++ b/nixos/components/network/sshd/known-hosts-private.nix
@ -22,43 +22,43 @@
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
    };
-    "sternchen.secret" = {
-      hostNames = [
-        "sternchen.secret"
-        config.module.cluster.services.tinc.secret.hosts.sternchen.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
-    };
-    "sterni.private" = {
-      hostNames = [
-        "sterni.private"
-        "sterni.secret"
-        config.module.cluster.services.tinc.private.hosts.sterni.tincIp
-        config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
-    };
-    "pepe.private" = {
-      hostNames = [
-        "pepe.private"
-        "pepe.lan"
-        config.module.cluster.services.tinc.private.hosts.pepe.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
-    };
-    "bobi.private" = {
-      hostNames = [
-        "bobi.private"
-        config.module.cluster.services.tinc.private.hosts.bobi.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
-    };
-    "mobi.private" = {
-      hostNames = [
-        "mobi.private"
-        config.module.cluster.services.tinc.private.hosts.mobi.tincIp
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
-    };
+    #"sternchen.secret" = {
+    #  hostNames = [
+    #    "sternchen.secret"
+    #    config.module.cluster.services.tinc.secret.hosts.sternchen.tincIp
+    #  ];
+    #  publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
+    #};
+    #"sterni.private" = {
+    #  hostNames = [
+    #    "sterni.private"
+    #    "sterni.secret"
+    #    config.module.cluster.services.tinc.private.hosts.sterni.tincIp
+    #    config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
+    #  ];
+    #  publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
+    #};
+    #"pepe.private" = {
+    #  hostNames = [
+    #    "pepe.private"
+    #    "pepe.lan"
+    #    config.module.cluster.services.tinc.private.hosts.pepe.tincIp
+    #  ];
+    #  publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
+    #};
+    #"bobi.private" = {
+    #  hostNames = [
+    #    "bobi.private"
+    #    config.module.cluster.services.tinc.private.hosts.bobi.tincIp
+    #  ];
+    #  publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
+    #};
+    #"mobi.private" = {
+    #  hostNames = [
+    #    "mobi.private"
+    #    config.module.cluster.services.tinc.private.hosts.mobi.tincIp
+    #  ];
+    #  publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
+    #};
  };
 }
--- a/nixos/components/network/tinc/default.nix
+++ b/nixos/components/network/tinc/default.nix
@ -1,14 +1,14 @@
 {

  imports = [
-    ./private.nix
-    ./retiolum.nix
-    ./secret.nix
+    #./private.nix
+    #./retiolum.nix
+    #./secret.nix
  ];

  # keys for secret and private tinc network
  sops.secrets.tinc_ed25519_key = { };
-  sops.secrets.tinc_rsa_key = { };
+  #sops.secrets.tinc_rsa_key = { };

 }

--- a/nixos/machines/pepe/neo4j.nix
+++ b/nixos/machines/pepe/neo4j.nix
@ -59,28 +59,28 @@

  # nginx publishing
  # ----------------
-  services.nginx.streamConfig = ''
-    # configure neo4j bolt port
-    server {
-        allow 192.168.0.0/16; # allow private ip range class c
-        allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
-        deny all;
-        listen 7687;
-        proxy_pass localhost:17687;
-    }
-  '';
+  #services.nginx.streamConfig = ''
+  #  # configure neo4j bolt port
+  #  server {
+  #      allow 192.168.0.0/16; # allow private ip range class c
+  #      allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
+  #      deny all;
+  #      listen 7687;
+  #      proxy_pass localhost:17687;
+  #  }
+  #'';

-  services.nginx.virtualHosts."neo4j.${config.networking.hostName}.private" = {
-    serverAliases = [ config.networking.hostName ];
-    locations."/" = {
-      extraConfig = ''
-        allow 192.168.0.0/16; # allow private ip range class c
-        allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
-        deny all;
-      '';
-      proxyPass = "http://localhost:7474";
-    };
-  };
+  #services.nginx.virtualHosts."neo4j.${config.networking.hostName}.private" = {
+  #  serverAliases = [ config.networking.hostName ];
+  #  locations."/" = {
+  #    extraConfig = ''
+  #      allow 192.168.0.0/16; # allow private ip range class c
+  #      allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
+  #      deny all;
+  #    '';
+  #    proxyPass = "http://localhost:7474";
+  #  };
+  #};

  networking.firewall.allowedTCPPorts = [ 80 7687 ];
  #networking.firewall.allowedUDPPorts = [ 80 ];
--- a/nixos/machines/robi/grafana.nix
+++ b/nixos/machines/robi/grafana.nix
@ -14,25 +14,25 @@
    };
  };

-  services.grafana = {
-    enable = true;
-    port = 5656;
-    addr =
-      config.module.cluster.services.tinc."private".hosts."${config.networking.hostName}".tincIp;
-    auth.anonymous = {
-      enable = true;
-      org_role = "Editor";
-      org_name = "AWESOME";
-    };
-    provision = {
-      enable = true;
-      datasources = [{
-        type = "prometheus";
-        isDefault = true;
-        name = "Prometheus Workhorse";
-        url = "http://workhorse.private:9090";
-      }];
-    };
-  };
+  #services.grafana = {
+  #  enable = true;
+  #  port = 5656;
+  #  addr =
+  #    config.module.cluster.services.tinc."private".hosts."${config.networking.hostName}".tincIp;
+  #  auth.anonymous = {
+  #    enable = true;
+  #    org_role = "Editor";
+  #    org_name = "AWESOME";
+  #  };
+  #  provision = {
+  #    enable = true;
+  #    datasources = [{
+  #      type = "prometheus";
+  #      isDefault = true;
+  #      name = "Prometheus Workhorse";
+  #      url = "http://workhorse.private:9090";
+  #    }];
+  #  };
+  #};

 }
--- a/nixos/machines/robi/transmission.nix
+++ b/nixos/machines/robi/transmission.nix
@ -290,20 +290,20 @@ in

  # curl -H "Host: transmission.robi.private" https://robi.private/  < will work
  # curl -H "Host: transmission.robi.private" https://144.76.13.147/ < wont work
-  services.nginx = {
-    enable = true;
-    recommendedProxySettings = true;
-    virtualHosts = {
-      "transmission.${config.networking.hostName}.private" = {
-        extraConfig = ''
-          allow ${config.module.cluster.services.tinc.private.networkSubnet};
-          deny all;
-        '';
-        locations."/" = {
-          proxyPass = "http://${containerAddress}:${toString uiPort}";
-        };
-      };
-    };
-  };
+  #services.nginx = {
+  #  enable = true;
+  #  recommendedProxySettings = true;
+  #  virtualHosts = {
+  #    "transmission.${config.networking.hostName}.private" = {
+  #      extraConfig = ''
+  #        allow ${config.module.cluster.services.tinc.private.networkSubnet};
+  #        deny all;
+  #      '';
+  #      locations."/" = {
+  #        proxyPass = "http://${containerAddress}:${toString uiPort}";
+  #      };
+  #    };
+  #  };
+  #};

 }
--- a/nixos/machines/robi/transmission2.nix
+++ b/nixos/machines/robi/transmission2.nix
@ -168,20 +168,20 @@ in

  # curl -H "Host: transmission.robi.private" https://robi.private/  < will work
  # curl -H "Host: transmission.robi.private" https://144.76.13.147/ < wont work
-  services.nginx = {
-    enable = true;
-    recommendedProxySettings = true;
-    virtualHosts = {
-      "transmission2.${config.networking.hostName}.private" = {
-        extraConfig = ''
-          allow ${config.module.cluster.services.tinc.private.networkSubnet};
-          deny all;
-        '';
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString uiPort}";
-        };
-      };
-    };
-  };
+  #services.nginx = {
+  #  enable = true;
+  #  recommendedProxySettings = true;
+  #  virtualHosts = {
+  #    "transmission2.${config.networking.hostName}.private" = {
+  #      extraConfig = ''
+  #        allow ${config.module.cluster.services.tinc.private.networkSubnet};
+  #        deny all;
+  #      '';
+  #      locations."/" = {
+  #        proxyPass = "http://127.0.0.1:${toString uiPort}";
+  #      };
+  #    };
+  #  };
+  #};

 }
--- a/nixos/machines/sterni/tinc.nix
+++ b/nixos/machines/sterni/tinc.nix
@ -1,33 +1,78 @@
 { config, lib, pkgs, ... }:

 with lib;
+let ipv4 = "10.23.42.24";
+in

 {

-  module.cluster.services.tinc = {
+  # module.cluster.services.tinc = {
+  #   "private" = {
+  #     enable = true;
+  #     openPort = true;
+  #     connectTo = [ "robi" ];
+  #   };
+  #   "retiolum" = {
+  #     enable = true;
+  #     openPort = true;
+  #   };
+  #   "secret" = {
+  #     enable = true;
+  #     openPort = true;
+  #     connectTo = [ "robi" ];
+  #   };
+  # };
+
+  #sops.secrets.tinc_retiolum_ed25519_key = { };
+  #sops.secrets.tinc_retiolum_rsa_key = { };
+
+  #users.users."tinc.retiolum".group = "tinc.retiolum";
+  #users.groups."tinc.retiolum" = { };
+
+  #users.users."tinc.secret".group = "tinc.secret";
+  #users.groups."tinc.secret" = { };
+
+
+  services.tinc.networks = {
    "private" = {
-      enable = true;
-      openPort = true;
-      connectTo = [ "robi" ];
-    };
-    "retiolum" = {
-      enable = true;
-      openPort = true;
-    };
-    "secret" = {
-      enable = true;
-      openPort = true;
-      connectTo = [ "robi" ];
+      ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
+      hostSettings = {
+        mobi = {
+          subnets = [{ address = "10.23.42.23"; }];
+          settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
+        };
+        sterni = {
+          subnets = [{ address = "10.23.42.24"; }];
+          settings.Ed25519PublicKey = "Hm+YwSe6XiRNQD4HfJPgTB8UFVMyVi0vy+3ofMnW6jD";
+        };
+        bobi = {
+          subnets = [{ address = "10.23.42.25"; }];
+          settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
+        };
+        pepe = {
+          subnets = [{ address = "10.23.42.26"; }];
+          settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
+        };
+        robi = {
+          addresses = [{ address = "144.76.13.147"; }];
+          subnets = [{ address = "10.23.42.111"; }];
+          settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
+        };
+      };
    };
  };

-  sops.secrets.tinc_retiolum_ed25519_key = { };
-  sops.secrets.tinc_retiolum_rsa_key = { };
-
-  users.users."tinc.retiolum".group = "tinc.retiolum";
-  users.groups."tinc.retiolum" = { };
-
-  users.users."tinc.secret".group = "tinc.secret";
-  users.groups."tinc.secret" = { };

+  systemd.network.enable = true;
+  systemd.network.networks."private".extraConfig = ''
+    [Match]
+    Name = tinc.private
+    [Link]
+    # tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
+    MTUBytes=1377
+    [Network]
+    ${optionalString (ipv4 != null) "Address=${ipv4}/24"}
+    RequiredForOnline = no
+    LinkLocalAddressing = no
+  '';
 }
--- a/nixos/system/all/default.nix
+++ b/nixos/system/all/default.nix
@ -14,7 +14,7 @@
    #<cleverca22/qemu.nix>

    ./grub.nix
-    ./networking-qos.nix
+    #./networking-qos.nix
    ./nginx-landingpage.nix
    ./nginx.nix
    ./packages.nix
--- a/nixos/system/all/defaults.nix
+++ b/nixos/system/all/defaults.nix
@ -51,10 +51,10 @@

  # extra hosts
  # /etc/hosts
-  networking.extraHosts = ''
-    ${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission.robi.private
-    ${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission2.robi.private
-  '';
+  #networking.extraHosts = ''
+  #  ${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission.robi.private
+  #  ${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission2.robi.private
+  #'';


 }
--- a/nixos/system/all/networking-qos.nix
+++ b/nixos/system/all/networking-qos.nix
@ -39,9 +39,9 @@
      tincOutput = kbits (config.configuration.fireqos.output * 0.7);
      useBalancedForExperimenting = false;

-      tincPorts =
-        lib.mapAttrsToList (name: configuration: toString configuration.port)
-          config.module.cluster.services.tinc;
+      #tincPorts =
+      #  lib.mapAttrsToList (name: configuration: toString configuration.port)
+      #    config.module.cluster.services.tinc;

    in
    {
@ -63,8 +63,8 @@
        class http commit 80%
          match tcp port 80,443

-        class tinc commit 80%
-          match port ${lib.concatStringsSep "," tincPorts}
+        #class tinc commit 80%
+        #  match port ${lib.concatStringsSep "," tincPorts}

        class surfing commit 30%
          match tcp sports 0:1023   # include TCP traffic from port 0-1023
--- a/nixos/system/all/nginx-landingpage.nix
+++ b/nixos/system/all/nginx-landingpage.nix
@ -5,18 +5,18 @@
    locations."/" = {
      root = pkgs.landingpage.override {
        jsonConfig = [
-          { title = "System Links"; }
-          {
-            text = "Syncthings";
-            items = map
-              ({ name, host ? "${name}.private", ... }: {
-                label = name;
-                href = "http://${host}:8384/";
-                image = "https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif";
-              })
-              (map (name: { inherit name; }) (lib.attrNames
-                config.module.cluster.services.tinc."private".hosts));
-          }
+          #{ title = "System Links"; }
+          #{
+          #  text = "Syncthings";
+          #  items = map
+          #    ({ name, host ? "${name}.private", ... }: {
+          #      label = name;
+          #      href = "http://${host}:8384/";
+          #      image = "https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif";
+          #    })
+          #    (map (name: { inherit name; }) (lib.attrNames
+          #      config.module.cluster.services.tinc."private".hosts));
+          #}
          {
            text = "netdata";
            items = map
--- a/nixos/system/desktop/dnsmasq.nix
+++ b/nixos/system/desktop/dnsmasq.nix
@ -3,12 +3,12 @@
 with lib;

 {
-  services.dnsmasq = {
-    enable = mkDefault true;
-    extraConfig = ''
-      ${concatStringsSep "\n"
-      (flip mapAttrsToList config.module.cluster.services.tinc."private".hosts
-        (name: attrs: "address=/.${name}.private/${attrs.tincIp}"))}
-    '';
-  };
+  #  services.dnsmasq = {
+  #    enable = mkDefault true;
+  #    extraConfig = ''
+  #      ${concatStringsSep "\n"
+  #      (flip mapAttrsToList config.module.cluster.services.tinc."private".hosts
+  #        (name: attrs: "address=/.${name}.private/${attrs.tincIp}"))}
+  #    '';
+  #  };
 }