fiddeling around with tinc and make it work only on sterni
parent
987f7704a5
commit
4b9cfdcc6e
16
flake.lock
16
flake.lock
|
@ -19,21 +19,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"cluster-module": {
|
||||
"locked": {
|
||||
"lastModified": 1635790675,
|
||||
"narHash": "sha256-hWwS/sX46dEIw+swRfB8KZq0T/gDpryswTkZy5n0BAc=",
|
||||
"owner": "mrvandalo",
|
||||
"repo": "module.cluster",
|
||||
"rev": "299f5e9f4d9faa2abce40ae853601e11eecd7383",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "mrvandalo",
|
||||
"repo": "module.cluster",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"colmena": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
|
@ -895,7 +880,6 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"cluster-module": "cluster-module",
|
||||
"colmena": "colmena",
|
||||
"doom-emacs-nix": "doom-emacs-nix",
|
||||
"emacs-overlay": "emacs-overlay_2",
|
||||
|
|
16
flake.nix
16
flake.nix
|
@ -42,10 +42,10 @@
|
|||
url = "github:mrvandalo/home-manager-utils";
|
||||
inputs.home-manager.follows = "home-manager";
|
||||
};
|
||||
cluster-module = {
|
||||
url = "github:mrvandalo/module.cluster";
|
||||
#url = "git+file:///home/palo/dev/nixos/module.cluster";
|
||||
};
|
||||
#cluster-module = {
|
||||
# url = "github:mrvandalo/module.cluster";
|
||||
# #url = "git+file:///home/palo/dev/nixos/module.cluster";
|
||||
#};
|
||||
nixpkgs-fmt = {
|
||||
url = "github:nix-community/nixpkgs-fmt";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -75,7 +75,7 @@
|
|||
|
||||
outputs =
|
||||
{ self
|
||||
, cluster-module
|
||||
#, cluster-module
|
||||
, colmena
|
||||
, doom-emacs-nix
|
||||
, emacs-overlay
|
||||
|
@ -170,7 +170,7 @@
|
|||
];
|
||||
imports = [
|
||||
./nixos/machines/${name}/configuration.nix
|
||||
cluster-module.nixosModules.tinc
|
||||
#cluster-module.nixosModules.tinc
|
||||
(sopsModule name)
|
||||
home-manager.nixosModules.home-manager
|
||||
permown.nixosModules.permown
|
||||
|
@ -181,7 +181,9 @@
|
|||
|
||||
sterni = { name, nodes, pkgs, ... }: {
|
||||
deployment.allowLocalDeployment = true;
|
||||
deployment.targetHost = "${name}.private";
|
||||
#deployment.targetHost = "${name}.private";
|
||||
#deployment.targetHost = "10.23.42.24";
|
||||
deployment.targetHost = "localhost";
|
||||
deployment.tags = [ "desktop" "online" "private" ];
|
||||
imports = [
|
||||
grocy-scanner.nixosModule
|
||||
|
|
|
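Review bot: Pinning sterni's `deployment.targetHost` to the literal `"localhost"` in the last hunk means a plain `colmena apply` run from any other machine would SSH into the deployer's own loopback and switch it to sterni's configuration. Since `deployment.allowLocalDeployment = true;` is already set on the line above, the safer form for a node that should only ever be deployed from itself is `deployment.targetHost = null;`, which as far as I recall Colmena's option docs restricts the node to `colmena apply-local`. The earlier hunks drop the `cluster-module` input and its `cluster-module.nixosModules.tinc` import, which the flake.lock hunks corroborate, and the other files that read `config.module.cluster.services.tinc.*` are commented out in the same commit, so that side looks consistent. The `sterni` node definition continues past the end of the hunk.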
@ -22,43 +22,43 @@
|
|||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
|
||||
};
|
||||
"sternchen.secret" = {
|
||||
hostNames = [
|
||||
"sternchen.secret"
|
||||
config.module.cluster.services.tinc.secret.hosts.sternchen.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
|
||||
};
|
||||
"sterni.private" = {
|
||||
hostNames = [
|
||||
"sterni.private"
|
||||
"sterni.secret"
|
||||
config.module.cluster.services.tinc.private.hosts.sterni.tincIp
|
||||
config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
|
||||
};
|
||||
"pepe.private" = {
|
||||
hostNames = [
|
||||
"pepe.private"
|
||||
"pepe.lan"
|
||||
config.module.cluster.services.tinc.private.hosts.pepe.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
|
||||
};
|
||||
"bobi.private" = {
|
||||
hostNames = [
|
||||
"bobi.private"
|
||||
config.module.cluster.services.tinc.private.hosts.bobi.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
|
||||
};
|
||||
"mobi.private" = {
|
||||
hostNames = [
|
||||
"mobi.private"
|
||||
config.module.cluster.services.tinc.private.hosts.mobi.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
|
||||
};
|
||||
#"sternchen.secret" = {
|
||||
# hostNames = [
|
||||
# "sternchen.secret"
|
||||
# config.module.cluster.services.tinc.secret.hosts.sternchen.tincIp
|
||||
# ];
|
||||
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
|
||||
#};
|
||||
#"sterni.private" = {
|
||||
# hostNames = [
|
||||
# "sterni.private"
|
||||
# "sterni.secret"
|
||||
# config.module.cluster.services.tinc.private.hosts.sterni.tincIp
|
||||
# config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
|
||||
# ];
|
||||
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
|
||||
#};
|
||||
#"pepe.private" = {
|
||||
# hostNames = [
|
||||
# "pepe.private"
|
||||
# "pepe.lan"
|
||||
# config.module.cluster.services.tinc.private.hosts.pepe.tincIp
|
||||
# ];
|
||||
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
|
||||
#};
|
||||
#"bobi.private" = {
|
||||
# hostNames = [
|
||||
# "bobi.private"
|
||||
# config.module.cluster.services.tinc.private.hosts.bobi.tincIp
|
||||
# ];
|
||||
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
|
||||
#};
|
||||
#"mobi.private" = {
|
||||
# hostNames = [
|
||||
# "mobi.private"
|
||||
# config.module.cluster.services.tinc.private.hosts.mobi.tincIp
|
||||
# ];
|
||||
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
|
||||
#};
|
||||
};
|
||||
}
|
||||
|
|
|
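Review bot: Commenting out the whole `"sternchen.secret"`, `"sterni.private"`, `"pepe.private"`, `"bobi.private"` and `"mobi.private"` entries removes the SSH host-key pins for those machines, although in each entry only the `config.module.cluster.services.tinc.*.tincIp` line depended on the dropped cluster module (assuming, as the flake.lock hunks suggest for the rest of the commit, that the commented copies are the new side). Without the entries every first connection to those names falls back to trust-on-first-use, and a later key change is no longer a hard failure. Keeping each entry with its literal names and the existing `publicKey` and deleting only the `tincIp` line preserves the pins, e.g. `hostNames = [ "pepe.private" "pepe.lan" ];` with the `publicKey` line unchanged. The enclosing attribute set (presumably `programs.ssh.knownHosts`, not visible here) starts before the hunk.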
@ -1,14 +1,14 @@
|
|||
{
|
||||
|
||||
imports = [
|
||||
./private.nix
|
||||
./retiolum.nix
|
||||
./secret.nix
|
||||
#./private.nix
|
||||
#./retiolum.nix
|
||||
#./secret.nix
|
||||
];
|
||||
|
||||
# keys for secret and private tinc network
|
||||
sops.secrets.tinc_ed25519_key = { };
|
||||
sops.secrets.tinc_rsa_key = { };
|
||||
#sops.secrets.tinc_rsa_key = { };
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -59,28 +59,28 @@
|
|||
|
||||
# nginx publishing
|
||||
# ----------------
|
||||
services.nginx.streamConfig = ''
|
||||
# configure neo4j bolt port
|
||||
server {
|
||||
allow 192.168.0.0/16; # allow private ip range class c
|
||||
allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
|
||||
deny all;
|
||||
listen 7687;
|
||||
proxy_pass localhost:17687;
|
||||
}
|
||||
'';
|
||||
#services.nginx.streamConfig = ''
|
||||
# # configure neo4j bolt port
|
||||
# server {
|
||||
# allow 192.168.0.0/16; # allow private ip range class c
|
||||
# allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
|
||||
# deny all;
|
||||
# listen 7687;
|
||||
# proxy_pass localhost:17687;
|
||||
# }
|
||||
#'';
|
||||
|
||||
services.nginx.virtualHosts."neo4j.${config.networking.hostName}.private" = {
|
||||
serverAliases = [ config.networking.hostName ];
|
||||
locations."/" = {
|
||||
extraConfig = ''
|
||||
allow 192.168.0.0/16; # allow private ip range class c
|
||||
allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
|
||||
deny all;
|
||||
'';
|
||||
proxyPass = "http://localhost:7474";
|
||||
};
|
||||
};
|
||||
#services.nginx.virtualHosts."neo4j.${config.networking.hostName}.private" = {
|
||||
# serverAliases = [ config.networking.hostName ];
|
||||
# locations."/" = {
|
||||
# extraConfig = ''
|
||||
# allow 192.168.0.0/16; # allow private ip range class c
|
||||
# allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
|
||||
# deny all;
|
||||
# '';
|
||||
# proxyPass = "http://localhost:7474";
|
||||
# };
|
||||
#};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 7687 ];
|
||||
#networking.firewall.allowedUDPPorts = [ 80 ];
|
||||
|
|
|
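Review bot: `networking.firewall.allowedTCPPorts = [ 80 7687 ];` stays as a context line while the nginx `stream` server that gated port 7687 with `allow 192.168.0.0/16`, `allow <private tinc subnet>` and `deny all` is commented out, so 7687 remains open on every interface with nothing enforcing the private-range restriction. Nothing should be listening there once the proxy to `localhost:17687` is gone, but any service later bound to 7687 would be reachable without the access control the old configuration provided. If the stream proxy is dropped the port should go with it, `networking.firewall.allowedTCPPorts = [ 80 ];`, or the `server { … }` block could be kept with a literal subnet in place of the `${config.module.cluster…}` interpolation. The neo4j HTTP vhost on 7474 is removed the same way; port 80 presumably still serves other vhosts, which I cannot confirm from this hunk.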
@ -14,25 +14,25 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
port = 5656;
|
||||
addr =
|
||||
config.module.cluster.services.tinc."private".hosts."${config.networking.hostName}".tincIp;
|
||||
auth.anonymous = {
|
||||
enable = true;
|
||||
org_role = "Editor";
|
||||
org_name = "AWESOME";
|
||||
};
|
||||
provision = {
|
||||
enable = true;
|
||||
datasources = [{
|
||||
type = "prometheus";
|
||||
isDefault = true;
|
||||
name = "Prometheus Workhorse";
|
||||
url = "http://workhorse.private:9090";
|
||||
}];
|
||||
};
|
||||
};
|
||||
#services.grafana = {
|
||||
# enable = true;
|
||||
# port = 5656;
|
||||
# addr =
|
||||
# config.module.cluster.services.tinc."private".hosts."${config.networking.hostName}".tincIp;
|
||||
# auth.anonymous = {
|
||||
# enable = true;
|
||||
# org_role = "Editor";
|
||||
# org_name = "AWESOME";
|
||||
# };
|
||||
# provision = {
|
||||
# enable = true;
|
||||
# datasources = [{
|
||||
# type = "prometheus";
|
||||
# isDefault = true;
|
||||
# name = "Prometheus Workhorse";
|
||||
# url = "http://workhorse.private:9090";
|
||||
# }];
|
||||
# };
|
||||
#};
|
||||
|
||||
}
|
||||
|
|
|
@ -290,20 +290,20 @@ in
|
|||
|
||||
# curl -H "Host: transmission.robi.private" https://robi.private/ < will work
|
||||
# curl -H "Host: transmission.robi.private" https://144.76.13.147/ < wont work
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts = {
|
||||
"transmission.${config.networking.hostName}.private" = {
|
||||
extraConfig = ''
|
||||
allow ${config.module.cluster.services.tinc.private.networkSubnet};
|
||||
deny all;
|
||||
'';
|
||||
locations."/" = {
|
||||
proxyPass = "http://${containerAddress}:${toString uiPort}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
#services.nginx = {
|
||||
# enable = true;
|
||||
# recommendedProxySettings = true;
|
||||
# virtualHosts = {
|
||||
# "transmission.${config.networking.hostName}.private" = {
|
||||
# extraConfig = ''
|
||||
# allow ${config.module.cluster.services.tinc.private.networkSubnet};
|
||||
# deny all;
|
||||
# '';
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://${containerAddress}:${toString uiPort}";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
#};
|
||||
|
||||
}
|
||||
|
|
|
@ -168,20 +168,20 @@ in
|
|||
|
||||
# curl -H "Host: transmission.robi.private" https://robi.private/ < will work
|
||||
# curl -H "Host: transmission.robi.private" https://144.76.13.147/ < wont work
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts = {
|
||||
"transmission2.${config.networking.hostName}.private" = {
|
||||
extraConfig = ''
|
||||
allow ${config.module.cluster.services.tinc.private.networkSubnet};
|
||||
deny all;
|
||||
'';
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString uiPort}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
#services.nginx = {
|
||||
# enable = true;
|
||||
# recommendedProxySettings = true;
|
||||
# virtualHosts = {
|
||||
# "transmission2.${config.networking.hostName}.private" = {
|
||||
# extraConfig = ''
|
||||
# allow ${config.module.cluster.services.tinc.private.networkSubnet};
|
||||
# deny all;
|
||||
# '';
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://127.0.0.1:${toString uiPort}";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
#};
|
||||
|
||||
}
|
||||
|
|
|
@ -1,33 +1,78 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let ipv4 = "10.23.42.24";
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
module.cluster.services.tinc = {
|
||||
# module.cluster.services.tinc = {
|
||||
# "private" = {
|
||||
# enable = true;
|
||||
# openPort = true;
|
||||
# connectTo = [ "robi" ];
|
||||
# };
|
||||
# "retiolum" = {
|
||||
# enable = true;
|
||||
# openPort = true;
|
||||
# };
|
||||
# "secret" = {
|
||||
# enable = true;
|
||||
# openPort = true;
|
||||
# connectTo = [ "robi" ];
|
||||
# };
|
||||
# };
|
||||
|
||||
#sops.secrets.tinc_retiolum_ed25519_key = { };
|
||||
#sops.secrets.tinc_retiolum_rsa_key = { };
|
||||
|
||||
#users.users."tinc.retiolum".group = "tinc.retiolum";
|
||||
#users.groups."tinc.retiolum" = { };
|
||||
|
||||
#users.users."tinc.secret".group = "tinc.secret";
|
||||
#users.groups."tinc.secret" = { };
|
||||
|
||||
|
||||
services.tinc.networks = {
|
||||
"private" = {
|
||||
enable = true;
|
||||
openPort = true;
|
||||
connectTo = [ "robi" ];
|
||||
};
|
||||
"retiolum" = {
|
||||
enable = true;
|
||||
openPort = true;
|
||||
};
|
||||
"secret" = {
|
||||
enable = true;
|
||||
openPort = true;
|
||||
connectTo = [ "robi" ];
|
||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
|
||||
hostSettings = {
|
||||
mobi = {
|
||||
subnets = [{ address = "10.23.42.23"; }];
|
||||
settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
|
||||
};
|
||||
sterni = {
|
||||
subnets = [{ address = "10.23.42.24"; }];
|
||||
settings.Ed25519PublicKey = "Hm+YwSe6XiRNQD4HfJPgTB8UFVMyVi0vy+3ofMnW6jD";
|
||||
};
|
||||
bobi = {
|
||||
subnets = [{ address = "10.23.42.25"; }];
|
||||
settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
|
||||
};
|
||||
pepe = {
|
||||
subnets = [{ address = "10.23.42.26"; }];
|
||||
settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
|
||||
};
|
||||
robi = {
|
||||
addresses = [{ address = "144.76.13.147"; }];
|
||||
subnets = [{ address = "10.23.42.111"; }];
|
||||
settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets.tinc_retiolum_ed25519_key = { };
|
||||
sops.secrets.tinc_retiolum_rsa_key = { };
|
||||
|
||||
users.users."tinc.retiolum".group = "tinc.retiolum";
|
||||
users.groups."tinc.retiolum" = { };
|
||||
|
||||
users.users."tinc.secret".group = "tinc.secret";
|
||||
users.groups."tinc.secret" = { };
|
||||
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."private".extraConfig = ''
|
||||
[Match]
|
||||
Name = tinc.private
|
||||
[Link]
|
||||
# tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
|
||||
MTUBytes=1377
|
||||
[Network]
|
||||
${optionalString (ipv4 != null) "Address=${ipv4}/24"}
|
||||
RequiredForOnline = no
|
||||
LinkLocalAddressing = no
|
||||
'';
|
||||
}
|
||||
|
|
|
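Review bot: The new `services.tinc.networks` block sets `enable`, `openPort` and `connectTo` on each network, but those are options of the removed `module.cluster.services.tinc` module (visible in the commented block above), not of the NixOS tinc module, so evaluation should fail with an undefined-option error unless another module in the repo declares them. The upstream equivalents are, as far as I recall, `settings.ConnectTo = [ "robi" ];` for the peer list and explicit `networking.firewall.allowedTCPPorts` / `allowedUDPPorts` entries for the listening port in place of `openPort`, while `enable` can simply be dropped. Only `secret` gets `ed25519PrivateKeyFile` and `hostSettings`; `private` and `retiolum` have no key file and no peers even though `sops.secrets.tinc_retiolum_ed25519_key`, `tinc_retiolum_rsa_key` and the `tinc.retiolum` user/group are set up further down, so the retiolum wiring appears unfinished. The `[Network]` section also hard-codes sterni's `10.23.42.24` through `ipv4`, which matches `hostSettings.sterni.subnets` but ties this file to a single host.
```nix
services.tinc.networks = {
  "private" = {
    settings.ConnectTo = [ "robi" ];
  };
  # … unchanged: "retiolum" and "secret", with the same substitution and the existing hostSettings …
};
# replaces openPort = true on each network; 655 is tinc's default listening port
networking.firewall.allowedTCPPorts = [ 655 ];
networking.firewall.allowedUDPPorts = [ 655 ];
```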
@ -14,7 +14,7 @@
|
|||
#<cleverca22/qemu.nix>
|
||||
|
||||
./grub.nix
|
||||
./networking-qos.nix
|
||||
#./networking-qos.nix
|
||||
./nginx-landingpage.nix
|
||||
./nginx.nix
|
||||
./packages.nix
|
||||
|
|
|
@ -51,10 +51,10 @@
|
|||
|
||||
# extra hosts
|
||||
# /etc/hosts
|
||||
networking.extraHosts = ''
|
||||
${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission.robi.private
|
||||
${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission2.robi.private
|
||||
'';
|
||||
#networking.extraHosts = ''
|
||||
# ${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission.robi.private
|
||||
# ${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission2.robi.private
|
||||
#'';
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -39,9 +39,9 @@
|
|||
tincOutput = kbits (config.configuration.fireqos.output * 0.7);
|
||||
useBalancedForExperimenting = false;
|
||||
|
||||
tincPorts =
|
||||
lib.mapAttrsToList (name: configuration: toString configuration.port)
|
||||
config.module.cluster.services.tinc;
|
||||
#tincPorts =
|
||||
# lib.mapAttrsToList (name: configuration: toString configuration.port)
|
||||
# config.module.cluster.services.tinc;
|
||||
|
||||
in
|
||||
{
|
||||
|
@ -63,8 +63,8 @@
|
|||
class http commit 80%
|
||||
match tcp port 80,443
|
||||
|
||||
class tinc commit 80%
|
||||
match port ${lib.concatStringsSep "," tincPorts}
|
||||
#class tinc commit 80%
|
||||
# match port ${lib.concatStringsSep "," tincPorts}
|
||||
|
||||
class surfing commit 30%
|
||||
match tcp sports 0:1023 # include TCP traffic from port 0-1023
|
||||
|
|
|
@ -5,18 +5,18 @@
|
|||
locations."/" = {
|
||||
root = pkgs.landingpage.override {
|
||||
jsonConfig = [
|
||||
{ title = "System Links"; }
|
||||
{
|
||||
text = "Syncthings";
|
||||
items = map
|
||||
({ name, host ? "${name}.private", ... }: {
|
||||
label = name;
|
||||
href = "http://${host}:8384/";
|
||||
image = "https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif";
|
||||
})
|
||||
(map (name: { inherit name; }) (lib.attrNames
|
||||
config.module.cluster.services.tinc."private".hosts));
|
||||
}
|
||||
#{ title = "System Links"; }
|
||||
#{
|
||||
# text = "Syncthings";
|
||||
# items = map
|
||||
# ({ name, host ? "${name}.private", ... }: {
|
||||
# label = name;
|
||||
# href = "http://${host}:8384/";
|
||||
# image = "https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif";
|
||||
# })
|
||||
# (map (name: { inherit name; }) (lib.attrNames
|
||||
# config.module.cluster.services.tinc."private".hosts));
|
||||
#}
|
||||
{
|
||||
text = "netdata";
|
||||
items = map
|
||||
|
|
|
@ -3,12 +3,12 @@
|
|||
with lib;
|
||||
|
||||
{
|
||||
services.dnsmasq = {
|
||||
enable = mkDefault true;
|
||||
extraConfig = ''
|
||||
${concatStringsSep "\n"
|
||||
(flip mapAttrsToList config.module.cluster.services.tinc."private".hosts
|
||||
(name: attrs: "address=/.${name}.private/${attrs.tincIp}"))}
|
||||
'';
|
||||
};
|
||||
# services.dnsmasq = {
|
||||
# enable = mkDefault true;
|
||||
# extraConfig = ''
|
||||
# ${concatStringsSep "\n"
|
||||
# (flip mapAttrsToList config.module.cluster.services.tinc."private".hosts
|
||||
# (name: attrs: "address=/.${name}.private/${attrs.tincIp}"))}
|
||||
# '';
|
||||
# };
|
||||
}
|
||||
|
|