migrate to upstream tinc
parent
987f7704a5
commit
aa98cc770d
16
flake.lock
16
flake.lock
|
@ -19,21 +19,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"cluster-module": {
|
||||
"locked": {
|
||||
"lastModified": 1635790675,
|
||||
"narHash": "sha256-hWwS/sX46dEIw+swRfB8KZq0T/gDpryswTkZy5n0BAc=",
|
||||
"owner": "mrvandalo",
|
||||
"repo": "module.cluster",
|
||||
"rev": "299f5e9f4d9faa2abce40ae853601e11eecd7383",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "mrvandalo",
|
||||
"repo": "module.cluster",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"colmena": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
|
@ -895,7 +880,6 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"cluster-module": "cluster-module",
|
||||
"colmena": "colmena",
|
||||
"doom-emacs-nix": "doom-emacs-nix",
|
||||
"emacs-overlay": "emacs-overlay_2",
|
||||
|
|
|
@ -42,10 +42,6 @@
|
|||
url = "github:mrvandalo/home-manager-utils";
|
||||
inputs.home-manager.follows = "home-manager";
|
||||
};
|
||||
cluster-module = {
|
||||
url = "github:mrvandalo/module.cluster";
|
||||
#url = "git+file:///home/palo/dev/nixos/module.cluster";
|
||||
};
|
||||
nixpkgs-fmt = {
|
||||
url = "github:nix-community/nixpkgs-fmt";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -75,7 +71,6 @@
|
|||
|
||||
outputs =
|
||||
{ self
|
||||
, cluster-module
|
||||
, colmena
|
||||
, doom-emacs-nix
|
||||
, emacs-overlay
|
||||
|
@ -170,7 +165,6 @@
|
|||
];
|
||||
imports = [
|
||||
./nixos/machines/${name}/configuration.nix
|
||||
cluster-module.nixosModules.tinc
|
||||
(sopsModule name)
|
||||
home-manager.nixosModules.home-manager
|
||||
permown.nixosModules.permown
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
# generated by updateSshKeys.sh
|
||||
{ config, lib, ... }: {
|
||||
|
||||
services.openssh.knownHosts = {
|
||||
|
@ -22,43 +21,5 @@
|
|||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
|
||||
};
|
||||
"sternchen.secret" = {
|
||||
hostNames = [
|
||||
"sternchen.secret"
|
||||
config.module.cluster.services.tinc.secret.hosts.sternchen.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
|
||||
};
|
||||
"sterni.private" = {
|
||||
hostNames = [
|
||||
"sterni.private"
|
||||
"sterni.secret"
|
||||
config.module.cluster.services.tinc.private.hosts.sterni.tincIp
|
||||
config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
|
||||
};
|
||||
"pepe.private" = {
|
||||
hostNames = [
|
||||
"pepe.private"
|
||||
"pepe.lan"
|
||||
config.module.cluster.services.tinc.private.hosts.pepe.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
|
||||
};
|
||||
"bobi.private" = {
|
||||
hostNames = [
|
||||
"bobi.private"
|
||||
config.module.cluster.services.tinc.private.hosts.bobi.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
|
||||
};
|
||||
"mobi.private" = {
|
||||
hostNames = [
|
||||
"mobi.private"
|
||||
config.module.cluster.services.tinc.private.hosts.mobi.tincIp
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,14 +1,37 @@
|
|||
{ lib, config, ... }:
|
||||
with lib;
|
||||
{
|
||||
|
||||
imports = [
|
||||
./private.nix
|
||||
./retiolum.nix
|
||||
./secret.nix
|
||||
options.tinc = {
|
||||
private = {
|
||||
enable = mkEnableOption "private tinc setup";
|
||||
ipv4 = mkOption { type = types.str; };
|
||||
subnet = mkOption {
|
||||
type = types.str;
|
||||
default = "10.23.42.0/24";
|
||||
};
|
||||
};
|
||||
secret = {
|
||||
enable = mkEnableOption "secret tinc setup";
|
||||
ipv4 = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
(mkIf config.tinc.private.enable (import ./private.nix {
|
||||
ipv4 = config.tinc.private.ipv4;
|
||||
ipv6 = null;
|
||||
inherit (lib) optionalString concatStringsSep mapAttrsToList;
|
||||
inherit config;
|
||||
}))
|
||||
(mkIf config.tinc.secret.enable (import ./secret.nix {
|
||||
ipv4 = config.tinc.secret.ipv4;
|
||||
ipv6 = null;
|
||||
inherit (lib) optionalString concatStringsSep mapAttrsToList;
|
||||
inherit config;
|
||||
}))
|
||||
];
|
||||
|
||||
# keys for secret and private tinc network
|
||||
sops.secrets.tinc_ed25519_key = { };
|
||||
sops.secrets.tinc_rsa_key = { };
|
||||
|
||||
}
|
||||
|
||||
|
|
|
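Review bot: The single `sops.secrets.tinc_ed25519_key` declared here is handed to both networks (`ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path` in both the private.nix and secret.nix hunks), so one tinc identity serves two networks — visible in the identical `Ed25519PublicKey` strings for sterni and robi in both `hostSettings` blocks — and a compromise of either network's key material is a compromise of both. Consider one secret per network, for example `sops.secrets.tinc_private_ed25519_key` and `sops.secrets.tinc_secret_ed25519_key` (constructed names), declared inside the respective `mkIf` branch so a host without tinc does not need the secret at all. `sops.secrets.tinc_rsa_key` is declared unconditionally but no line on the new side references it; presumably it can be dropped or gated the same way — confirm retiolum.nix or the host configs do not rely on it. A short comment on `ipv6 = null;` saying that IPv6 is intentionally unused for now would explain why both imports pass it.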
@ -1,46 +1,100 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
networking.firewall.trustedInterfaces = [ "tinc.private" ];
|
||||
|
||||
users.groups."tinc.private" = { };
|
||||
users.users."tinc.private" = {
|
||||
group = "tinc.private";
|
||||
isSystemUser = lib.mkDefault true;
|
||||
{ ipv4
|
||||
, ipv6
|
||||
, config
|
||||
, optionalString
|
||||
, concatStringsSep
|
||||
, mapAttrsToList
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
hosts = {
|
||||
mobi = "10.23.42.23";
|
||||
sterni = "10.23.42.24";
|
||||
bobi = "10.23.42.25";
|
||||
pepe = "10.23.42.26";
|
||||
robi = "10.23.42.111";
|
||||
};
|
||||
subDomains = {
|
||||
"transmission.robi" = hosts.robi;
|
||||
"transmission2.robi" = hosts.robi;
|
||||
};
|
||||
network = "private";
|
||||
in
|
||||
{
|
||||
networking.firewall.trustedInterfaces = [ "tinc.${network}" ];
|
||||
|
||||
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
|
||||
module.cluster.services.tinc."private" = {
|
||||
networkSubnet = "10.23.42.0/24";
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
'';
|
||||
privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
|
||||
privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
|
||||
hosts = {
|
||||
pepe = {
|
||||
tincIp = "10.23.42.26";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/pepe_host_file;
|
||||
};
|
||||
sterni = {
|
||||
tincIp = "10.23.42.24";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
|
||||
};
|
||||
mobi = {
|
||||
tincIp = "10.23.42.23";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/mobi_host_file;
|
||||
};
|
||||
bobi = {
|
||||
tincIp = "10.23.42.25";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/bobi_host_file;
|
||||
};
|
||||
robi = {
|
||||
realAddress = [ "144.76.13.147" ];
|
||||
tincIp = "10.23.42.111";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
|
||||
sops.secrets.tinc_ed25519_key = { };
|
||||
|
||||
services.tinc.networks = {
|
||||
${network} = {
|
||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
|
||||
interfaceType = "tap";
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
'';
|
||||
hostSettings = {
|
||||
mobi = {
|
||||
subnets = [{ address = hosts.mobi; }];
|
||||
settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
|
||||
};
|
||||
sterni = {
|
||||
subnets = [{ address = hosts.sterni; }];
|
||||
settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
|
||||
};
|
||||
bobi = {
|
||||
subnets = [{ address = hosts.bobi; }];
|
||||
settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
|
||||
};
|
||||
pepe = {
|
||||
subnets = [{ address = hosts.pepe; }];
|
||||
settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
|
||||
};
|
||||
robi = {
|
||||
addresses = [{ address = "144.76.13.147"; }];
|
||||
subnets = [{ address = hosts.robi; }];
|
||||
settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks.${network}.extraConfig = ''
|
||||
[Match]
|
||||
Name = tinc.${network}
|
||||
[Link]
|
||||
# tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
|
||||
MTUBytes=1377
|
||||
[Network]
|
||||
${optionalString (ipv4 != null) "Address=${ipv4}/24"}
|
||||
${optionalString (ipv6 != null) "Address=${ipv6}/28"}
|
||||
RequiredForOnline = no
|
||||
LinkLocalAddressing = no
|
||||
'';
|
||||
|
||||
networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") (hosts // subDomains));
|
||||
|
||||
services.openssh.knownHosts = {
|
||||
"robi" = {
|
||||
hostNames = [ "robi.${network}" hosts.robi ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
|
||||
};
|
||||
"sterni.${network}" = {
|
||||
hostNames = [ "sterni.${network}" hosts.sterni ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
|
||||
};
|
||||
"pepe.${network}" = {
|
||||
hostNames = [ "pepe.${network}" hosts.pepe ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
|
||||
};
|
||||
"bobi.${network}" = {
|
||||
hostNames = [ "bobi.${network}" hosts.bobi ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
|
||||
};
|
||||
"mobi.${network}" = {
|
||||
hostNames = [ "mobi.${network}" hosts.mobi ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
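Review bot: Nothing in this file tells a node to initiate a connection: the old `connectTo = [ "robi" ]` and `openPort = true` (removed in the pepe and sterni tinc.nix hunks) have no counterpart here, `extraConfig` only sets `LocalDiscovery = yes`, and `addresses` on robi only tells peers where robi is. Unless `services.tinc` or retiolum.nix handles this elsewhere, the non-robi hosts need `ConnectTo = robi` in `extraConfig` and robi needs the tinc port opened in `networking.firewall`; the same gap exists in secret.nix, where the old `AutoConnect = yes` is dropped too. `ipv6` is always `null` from default.nix, so the `/28` address line is currently dead; a comment such as `# ipv6 is always null for now (see default.nix)` would make that explicit. The MTU comment refers to `turingmachine.r`, which is not a host of this network — presumably copied from a retiolum config, so confirm the value applies here.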
@ -1,33 +1,77 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ ipv4
|
||||
, ipv6
|
||||
, config
|
||||
, optionalString
|
||||
, concatStringsSep
|
||||
, mapAttrsToList
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
port = 721;
|
||||
hosts = {
|
||||
sternchen = "10.123.42.25";
|
||||
sterni = "10.123.42.24";
|
||||
robi = "10.123.42.123";
|
||||
};
|
||||
network = "secret";
|
||||
in
|
||||
{
|
||||
sops.secrets.tinc_ed25519_key = { };
|
||||
|
||||
|
||||
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
|
||||
module.cluster.services.tinc."secret" = {
|
||||
networkSubnet = "10.123.42.0/24";
|
||||
port = 721;
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
AutoConnect = yes
|
||||
'';
|
||||
privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
|
||||
privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
|
||||
hosts = {
|
||||
sternchen = {
|
||||
tincIp = "10.123.42.25";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/sternchen_host_file;
|
||||
};
|
||||
sterni = {
|
||||
tincIp = "10.123.42.24";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
|
||||
};
|
||||
robi = {
|
||||
realAddress = [ "144.76.13.147" ];
|
||||
tincIp = "10.123.42.123";
|
||||
publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
|
||||
services.tinc.networks = {
|
||||
${network} = {
|
||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
Port = ${toString port}
|
||||
'';
|
||||
hostSettings = {
|
||||
sternchen = {
|
||||
subnets = [{ address = hosts.sterni; }];
|
||||
settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
|
||||
};
|
||||
sterni = {
|
||||
subnets = [{ address = hosts.sterni; }];
|
||||
settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
|
||||
};
|
||||
robi = {
|
||||
addresses = [{ address = "144.76.13.147"; port = port; }];
|
||||
subnets = [{ address = hosts.robi; }];
|
||||
settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks.${network}.extraConfig = ''
|
||||
[Match]
|
||||
Name = tinc.${network}
|
||||
[Link]
|
||||
# tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
|
||||
MTUBytes=1377
|
||||
[Network]
|
||||
${optionalString (ipv4 != null) "Address=${ipv4}/24"}
|
||||
${optionalString (ipv6 != null) "Address=${ipv6}/28"}
|
||||
RequiredForOnline = no
|
||||
LinkLocalAddressing = no
|
||||
'';
|
||||
|
||||
networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") hosts);
|
||||
|
||||
services.openssh.knownHosts = {
|
||||
"sternchen.${network}" = {
|
||||
hostNames = [ "sterni.${network}" hosts.sterni ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
|
||||
};
|
||||
"sterni.${network}" = {
|
||||
hostNames = [ "sterni.${network}" hosts.sterni ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
|
||||
};
|
||||
"robi" = {
|
||||
hostNames = [ "robi.${network}" hosts.robi ];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
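Review bot: Two copy-paste slips in the sternchen entries: `hostSettings.sternchen.subnets = [{ address = hosts.sterni; }]` advertises sterni's address (10.123.42.24) for sternchen while `hosts.sternchen` (10.123.42.25) is never used as a subnet, so both nodes claim the same tinc subnet; and `services.openssh.knownHosts."sternchen.${network}".hostNames = [ "sterni.${network}" hosts.sterni ]` binds sternchen's SSH host key to sterni's names, leaving `sternchen.secret` with no pinned key and sterni with two conflicting ones. Change them to `subnets = [{ address = hosts.sternchen; }];` and `hostNames = [ "sternchen.${network}" hosts.sternchen ];`. `networking.extraHosts` still maps `sternchen.secret` to 10.123.42.25, so an ssh to that name would surface this as an unknown-host prompt rather than a pinned key.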
@ -53,13 +53,13 @@
|
|||
networking.dhcpcd.allowInterfaces = [ "enp0s25" ];
|
||||
|
||||
# nix-shell -p speedtest_cli --run speedtest
|
||||
configuration.fireqos = {
|
||||
enable = false;
|
||||
interface = "enp0s25";
|
||||
input = 200000;
|
||||
output = 2000;
|
||||
balance = false;
|
||||
};
|
||||
#configuration.fireqos = {
|
||||
# enable = false;
|
||||
# interface = "enp0s25";
|
||||
# input = 200000;
|
||||
# output = 2000;
|
||||
# balance = false;
|
||||
#};
|
||||
|
||||
services.printing.enable = false;
|
||||
services.smartd.enable = true;
|
||||
|
|
|
@ -1,89 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
# neo4j container managment
|
||||
# -------------------------
|
||||
|
||||
virtualisation.oci-containers.containers =
|
||||
let
|
||||
neo4j_config = {
|
||||
image = "neo4j";
|
||||
environment = {
|
||||
NEO4J_AUTH = "none"; # for development purpose
|
||||
NEO4J_apoc_export_file_enabled = "true";
|
||||
NEO4J_apoc_import_file_enabled = "true";
|
||||
NEO4J_apoc_import_file_use__neo4j__config = "true";
|
||||
NEO4JLABS_PLUGINS = ''["apoc","n10s"]'';
|
||||
};
|
||||
ports = [
|
||||
"127.0.0.1:7474:7474" # http port
|
||||
"127.0.0.1:17687:7687" # bolt port
|
||||
];
|
||||
volumes = [
|
||||
"/var/lib/neo4j/data:/data"
|
||||
"/var/lib/neo4j/logs:/logs"
|
||||
"/var/lib/neo4j/conf:/conf"
|
||||
"/var/lib/neo4j/import:/import" # for database imports
|
||||
"/var/lib/neo4j/plugins:/plugins"
|
||||
|
||||
];
|
||||
};
|
||||
in
|
||||
{
|
||||
neo4j = neo4j_config;
|
||||
#neo4jbackup = neo4j_config // {
|
||||
# autoStart = false;
|
||||
# volumes = [
|
||||
# "/var/lib/neo4j/data:/data"
|
||||
# "/var/lib/neo4j/backups:/backups"
|
||||
# ];
|
||||
# cmd = ["neo4j-admin" "dump" "--verbose" "--to=/backups/neo4j.dump"];
|
||||
#};
|
||||
};
|
||||
|
||||
#systemd.services."docker-neo4jbackup" = {
|
||||
# preStart = "systemctrl stop docker-neo4j";
|
||||
# postStop = "systemctrl start docker-neo4j";
|
||||
#};
|
||||
|
||||
|
||||
# backups
|
||||
# -------
|
||||
backup.dirs = [ "/var/lib/neo4j/backups" ];
|
||||
|
||||
# todo run frequently :
|
||||
# docker exec --interactive --tty neo4j neo4j-admin dump --verbose --to /dump/neo4j.dump
|
||||
# https://neo4j.com/docs/operations-manual/current/docker/maintenance/
|
||||
|
||||
|
||||
# nginx publishing
|
||||
# ----------------
|
||||
services.nginx.streamConfig = ''
|
||||
# configure neo4j bolt port
|
||||
server {
|
||||
allow 192.168.0.0/16; # allow private ip range class c
|
||||
allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
|
||||
deny all;
|
||||
listen 7687;
|
||||
proxy_pass localhost:17687;
|
||||
}
|
||||
'';
|
||||
|
||||
services.nginx.virtualHosts."neo4j.${config.networking.hostName}.private" = {
|
||||
serverAliases = [ config.networking.hostName ];
|
||||
locations."/" = {
|
||||
extraConfig = ''
|
||||
allow 192.168.0.0/16; # allow private ip range class c
|
||||
allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
|
||||
deny all;
|
||||
'';
|
||||
proxyPass = "http://localhost:7474";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 7687 ];
|
||||
#networking.firewall.allowedUDPPorts = [ 80 ];
|
||||
|
||||
|
||||
}
|
|
@ -1,23 +1,6 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
module.cluster.services.tinc = {
|
||||
"private" = {
|
||||
enable = true;
|
||||
openPort = true;
|
||||
connectTo = [ "robi" ];
|
||||
};
|
||||
"retiolum" = {
|
||||
enable = true;
|
||||
openPort = true;
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets.tinc_retiolum_ed25519_key = { };
|
||||
sops.secrets.tinc_retiolum_rsa_key = { };
|
||||
tinc.private.enable = true;
|
||||
tinc.private.ipv4 = "10.23.42.26";
|
||||
|
||||
users.users."tinc.retiolum".group = "tinc.retiolum";
|
||||
users.groups."tinc.retiolum" = { };
|
||||
}
|
||||
|
|
|
@ -35,7 +35,6 @@
|
|||
|
||||
#./hardware-configuration.nix
|
||||
#./finance.nix
|
||||
#./grafana.nix
|
||||
#./graylog.nix
|
||||
#./kibana.nix
|
||||
#./mysql.nix
|
||||
|
|
|
@ -1,38 +0,0 @@
|
|||
{ config, ... }: {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
statusPage = true;
|
||||
virtualHosts = {
|
||||
"grafana.${config.networking.hostName}.private" = {
|
||||
serverAliases = [ ];
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.networking.hostName}.private:${
|
||||
toString config.services.grafana.port
|
||||
}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
port = 5656;
|
||||
addr =
|
||||
config.module.cluster.services.tinc."private".hosts."${config.networking.hostName}".tincIp;
|
||||
auth.anonymous = {
|
||||
enable = true;
|
||||
org_role = "Editor";
|
||||
org_name = "AWESOME";
|
||||
};
|
||||
provision = {
|
||||
enable = true;
|
||||
datasources = [{
|
||||
type = "prometheus";
|
||||
isDefault = true;
|
||||
name = "Prometheus Workhorse";
|
||||
url = "http://workhorse.private:9090";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
|
@ -296,7 +296,7 @@ in
|
|||
virtualHosts = {
|
||||
"transmission.${config.networking.hostName}.private" = {
|
||||
extraConfig = ''
|
||||
allow ${config.module.cluster.services.tinc.private.networkSubnet};
|
||||
allow ${config.tinc.private.subnet};
|
||||
deny all;
|
||||
'';
|
||||
locations."/" = {
|
||||
|
|
|
@ -174,7 +174,7 @@ in
|
|||
virtualHosts = {
|
||||
"transmission2.${config.networking.hostName}.private" = {
|
||||
extraConfig = ''
|
||||
allow ${config.module.cluster.services.tinc.private.networkSubnet};
|
||||
allow ${config.tinc.private.subnet};
|
||||
deny all;
|
||||
'';
|
||||
locations."/" = {
|
||||
|
|
|
@ -1,33 +1,9 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
|
||||
module.cluster.services.tinc = {
|
||||
"private" = {
|
||||
enable = true;
|
||||
openPort = true;
|
||||
connectTo = [ "robi" ];
|
||||
};
|
||||
"retiolum" = {
|
||||
enable = true;
|
||||
openPort = true;
|
||||
};
|
||||
"secret" = {
|
||||
enable = true;
|
||||
openPort = true;
|
||||
connectTo = [ "robi" ];
|
||||
};
|
||||
};
|
||||
tinc.private.enable = true;
|
||||
tinc.private.ipv4 = "10.23.42.24";
|
||||
|
||||
sops.secrets.tinc_retiolum_ed25519_key = { };
|
||||
sops.secrets.tinc_retiolum_rsa_key = { };
|
||||
|
||||
users.users."tinc.retiolum".group = "tinc.retiolum";
|
||||
users.groups."tinc.retiolum" = { };
|
||||
|
||||
users.users."tinc.secret".group = "tinc.secret";
|
||||
users.groups."tinc.secret" = { };
|
||||
tinc.secret.enable = true;
|
||||
tinc.secret.ipv4 = "10.123.42.24";
|
||||
|
||||
}
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
#<cleverca22/qemu.nix>
|
||||
|
||||
./grub.nix
|
||||
./networking-qos.nix
|
||||
#./networking-qos.nix
|
||||
./nginx-landingpage.nix
|
||||
./nginx.nix
|
||||
./packages.nix
|
||||
|
|
|
@ -49,12 +49,4 @@
|
|||
# -----------------------------
|
||||
programs.vim.defaultEditor = true;
|
||||
|
||||
# extra hosts
|
||||
# /etc/hosts
|
||||
networking.extraHosts = ''
|
||||
${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission.robi.private
|
||||
${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission2.robi.private
|
||||
'';
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -39,9 +39,9 @@
|
|||
tincOutput = kbits (config.configuration.fireqos.output * 0.7);
|
||||
useBalancedForExperimenting = false;
|
||||
|
||||
tincPorts =
|
||||
lib.mapAttrsToList (name: configuration: toString configuration.port)
|
||||
config.module.cluster.services.tinc;
|
||||
#tincPorts =
|
||||
# lib.mapAttrsToList (name: configuration: toString configuration.port)
|
||||
# config.module.cluster.services.tinc;
|
||||
|
||||
in
|
||||
{
|
||||
|
@ -63,8 +63,8 @@
|
|||
class http commit 80%
|
||||
match tcp port 80,443
|
||||
|
||||
class tinc commit 80%
|
||||
match port ${lib.concatStringsSep "," tincPorts}
|
||||
#class tinc commit 80%
|
||||
# match port ${lib.concatStringsSep "," tincPorts}
|
||||
|
||||
class surfing commit 30%
|
||||
match tcp sports 0:1023 # include TCP traffic from port 0-1023
|
||||
|
|
|
@ -14,8 +14,8 @@
|
|||
href = "http://${host}:8384/";
|
||||
image = "https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif";
|
||||
})
|
||||
(map (name: { inherit name; }) (lib.attrNames
|
||||
config.module.cluster.services.tinc."private".hosts));
|
||||
(lib.flatten (lib.mapAttrsToList (name: { ... }: { inherit name; })
|
||||
config.services.tinc.networks."private".hostSettings));
|
||||
}
|
||||
{
|
||||
text = "netdata";
|
||||
|
|
|
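Review bot: `lib.flatten` in `(lib.flatten (lib.mapAttrsToList (name: { ... }: { inherit name; }) …))` is a no-op: `mapAttrsToList` already returns a flat list, and `flatten` does not descend into attrsets, so the wrapper only suggests a nesting that does not exist. The destructured `{ ... }` value is unused as well. `lib.mapAttrsToList (name: _: { inherit name; }) config.services.tinc.networks."private".hostSettings` is equivalent and shorter. The enclosing list expression starts before this hunk.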
@ -10,7 +10,6 @@
|
|||
./cachix.nix
|
||||
./direnv.nix
|
||||
./hoard.nix
|
||||
#./dnsmasq.nix
|
||||
./home-manager.nix
|
||||
./mail-stuff.nix
|
||||
#./mc.nix
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
services.dnsmasq = {
|
||||
enable = mkDefault true;
|
||||
extraConfig = ''
|
||||
${concatStringsSep "\n"
|
||||
(flip mapAttrsToList config.module.cluster.services.tinc."private".hosts
|
||||
(name: attrs: "address=/.${name}.private/${attrs.tincIp}"))}
|
||||
'';
|
||||
};
|
||||
}
|