palo
/
nixos-config
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

migrate to upstream tinc

Ingolf Wagner 2023-01-26 21:29:47 +01:00
parent 987f7704a5
commit aa98cc770d
Signed by: palo
GPG Key ID: 76BF5F1928B9618B
20 changed files with 218 additions and 350 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
flake.lock
View File

@ -19,21 +19,6 @@
"type": "github"
}
},
"cluster-module": {
"locked": {
"lastModified": 1635790675,
"narHash": "sha256-hWwS/sX46dEIw+swRfB8KZq0T/gDpryswTkZy5n0BAc=",
"owner": "mrvandalo",
"repo": "module.cluster",
"rev": "299f5e9f4d9faa2abce40ae853601e11eecd7383",
"type": "github"
},
"original": {
"owner": "mrvandalo",
"repo": "module.cluster",
"type": "github"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
@ -895,7 +880,6 @@
},
"root": {
"inputs": {
"cluster-module": "cluster-module",
"colmena": "colmena",
"doom-emacs-nix": "doom-emacs-nix",
"emacs-overlay": "emacs-overlay_2",

6
flake.nix
View File

@ -42,10 +42,6 @@
url = "github:mrvandalo/home-manager-utils";
inputs.home-manager.follows = "home-manager";
};
cluster-module = {
url = "github:mrvandalo/module.cluster";
#url = "git+file:///home/palo/dev/nixos/module.cluster";
};
nixpkgs-fmt = {
url = "github:nix-community/nixpkgs-fmt";
inputs.nixpkgs.follows = "nixpkgs";
@ -75,7 +71,6 @@
outputs =
{ self
, cluster-module
, colmena
, doom-emacs-nix
, emacs-overlay
@ -170,7 +165,6 @@
];
imports = [
./nixos/machines/${name}/configuration.nix
cluster-module.nixosModules.tinc
(sopsModule name)
home-manager.nixosModules.home-manager
permown.nixosModules.permown

39
nixos/components/network/sshd/known-hosts-private.nix
View File

@ -1,4 +1,3 @@
# generated by updateSshKeys.sh
{ config, lib, ... }: {
services.openssh.knownHosts = {
@ -22,43 +21,5 @@
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
};
"sternchen.secret" = {
hostNames = [
"sternchen.secret"
config.module.cluster.services.tinc.secret.hosts.sternchen.tincIp
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
};
"sterni.private" = {
hostNames = [
"sterni.private"
"sterni.secret"
config.module.cluster.services.tinc.private.hosts.sterni.tincIp
config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
};
"pepe.private" = {
hostNames = [
"pepe.private"
"pepe.lan"
config.module.cluster.services.tinc.private.hosts.pepe.tincIp
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
};
"bobi.private" = {
hostNames = [
"bobi.private"
config.module.cluster.services.tinc.private.hosts.bobi.tincIp
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
};
"mobi.private" = {
hostNames = [
"mobi.private"
config.module.cluster.services.tinc.private.hosts.mobi.tincIp
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
};
};
}

41
nixos/components/network/tinc/default.nix
View File

@ -1,14 +1,37 @@
{ lib, config, ... }:
with lib;
{
imports = [
./private.nix
./retiolum.nix
./secret.nix
options.tinc = {
private = {
enable = mkEnableOption "private tinc setup";
ipv4 = mkOption { type = types.str; };
subnet = mkOption {
type = types.str;
default = "10.23.42.0/24";
};
};
secret = {
enable = mkEnableOption "secret tinc setup";
ipv4 = mkOption {
type = types.str;
};
};
};
config = mkMerge [
(mkIf config.tinc.private.enable (import ./private.nix {
ipv4 = config.tinc.private.ipv4;
ipv6 = null;
inherit (lib) optionalString concatStringsSep mapAttrsToList;
inherit config;
}))
(mkIf config.tinc.secret.enable (import ./secret.nix {
ipv4 = config.tinc.secret.ipv4;
ipv6 = null;
inherit (lib) optionalString concatStringsSep mapAttrsToList;
inherit config;
}))
];
# keys for secret and private tinc network
sops.secrets.tinc_ed25519_key = { };
sops.secrets.tinc_rsa_key = { };
}

132
nixos/components/network/tinc/private.nix
View File

@ -1,46 +1,100 @@
{ config, lib, pkgs, ... }:
{
networking.firewall.trustedInterfaces = [ "tinc.private" ];
users.groups."tinc.private" = { };
users.users."tinc.private" = {
group = "tinc.private";
isSystemUser = lib.mkDefault true;
{ ipv4
, ipv6
, config
, optionalString
, concatStringsSep
, mapAttrsToList
, ...
}:
let
hosts = {
mobi = "10.23.42.23";
sterni = "10.23.42.24";
bobi = "10.23.42.25";
pepe = "10.23.42.26";
robi = "10.23.42.111";
};
subDomains = {
"transmission.robi" = hosts.robi;
"transmission2.robi" = hosts.robi;
};
network = "private";
in
{
networking.firewall.trustedInterfaces = [ "tinc.${network}" ];
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
module.cluster.services.tinc."private" = {
networkSubnet = "10.23.42.0/24";
extraConfig = ''
LocalDiscovery = yes
'';
privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
hosts = {
pepe = {
tincIp = "10.23.42.26";
publicKey = lib.fileContents ../../../assets/tinc/pepe_host_file;
};
sterni = {
tincIp = "10.23.42.24";
publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
};
mobi = {
tincIp = "10.23.42.23";
publicKey = lib.fileContents ../../../assets/tinc/mobi_host_file;
};
bobi = {
tincIp = "10.23.42.25";
publicKey = lib.fileContents ../../../assets/tinc/bobi_host_file;
};
robi = {
realAddress = [ "144.76.13.147" ];
tincIp = "10.23.42.111";
publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
sops.secrets.tinc_ed25519_key = { };
services.tinc.networks = {
${network} = {
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
interfaceType = "tap";
extraConfig = ''
LocalDiscovery = yes
'';
hostSettings = {
mobi = {
subnets = [{ address = hosts.mobi; }];
settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
};
sterni = {
subnets = [{ address = hosts.sterni; }];
settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
};
bobi = {
subnets = [{ address = hosts.bobi; }];
settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
};
pepe = {
subnets = [{ address = hosts.pepe; }];
settings.Ed25519PublicKey = "LnE+w6ZfNCky4Kad3TBxpFKRJ2PJshkSpW6mC3pcsPI";
};
robi = {
addresses = [{ address = "144.76.13.147"; }];
subnets = [{ address = hosts.robi; }];
settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
};
};
};
};
systemd.network.enable = true;
systemd.network.networks.${network}.extraConfig = ''
[Match]
Name = tinc.${network}
[Link]
# tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
MTUBytes=1377
[Network]
${optionalString (ipv4 != null) "Address=${ipv4}/24"}
${optionalString (ipv6 != null) "Address=${ipv6}/28"}
RequiredForOnline = no
LinkLocalAddressing = no
'';
networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") (hosts // subDomains));
services.openssh.knownHosts = {
"robi" = {
hostNames = [ "robi.${network}" hosts.robi ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
};
"sterni.${network}" = {
hostNames = [ "sterni.${network}" hosts.sterni ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
};
"pepe.${network}" = {
hostNames = [ "pepe.${network}" hosts.pepe ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
};
"bobi.${network}" = {
hostNames = [ "bobi.${network}" hosts.bobi ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
};
"mobi.${network}" = {
hostNames = [ "mobi.${network}" hosts.mobi ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
};
};
}

96
nixos/components/network/tinc/secret.nix
View File

@ -1,33 +1,77 @@
{ config, pkgs, lib, ... }:
{ ipv4
, ipv6
, config
, optionalString
, concatStringsSep
, mapAttrsToList
, ...
}:
let
port = 721;
hosts = {
sternchen = "10.123.42.25";
sterni = "10.123.42.24";
robi = "10.123.42.123";
};
network = "secret";
in
{
sops.secrets.tinc_ed25519_key = { };
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
module.cluster.services.tinc."secret" = {
networkSubnet = "10.123.42.0/24";
port = 721;
extraConfig = ''
LocalDiscovery = yes
AutoConnect = yes
'';
privateEd25519KeyFile = toString config.sops.secrets.tinc_ed25519_key.path;
privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
hosts = {
sternchen = {
tincIp = "10.123.42.25";
publicKey = lib.fileContents ../../../assets/tinc/sternchen_host_file;
};
sterni = {
tincIp = "10.123.42.24";
publicKey = lib.fileContents ../../../assets/tinc/workout_host_file;
};
robi = {
realAddress = [ "144.76.13.147" ];
tincIp = "10.123.42.123";
publicKey = lib.fileContents ../../../assets/tinc/robi_host_file;
services.tinc.networks = {
${network} = {
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
extraConfig = ''
LocalDiscovery = yes
Port = ${toString port}
'';
hostSettings = {
sternchen = {
subnets = [{ address = hosts.sterni; }];
settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
};
sterni = {
subnets = [{ address = hosts.sterni; }];
settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
};
robi = {
addresses = [{ address = "144.76.13.147"; port = port; }];
subnets = [{ address = hosts.robi; }];
settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
};
};
};
};
}
systemd.network.enable = true;
systemd.network.networks.${network}.extraConfig = ''
[Match]
Name = tinc.${network}
[Link]
# tested with `ping -6 turingmachine.r -s 1378`, not sure how low it must be
MTUBytes=1377
[Network]
${optionalString (ipv4 != null) "Address=${ipv4}/24"}
${optionalString (ipv6 != null) "Address=${ipv6}/28"}
RequiredForOnline = no
LinkLocalAddressing = no
'';
networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") hosts);
services.openssh.knownHosts = {
"sternchen.${network}" = {
hostNames = [ "sterni.${network}" hosts.sterni ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
};
"sterni.${network}" = {
hostNames = [ "sterni.${network}" hosts.sterni ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
};
"robi" = {
hostNames = [ "robi.${network}" hosts.robi ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
};
};
}

14
nixos/machines/pepe/configuration.nix
View File

@ -53,13 +53,13 @@
networking.dhcpcd.allowInterfaces = [ "enp0s25" ];
# nix-shell -p speedtest_cli --run speedtest
configuration.fireqos = {
enable = false;
interface = "enp0s25";
input = 200000;
output = 2000;
balance = false;
};
#configuration.fireqos = {
# enable = false;
# interface = "enp0s25";
# input = 200000;
# output = 2000;
# balance = false;
#};
services.printing.enable = false;
services.smartd.enable = true;

89
nixos/machines/pepe/neo4j.nix
View File

@ -1,89 +0,0 @@
{ config, lib, pkgs, ... }:
{
# neo4j container managment
# -------------------------
virtualisation.oci-containers.containers =
let
neo4j_config = {
image = "neo4j";
environment = {
NEO4J_AUTH = "none"; # for development purpose
NEO4J_apoc_export_file_enabled = "true";
NEO4J_apoc_import_file_enabled = "true";
NEO4J_apoc_import_file_use__neo4j__config = "true";
NEO4JLABS_PLUGINS = ''["apoc","n10s"]'';
};
ports = [
"127.0.0.1:7474:7474" # http port
"127.0.0.1:17687:7687" # bolt port
];
volumes = [
"/var/lib/neo4j/data:/data"
"/var/lib/neo4j/logs:/logs"
"/var/lib/neo4j/conf:/conf"
"/var/lib/neo4j/import:/import" # for database imports
"/var/lib/neo4j/plugins:/plugins"
];
};
in
{
neo4j = neo4j_config;
#neo4jbackup = neo4j_config // {
# autoStart = false;
# volumes = [
# "/var/lib/neo4j/data:/data"
# "/var/lib/neo4j/backups:/backups"
# ];
# cmd = ["neo4j-admin" "dump" "--verbose" "--to=/backups/neo4j.dump"];
#};
};
#systemd.services."docker-neo4jbackup" = {
# preStart = "systemctrl stop docker-neo4j";
# postStop = "systemctrl start docker-neo4j";
#};
# backups
# -------
backup.dirs = [ "/var/lib/neo4j/backups" ];
# todo run frequently :
# docker exec --interactive --tty neo4j neo4j-admin dump --verbose --to /dump/neo4j.dump
# https://neo4j.com/docs/operations-manual/current/docker/maintenance/
# nginx publishing
# ----------------
services.nginx.streamConfig = ''
# configure neo4j bolt port
server {
allow 192.168.0.0/16; # allow private ip range class c
allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
deny all;
listen 7687;
proxy_pass localhost:17687;
}
'';
services.nginx.virtualHosts."neo4j.${config.networking.hostName}.private" = {
serverAliases = [ config.networking.hostName ];
locations."/" = {
extraConfig = ''
allow 192.168.0.0/16; # allow private ip range class c
allow ${config.module.cluster.services.tinc."private".networkSubnet}; # allow private tinc network
deny all;
'';
proxyPass = "http://localhost:7474";
};
};
networking.firewall.allowedTCPPorts = [ 80 7687 ];
#networking.firewall.allowedUDPPorts = [ 80 ];
}

21
nixos/machines/pepe/tinc.nix
View File

@ -1,23 +1,6 @@
{ config, lib, pkgs, ... }:
with lib;
{
module.cluster.services.tinc = {
"private" = {
enable = true;
openPort = true;
connectTo = [ "robi" ];
};
"retiolum" = {
enable = true;
openPort = true;
};
};
sops.secrets.tinc_retiolum_ed25519_key = { };
sops.secrets.tinc_retiolum_rsa_key = { };
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.26";
users.users."tinc.retiolum".group = "tinc.retiolum";
users.groups."tinc.retiolum" = { };
}

1
nixos/machines/robi/configuration.nix
View File

@ -35,7 +35,6 @@
#./hardware-configuration.nix
#./finance.nix
#./grafana.nix
#./graylog.nix
#./kibana.nix
#./mysql.nix

38
nixos/machines/robi/grafana.nix
View File

@ -1,38 +0,0 @@
{ config, ... }: {
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"grafana.${config.networking.hostName}.private" = {
serverAliases = [ ];
locations."/" = {
proxyPass = "http://${config.networking.hostName}.private:${
toString config.services.grafana.port
}";
};
};
};
};
services.grafana = {
enable = true;
port = 5656;
addr =
config.module.cluster.services.tinc."private".hosts."${config.networking.hostName}".tincIp;
auth.anonymous = {
enable = true;
org_role = "Editor";
org_name = "AWESOME";
};
provision = {
enable = true;
datasources = [{
type = "prometheus";
isDefault = true;
name = "Prometheus Workhorse";
url = "http://workhorse.private:9090";
}];
};
};
}

2
nixos/machines/robi/transmission.nix
View File

@ -296,7 +296,7 @@ in
virtualHosts = {
"transmission.${config.networking.hostName}.private" = {
extraConfig = ''
allow ${config.module.cluster.services.tinc.private.networkSubnet};
allow ${config.tinc.private.subnet};
deny all;
'';
locations."/" = {

2
nixos/machines/robi/transmission2.nix
View File

@ -174,7 +174,7 @@ in
virtualHosts = {
"transmission2.${config.networking.hostName}.private" = {
extraConfig = ''
allow ${config.module.cluster.services.tinc.private.networkSubnet};
allow ${config.tinc.private.subnet};
deny all;
'';
locations."/" = {

32
nixos/machines/sterni/tinc.nix
View File

@ -1,33 +1,9 @@
{ config, lib, pkgs, ... }:
with lib;
{
module.cluster.services.tinc = {
"private" = {
enable = true;
openPort = true;
connectTo = [ "robi" ];
};
"retiolum" = {
enable = true;
openPort = true;
};
"secret" = {
enable = true;
openPort = true;
connectTo = [ "robi" ];
};
};
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.24";
sops.secrets.tinc_retiolum_ed25519_key = { };
sops.secrets.tinc_retiolum_rsa_key = { };
users.users."tinc.retiolum".group = "tinc.retiolum";
users.groups."tinc.retiolum" = { };
users.users."tinc.secret".group = "tinc.secret";
users.groups."tinc.secret" = { };
tinc.secret.enable = true;
tinc.secret.ipv4 = "10.123.42.24";
}

2
nixos/system/all/default.nix
View File

@ -14,7 +14,7 @@
#<cleverca22/qemu.nix>
./grub.nix
./networking-qos.nix
#./networking-qos.nix
./nginx-landingpage.nix
./nginx.nix
./packages.nix

8
nixos/system/all/defaults.nix
View File

@ -49,12 +49,4 @@
# -----------------------------
programs.vim.defaultEditor = true;
# extra hosts
# /etc/hosts
networking.extraHosts = ''
${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission.robi.private
${config.module.cluster.services.tinc.private.hosts.robi.tincIp} transmission2.robi.private
'';
}

10
nixos/system/all/networking-qos.nix
View File

@ -39,9 +39,9 @@
tincOutput = kbits (config.configuration.fireqos.output * 0.7);
useBalancedForExperimenting = false;
tincPorts =
lib.mapAttrsToList (name: configuration: toString configuration.port)
config.module.cluster.services.tinc;
#tincPorts =
# lib.mapAttrsToList (name: configuration: toString configuration.port)
# config.module.cluster.services.tinc;
in
{
@ -63,8 +63,8 @@
class http commit 80%
match tcp port 80,443
class tinc commit 80%
match port ${lib.concatStringsSep "," tincPorts}
#class tinc commit 80%
# match port ${lib.concatStringsSep "," tincPorts}
class surfing commit 30%
match tcp sports 0:1023 # include TCP traffic from port 0-1023

4
nixos/system/all/nginx-landingpage.nix
View File

@ -14,8 +14,8 @@
href = "http://${host}:8384/";
image = "https://media.giphy.com/media/JoyU4vuzwj6ZA7Ging/giphy.gif";
})
(map (name: { inherit name; }) (lib.attrNames
config.module.cluster.services.tinc."private".hosts));
(lib.flatten (lib.mapAttrsToList (name: { ... }: { inherit name; })
config.services.tinc.networks."private".hostSettings));
}
{
text = "netdata";

1
nixos/system/desktop/default.nix
View File

@ -10,7 +10,6 @@
./cachix.nix
./direnv.nix
./hoard.nix
#./dnsmasq.nix
./home-manager.nix
./mail-stuff.nix
#./mc.nix

14
nixos/system/desktop/dnsmasq.nix
View File

@ -1,14 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
services.dnsmasq = {
enable = mkDefault true;
extraConfig = ''
${concatStringsSep "\n"
(flip mapAttrsToList config.module.cluster.services.tinc."private".hosts
(name: attrs: "address=/.${name}.private/${attrs.tincIp}"))}
'';
};
}