feat: migrate nfmnk to ifog, add hosthatch

This commit is contained in:
steveej 2024-06-08 21:04:38 +02:00
parent 4a42e3fe3c
commit 2f60cd571a
16 changed files with 656 additions and 119 deletions


@ -208,7 +208,7 @@ in {
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
# lan.ipv4Addresses = ["192.168.0.0/16"];
wan.interfaces = ["wan" "lan0"];
vpn.interfaces = ["wg0" "wg1"];
vpn.interfaces = ["wg0" "wg1" "wg2"];
}
//
# generate a zone for each vlan
@ -367,11 +367,11 @@ in {
systemd.network = {
wait-online.anyInterface = true;
netdevs = let
router0-nmfk_wg0Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-nfmnk
.router0-ifog
.config
.systemd
.network
@ -381,11 +381,11 @@ in {
.ListenPort
}";
router0-nmfk_wg1Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-nfmnk
.router0-ifog
.config
.systemd
.network
@ -394,6 +394,20 @@ in {
.wireguardConfig
.ListenPort
}";
router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-hosthatch
.config
.systemd
.network
.netdevs
.wg0
.wireguardConfig
.ListenPort
}";
in
{
# Create the bridge interface
@ -442,7 +456,7 @@ in {
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-nmfk_wg0Endpoint;
Endpoint = router0-ifog_wg0Endpoint;
};
}
];
@ -468,7 +482,43 @@ in {
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-nmfk_wg1Endpoint;
Endpoint = router0-ifog_wg1Endpoint;
};
}
];
};
wg2 = {
enable = true;
netdevConfig = {
Name = "wg2";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
FirewallMark = 102;
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
# # alternatively, specific destinations could be allowed
# # remote peer wg addr
# "10.0.0.0/32"
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-hosthatch_wg0Endpoint;
};
}
];
@ -513,6 +563,21 @@ in {
# ip rule add fwmark 101 priority 0 table 101
# ip rule add fwmark 101 priority 1 prohibit
routingPolicyRules = [
{
routingPolicyRuleConfig = {
FirewallMark = 100;
Priority = 30000;
Table = 100;
};
}
{
routingPolicyRuleConfig = {
FirewallMark = 100;
Priority = 30001;
Table = 100;
Type = "prohibit";
};
}
{
routingPolicyRuleConfig = {
FirewallMark = 101;
@ -530,16 +595,16 @@ in {
}
{
routingPolicyRuleConfig = {
FirewallMark = 100;
FirewallMark = 102;
Priority = 30000;
Table = 100;
Table = 102;
};
}
{
routingPolicyRuleConfig = {
FirewallMark = 100;
FirewallMark = 102;
Priority = 30001;
Table = 100;
Table = 102;
Type = "prohibit";
};
}
@ -596,6 +661,12 @@ in {
Table = 100;
};
}
{
routeConfig = {
Gateway = "_dhcp4";
Table = 102;
};
}
];
};
@ -696,7 +767,8 @@ in {
routes = [
{
routeConfig = {
Destination = "185.143.101.42/32";
# test the set uprouting to a specific IP
Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32";
MultiPathRoute = "10.0.0.0 1";
};
}
@ -711,12 +783,24 @@ in {
routes = [
{
routeConfig = {
Destination = "185.143.101.42/32";
Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32";
MultiPathRoute = "10.0.0.2 1";
};
}
];
};
"50-wg2" = {
enable = true;
matchConfig.Name = "wg2";
address = [
"10.0.1.1/31"
];
routes = [
# TODO: add a testing route here
];
};
}
# configuration for the hostapd dynamic interfaces
# * netdev type vlan
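Review bot: The new `wg2` netdev reuses the wg0 key material — `PrivateKeyFile = ... wg0-privatekey.path`, `PresharedKeyFile = ... wg0-peer0-psk.path` — and its peer `PublicKey` is the same `/RPDd…XamM=` that wg0 and wg1 already use for the router0-ifog peer, so the hosthatch tunnel appears to share private key, PSK and peer identity with the ifog tunnel (the hosthatch configuration's own `# PublicKey /RPDd…` comment points the same way). If that is the case, a compromise of either VPS yields the key and PSK for the other's tunnel, and the router accepts the same peer identity on both interfaces. Generate a fresh keypair on router0-hosthatch and a fresh PSK, add `sops.secrets.wg2-privatekey` and `sops.secrets.wg2-peer0-psk` next to the existing wg0/wg1 secrets, and point wg2's `PrivateKeyFile`, `PresharedKeyFile` and `PublicKey` at them. The `netdevs` attribute set that contains wg2 starts and ends outside the hunk.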


@ -0,0 +1,340 @@
{
repoFlake,
pkgs,
lib,
config,
nodeFlake,
nodeName,
localDomainName,
system,
variables,
...
}: {
system.stateVersion = "24.05";
imports = [
nodeFlake.inputs.disko.nixosModules.disko
nodeFlake.inputs.srvos.nixosModules.mixins-terminfo
repoFlake.inputs.sops-nix.nixosModules.sops
../../snippets/nix-settings.nix
../../profiles/common/user.nix
nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default
{
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes";
users.commonUsers = {
enable = true;
enableNonRoot = false;
rootPasswordFile = config.sops.secrets.passwords-root.path;
};
# sops.age.keyFile = "/etc/age.key";
# sops.age.sshKeyPaths = [];
sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
sops.defaultSopsFormat = "yaml";
sops.secrets.passwords-root.neededForUsers = true;
}
# TODO: extract this into single-disk VM BIOS module
{
boot.loader.systemd-boot.enable = false;
boot.loader.grub.efiSupport = false;
# forcing seems required or else there's an error about duplicated devices
boot.loader.grub.devices = lib.mkForce ["/dev/vda"];
disko.devices.disk.vda = {
device = "/dev/vda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = ["-f"]; # Override existing partition
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
"/nix" = {
mountOptions = ["noatime"];
mountpoint = "/nix";
};
"/boot" = {
mountpoint = "/boot";
};
};
};
};
};
};
};
boot.initrd.kernelModules = [
"virtio_balloon"
"virtio_scsi"
"virtio_net"
"virtio_pci"
"virtio_ring"
"virtio"
"scsi_mod"
"virtio_blk"
"virtio_ring"
"ata_piix"
"pata_acpi"
"ata_generic"
];
}
];
# sops.secrets.ssh_host_ed25519_key = {
# sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# format = "yaml";
# path = "/etc/ssh/ssh_host_ed25519_key";
# mode = "0600";
# };
# sops.secrets.ssh_host_ed25519_key_pub = {
# sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# format = "yaml";
# path = "/etc/ssh/ssh_host_ed25519_key.pub";
# mode = "0600";
# };
# sops.secrets.ssh_host_rsa_key = {
# sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# format = "yaml";
# path = "/etc/ssh/ssh_host_rsa_key";
# mode = "0600";
# };
# sops.secrets.ssh_host_rsa_key_pub = {
# sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# format = "yaml";
# path = "/etc/ssh/ssh_host_rsa_key.pub";
# mode = "0644";
# };
boot = {
kernel = {
sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
};
};
networking = {
hostName = nodeName;
useNetworkd = true;
useDHCP = true;
usePredictableInterfaceNames = false;
interfaces.eth0.ipv4.addresses = [
{
address = variables.ipv4;
prefixLength = variables.ipv4length;
}
];
defaultGateway = {
interface = "eth0";
address = variables.ipv4gateway;
};
nameservers = [
variables.ipv4dns
];
# these will be configured via nftables
nat.enable = lib.mkForce false;
firewall.enable = lib.mkForce false;
# Use the nftables firewall instead of the base nixos scripted rules.
# This flake provides a similar utility to the base nixos scripting.
# https://github.com/thelegy/nixos-nftables-firewall/tree/main
nftables = {
enable = true;
firewall = {
enable = true;
snippets.nnf-common.enable = true;
zones.wan = {
interfaces = ["eth0"];
};
zones.vpn = {
interfaces = ["wg0" "wg1"];
};
rules = {
to-fw = {
from = "all";
to = ["fw"];
verdict = "drop";
allowedTCPPorts = [
22
5201
];
allowedUDPPorts = [
22
5201
config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
];
};
vpn-to-wan-nat = {
from = ["vpn"];
to = ["wan"];
masquerade = true;
verdict = "accept";
};
};
};
};
};
sops.secrets.wg0-privatekey = {
mode = "440";
group = "systemd-network";
};
sops.secrets.wg0-peer0-psk = {
mode = "440";
group = "systemd-network";
};
sops.secrets.wg1-privatekey = {
mode = "440";
group = "systemd-network";
};
sops.secrets.wg1-peer0-psk = {
mode = "440";
group = "systemd-network";
};
systemd.network.enable = true;
systemd.network.netdevs.wg0 = {
enable = true;
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 51820;
# PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
"10.0.1.1/32"
"192.168.0.0/16"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
};
}
];
};
systemd.network.netdevs.wg1 = {
enable = true;
netdevConfig = {
Name = "wg1";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 51821;
# PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
"10.0.1.3/31"
"192.168.0.0/16"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
};
}
];
};
systemd.network.networks.wg0 = {
enable = true;
matchConfig.Name = "wg0";
address = [
"10.0.1.0/31"
];
routes = [
{
routeConfig = {
Destination = "192.168.0.0/16";
MultiPathRoute = "10.0.1.1 1";
};
}
];
};
systemd.network.networks.wg1 = {
enable = true;
matchConfig.Name = "wg1";
address = [
"10.0.1.2/31"
];
routes = [
{
routeConfig = {
Destination = "192.168.0.0/16";
MultiPathRoute = "10.0.1.3 1";
};
}
];
};
environment.systemPackages = [
pkgs.ethtool
pkgs.neovim
pkgs.tmux
pkgs.wireguard-tools
pkgs.tshark
(pkgs.writeShellScriptBin "dbg-ip" ''
echo links:
ip -br -c l
echo
echo addresses:
ip -br -c a
echo
echo vlans:
bridge -c vlan
'')
(pkgs.writeShellScriptBin "dbg-dnsmasq" ''
# get the rendered in-use config
pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat
'')
];
}
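Review bot: `services.openssh.settings.PermitRootLogin = "yes"` on a host whose `to-fw` rule opens TCP 22 from `all` (which includes the `wan` zone on eth0) lets root authenticate with the sops-provided password from the whole internet, and as far as I recall NixOS leaves SSH password authentication enabled unless it is disabled explicitly. Colmena only needs key-based root access, so prefer `services.openssh.settings.PermitRootLogin = "prohibit-password";` together with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, provided the common user profile imported here (not visible in this commit) installs root's authorized keys. The iperf port 5201 (TCP and UDP) is likewise open from `all`; if it only serves throughput tests, restrict it to the `vpn` zone or drop it once testing is done.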


@ -8,7 +8,7 @@
variables = import ./variables.crypt.nix;
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system;
inherit repoFlake nodeName nodeFlake system variables;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
};


@ -28,11 +28,11 @@
]
},
"locked": {
"lastModified": 1717177033,
"narHash": "sha256-G3CZJafCO8WDy3dyA2EhpUJEmzd5gMJ2IdItAg0Hijw=",
"lastModified": 1717915259,
"narHash": "sha256-VsGPboaleIlPELHY5cNTrXK4jHVmgUra8uC6h7KVC5c=",
"owner": "nix-community",
"repo": "disko",
"rev": "0274af4c92531ebfba4a5bd493251a143bc51f3c",
"rev": "1bbdb06f14e2621290b250e631cf3d8948e4d19b",
"type": "github"
},
"original": {
@ -48,11 +48,11 @@
]
},
"locked": {
"lastModified": 1716736833,
"narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
"lastModified": 1717527182,
"narHash": "sha256-vWSkg6AMok1UUQiSYVdGMOXKD2cDFnajITiSi0Zjd1A=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
"rev": "845a5c4c073f74105022533907703441e0464bc3",
"type": "github"
},
"original": {
@ -85,11 +85,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"lastModified": 1717696253,
"narHash": "sha256-1+ua0ggXlYYPLTmMl3YeYYsBXDSCqT+Gw3u6l4gvMhA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"rev": "9b5328b7f761a7bbdc0e332ac4cf076a3eedb89b",
"type": "github"
},
"original": {
@ -101,11 +101,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1716948383,
"narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
"lastModified": 1717786204,
"narHash": "sha256-4q0s6m0GUcN7q+Y2DqD27iLvbcd1G50T2lv08kKxkSI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
"rev": "051f920625ab5aabe37c920346e3e69d7d34400e",
"type": "github"
},
"original": {
@ -132,11 +132,11 @@
]
},
"locked": {
"lastModified": 1717058062,
"narHash": "sha256-R8Gb2MlJzfBE76DVWFmfZWODMdAanqxFnK+OOmkoQ7E=",
"lastModified": 1717807544,
"narHash": "sha256-djHfn29HdlfWdmyeu3rqlVS8k5q/xRh2P0mX2RAafb0=",
"owner": "numtide",
"repo": "srvos",
"rev": "414d1039a58b667e4512ad9f7068aa935ebf8d59",
"rev": "64ae31cb29923128f27a503a550ee4fb1631c4c6",
"type": "github"
},
"original": {



@ -7,6 +7,7 @@
nodeName,
localDomainName,
system,
variables,
...
}: {
system.stateVersion = "23.11";
@ -32,8 +33,8 @@
rootPasswordFile = config.sops.secrets.passwords-root.path;
};
sops.age.keyFile = "/etc/age.key";
sops.age.sshKeyPaths = [];
# sops.age.keyFile = "/etc/age.key";
# sops.age.sshKeyPaths = [];
sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
sops.defaultSopsFormat = "yaml";
@ -47,10 +48,10 @@
boot.loader.grub.efiSupport = false;
# forcing seems required or else there's an error about duplicated devices
boot.loader.grub.devices = lib.mkForce ["/dev/sda"];
boot.loader.grub.devices = lib.mkForce ["/dev/vda"];
disko.devices.disk.sda = {
device = "/dev/sda";
disko.devices.disk.vda = {
device = "/dev/vda";
type = "disk";
content = {
type = "gpt";
@ -145,6 +146,20 @@
useDHCP = true;
usePredictableInterfaceNames = false;
interfaces.eth0.ipv4.addresses = [
{
address = variables.ipv4;
prefixLength = variables.ipv4length;
}
];
defaultGateway = {
interface = "eth0";
address = variables.ipv4gateway;
};
nameservers = [
variables.ipv4dns
];
# these will be configured via nftables
nat.enable = lib.mkForce false;
firewall.enable = lib.mkForce false;
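Review bot: Commenting out `sops.age.keyFile` and `sops.age.sshKeyPaths` switches decryption to sops-nix's default, which (if I recall its behaviour correctly) derives the age identity from the host's SSH ed25519 key, so `secrets/${nodeName}/secrets.yaml` must be re-encrypted for the recipient derived from the new host's key or activation will fail to decrypt the wireguard keys and root password. A short comment would record that intent, e.g. `# decryption uses the host's ssh ed25519 key (sops-nix default); re-key secrets.yaml whenever the host key changes`, and the old `/etc/age.key` should be removed from any host that still carries it. Note also that renaming the disko device from `sda` to `vda` is destructive if disko is ever re-run on an already-installed machine; the enclosing module continues outside the hunk.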


@ -0,0 +1,34 @@
{
system ? "x86_64-linux",
nodeName,
repoFlake,
nodeFlake,
...
}: let
variables = import ./variables.crypt.nix;
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system variables;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = variables.ipv4;
deployment.replaceUnknownProfiles = true;
imports = [
nodeFlake.inputs.home-manager.nixosModules.home-manager
./configuration.nix
];
networking.hostName = nodeName;
};
}
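Review bot: `deployment.replaceUnknownProfiles = true;` disables colmena's check that the target's current system profile is one it already manages, so together with `deployment.targetHost = variables.ipv4;` a wrong address in `variables.crypt.nix` would push this configuration onto whatever host answers there. That is convenient for the first deployment of a fresh VPS, but consider removing the line once router0-hosthatch has been deployed, and a comment such as `# first-deploy convenience; drop once the host carries a colmena-managed profile` would make the intent explicit. If I read colmena's documentation correctly, the option exists for precisely that bootstrap case.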
