feat: migrate nfmnk to ifog, add hosthatch

2024-06-08 21:04:38 +02:00 · 2024-06-08 21:04:38 +02:00 · 2f60cd571a
commit 2f60cd571a
parent 4a42e3fe3c
16 changed files with 656 additions and 119 deletions
--- a/nix/os/devices/router0-ifog/configuration.nix
+++ b/nix/os/devices/router0-ifog/configuration.nix
@ -0,0 +1,340 @@
+{
+  repoFlake,
+  pkgs,
+  lib,
+  config,
+  nodeFlake,
+  nodeName,
+  localDomainName,
+  system,
+  variables,
+  ...
+}: {
+  system.stateVersion = "23.11";
+
+  imports = [
+    nodeFlake.inputs.disko.nixosModules.disko
+    nodeFlake.inputs.srvos.nixosModules.mixins-terminfo
+
+    repoFlake.inputs.sops-nix.nixosModules.sops
+
+    ../../snippets/nix-settings.nix
+    ../../profiles/common/user.nix
+
+    nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default
+
+    {
+      services.openssh.enable = true;
+      services.openssh.settings.PermitRootLogin = "yes";
+
+      users.commonUsers = {
+        enable = true;
+        enableNonRoot = false;
+        rootPasswordFile = config.sops.secrets.passwords-root.path;
+      };
+
+      # sops.age.keyFile = "/etc/age.key";
+      # sops.age.sshKeyPaths = [];
+
+      sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+      sops.defaultSopsFormat = "yaml";
+
+      sops.secrets.passwords-root.neededForUsers = true;
+    }
+
+    # TODO: extract this into single-disk VM BIOS module
+    {
+      boot.loader.systemd-boot.enable = false;
+      boot.loader.grub.efiSupport = false;
+
+      # forcing seems required or else there's an error about duplicated devices
+      boot.loader.grub.devices = lib.mkForce ["/dev/vda"];
+
+      disko.devices.disk.vda = {
+        device = "/dev/vda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02"; # for grub MBR
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"]; # Override existing partition
+                subvolumes = {
+                  # Subvolume name is different from mountpoint
+                  "/rootfs" = {
+                    mountpoint = "/";
+                  };
+                  "/nix" = {
+                    mountOptions = ["noatime"];
+                    mountpoint = "/nix";
+                  };
+                  "/boot" = {
+                    mountpoint = "/boot";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+
+      boot.initrd.kernelModules = [
+        "virtio_balloon"
+        "virtio_scsi"
+        "virtio_net"
+        "virtio_pci"
+        "virtio_ring"
+        "virtio"
+        "scsi_mod"
+
+        "virtio_blk"
+        "virtio_ring"
+        "ata_piix"
+        "pata_acpi"
+        "ata_generic"
+      ];
+    }
+  ];
+
+  # sops.secrets.ssh_host_ed25519_key = {
+  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+  #   format = "yaml";
+
+  #   path = "/etc/ssh/ssh_host_ed25519_key";
+  #   mode = "0600";
+  # };
+  # sops.secrets.ssh_host_ed25519_key_pub = {
+  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+  #   format = "yaml";
+
+  #   path = "/etc/ssh/ssh_host_ed25519_key.pub";
+  #   mode = "0600";
+  # };
+  # sops.secrets.ssh_host_rsa_key = {
+  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+  #   format = "yaml";
+
+  #   path = "/etc/ssh/ssh_host_rsa_key";
+  #   mode = "0600";
+  # };
+  # sops.secrets.ssh_host_rsa_key_pub = {
+  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+  #   format = "yaml";
+
+  #   path = "/etc/ssh/ssh_host_rsa_key.pub";
+  #   mode = "0644";
+  # };
+
+  boot = {
+    kernel = {
+      sysctl = {
+        "net.ipv4.conf.all.forwarding" = true;
+        "net.ipv6.conf.all.forwarding" = true;
+      };
+    };
+  };
+
+  networking = {
+    hostName = nodeName;
+    useNetworkd = true;
+    useDHCP = true;
+    usePredictableInterfaceNames = false;
+
+    interfaces.eth0.ipv4.addresses = [
+      {
+        address = variables.ipv4;
+        prefixLength = variables.ipv4length;
+      }
+    ];
+    defaultGateway = {
+      interface = "eth0";
+      address = variables.ipv4gateway;
+    };
+    nameservers = [
+      variables.ipv4dns
+    ];
+
+    # these will be configured via nftables
+    nat.enable = lib.mkForce false;
+    firewall.enable = lib.mkForce false;
+
+    # Use the nftables firewall instead of the base nixos scripted rules.
+    # This flake provides a similar utility to the base nixos scripting.
+    # https://github.com/thelegy/nixos-nftables-firewall/tree/main
+
+    nftables = {
+      enable = true;
+
+      firewall = {
+        enable = true;
+        snippets.nnf-common.enable = true;
+
+        zones.wan = {
+          interfaces = ["eth0"];
+        };
+
+        zones.vpn = {
+          interfaces = ["wg0" "wg1"];
+        };
+
+        rules = {
+          to-fw = {
+            from = "all";
+            to = ["fw"];
+            verdict = "drop";
+
+            allowedTCPPorts = [
+              22
+              5201
+            ];
+            allowedUDPPorts = [
+              22
+              5201
+              config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
+              config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
+            ];
+          };
+
+          vpn-to-wan-nat = {
+            from = ["vpn"];
+            to = ["wan"];
+            masquerade = true;
+            verdict = "accept";
+          };
+        };
+      };
+    };
+  };
+
+  sops.secrets.wg0-privatekey = {
+    mode = "440";
+    group = "systemd-network";
+  };
+  sops.secrets.wg0-peer0-psk = {
+    mode = "440";
+    group = "systemd-network";
+  };
+  sops.secrets.wg1-privatekey = {
+    mode = "440";
+    group = "systemd-network";
+  };
+  sops.secrets.wg1-peer0-psk = {
+    mode = "440";
+    group = "systemd-network";
+  };
+
+  systemd.network.enable = true;
+  systemd.network.netdevs.wg0 = {
+    enable = true;
+    netdevConfig = {
+      Name = "wg0";
+      Kind = "wireguard";
+    };
+    wireguardConfig = {
+      ListenPort = 51820;
+      # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+      PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
+    };
+    wireguardPeers = [
+      {
+        wireguardPeerConfig = {
+          AllowedIPs = [
+            "10.0.0.1/32"
+            "192.168.0.0/16"
+          ];
+          PersistentKeepalive = 15;
+          PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
+          PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
+        };
+      }
+    ];
+  };
+  systemd.network.netdevs.wg1 = {
+    enable = true;
+    netdevConfig = {
+      Name = "wg1";
+      Kind = "wireguard";
+    };
+    wireguardConfig = {
+      ListenPort = 51821;
+      # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+      PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
+    };
+    wireguardPeers = [
+      {
+        wireguardPeerConfig = {
+          AllowedIPs = [
+            "10.0.0.3/31"
+            "192.168.0.0/16"
+          ];
+          PersistentKeepalive = 15;
+          PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
+          PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
+        };
+      }
+    ];
+  };
+  systemd.network.networks.wg0 = {
+    enable = true;
+    matchConfig.Name = "wg0";
+    address = [
+      "10.0.0.0/31"
+    ];
+
+    routes = [
+      {
+        routeConfig = {
+          Destination = "192.168.0.0/16";
+          MultiPathRoute = "10.0.0.1 1";
+        };
+      }
+    ];
+  };
+  systemd.network.networks.wg1 = {
+    enable = true;
+    matchConfig.Name = "wg1";
+    address = [
+      "10.0.0.2/31"
+    ];
+
+    routes = [
+      {
+        routeConfig = {
+          Destination = "192.168.0.0/16";
+          MultiPathRoute = "10.0.0.3 1";
+        };
+      }
+    ];
+  };
+
+  environment.systemPackages = [
+    pkgs.ethtool
+    pkgs.neovim
+    pkgs.tmux
+
+    pkgs.wireguard-tools
+    pkgs.tshark
+
+    (pkgs.writeShellScriptBin "dbg-ip" ''
+      echo links:
+      ip -br -c l
+      echo
+      echo addresses:
+      ip -br -c a
+      echo
+      echo vlans:
+      bridge -c vlan
+    '')
+
+    (pkgs.writeShellScriptBin "dbg-dnsmasq" ''
+      # get the rendered in-use config
+      pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat |  grep -Eo '[^=]*conf' | xargs cat
+    '')
+  ];
+}