author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-06 17:19:58 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-06 17:19:58 +0100 |
commit | 67657a453e654811ed5adf45a4c7aab32dc30274 (patch) | |
tree | b94f3378117ca2b6bd2d43c8ef106855e52e6462 /hosts/vidhar | |
parent | 93f07176317920ee881773519ee342f9c62ab9c9 (diff) | |
bifrost: ...
Diffstat (limited to 'hosts/vidhar')
-rw-r--r-- | hosts/vidhar/borg.nix | 12 | ||||
-rw-r--r-- | hosts/vidhar/default.nix | 2 | ||||
-rw-r--r-- | hosts/vidhar/network/bifrost/default.nix | 82 | ||||
-rw-r--r-- | hosts/vidhar/network/bifrost/vidhar.priv | 26 | ||||
-rw-r--r-- | hosts/vidhar/network/bifrost/vidhar.pub | 1 | ||||
-rw-r--r-- | hosts/vidhar/network/default.nix | 2 | ||||
-rw-r--r-- | hosts/vidhar/network/ruleset.nft | 4 |
7 files changed, 125 insertions, 4 deletions
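--- /dev/null
+++ b/hosts/vidhar/borg.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+config = {
+users.users.borg = {
+isSystemUser = true;
+createHome = false;
+group = "borg";
+extraGroups = [ "ssh" ];
+};
+users.groups."borg" = {};
+};
+}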
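Review bot: `users.users.borg` is added to the `ssh` group on line 8, but the module declares neither `openssh.authorizedKeys.keys` nor a `shell`, so the intended login path for this account cannot be seen from the file; a one-line comment stating what membership in `ssh` grants here (presumably an sshd `AllowGroups` match defined elsewhere) would make the intent reviewable. If the account is meant to receive backups over SSH, the usual hardening is to declare each key in `openssh.authorizedKeys.keys` with a forced `command="borg serve --restrict-to-repository …"` option, so the key cannot open an interactive shell. With `createHome = false` and no `home` set, sshd presumably will not find a per-user `authorized_keys` file, which is another reason to keep the keys in the NixOS configuration.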
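--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@
 { hostName, flake, config, pkgs, lib, ... }:
 {
 imports = with flake.nixosModules.systemProfiles; [
-./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus
+./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg.nix
 initrd-all-crypto-modules default-locale openssh rebuild-machines
 build-server
 initrd-ssh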
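--- /dev/null
+++ b/hosts/vidhar/network/bifrost/default.nix
@@ -0,0 +1,82 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+config = {
+systemd.network = {
+netdevs = {
+bifrost = {
+netdevConfig = {
+Name = "bifrost";
+Kind = "wireguard";
+};
+wireguardConfig = {
+PrivateKeyFile = config.sops.secrets.bifrost.path;
+ListenPort = 51822;
+};
+wireguardPeers = [
+{ wireguardPeerConfig = {
+AllowedIPs = [ "2a03:4000:52:ada:4::/96" ];
+PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub);
+PersistentKeepalive = 5;
+Endpoint = "2a03:4000:52:ada:::51822";
+};
+}
+];
+};
+};
+networks = {
+bifrost = {
+name = "bifrost";
+matchConfig = {
+Name = "bifrost";
+};
+address = ["2a03:4000:52:ada:4:1::/96"];
+routes = [
+{ routeConfig = {
+Destination = "2a03:4000:52:ada:4::/80";
+};
+}
+{ routeConfig ={
+Gateway = "2a03:4000:52:ada:4::";
+GatewayOnLink = true;
+Table = "bifrost";
+};
+}
+];
+routingPolicyRules = [
+{ routingPolicyRuleConfig = {
+Table = "bifrost";
+From = "2a03:4000:52:ada:4:1::/96";
+Priority = 200;
+};
+}
+];
+linkConfig = {
+RequiredForOnline = false;
+};
+networkConfig = {
+LLMNR = false;
+MulticastDNS = false;
+};
+};
+};
+};
+sops.secrets.bifrost = {
+format = "binary";
+sopsFile = ./vidhar.priv;
+mode = "0640";
+owner = "root";
+group = "systemd-network";
+};
+environment.etc."systemd/networkd.conf" = {
+text = ''
+[Network]
+RouteTable=bifrost:1026
+'';
+};
+};
+}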
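Review bot: `Endpoint = "2a03:4000:52:ada:::51822"` on line 25 is not a well-formed IPv6 endpoint: the address and the port run together with a triple colon, and systemd-networkd expects the `[address]:port` form for IPv6 literals, so the peer endpoint will not be parsed as intended. Assuming the peer address is `2a03:4000:52:ada::`, the line should read `Endpoint = "[2a03:4000:52:ada::]:51822";`. Separately, `AllowedIPs` on line 22 only covers `2a03:4000:52:ada:4::/96`, while the `Table = "bifrost"` route on lines 43–48 has no `Destination` and so appears to install a default route through the tunnel for traffic sourced from the local /96; if that route is meant to carry traffic beyond the /96, WireGuard's cryptokey routing will silently drop it unless `AllowedIPs` is widened (e.g. to `::/0`), and a comment should state which is intended. A short header comment naming the peer (surtr) and the purpose of routing table 1026 would also help, since the commit message `bifrost: ...` explains nothing.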
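--- /dev/null
+++ b/hosts/vidhar/network/bifrost/vidhar.priv
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data:BSnTkjcVap00po3wV+hSXAi3BMDqwlW+PmhHAecVOl7RFxRAdqVLjIctkmDh,iv:CxKBDo81u1RegSq2lKRwRMlyNINyX3DxoFSqT97e5fM=,tag:Akdav4XxLeQnz2xFMjQ3yw==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-02-06T16:09:08Z",
+"mac": "ENC[AES256_GCM,data:SXCQKrqkOoXlm8Mrs7UZ1CGJe/HnHhvNCuGpt8yhsnchWICfGGWEIrh99TrKkia2X1inoElwXQYYPfyKHFshLaoNjH2GduR287OXluxZs+Thnm1Fnq6oZUBO9mDDUlykZAB3Mjm4WmUnirKB87Q6DFtTRZjh26amt3oC6GwnEfE=,iv:NtPsuStBnJuVfnlbxunL9PxbPdlYktJtV+MYSa53Oc8=,tag:HKJayT/YNP8PJ/ZIlKdQSg==,type:str]",
+"pgp": [
+{
+"created_at": "2022-02-06T16:09:08Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAnjYlc0bHToon5ayDJk+08sRPPEww8MBOprZZswYU1V8w\n5+QzHJXtSbb4lEwKwdwxkkSg1wBiW+kwrV2L2yyYOvoMhWKQsntjQuzaK7I1Kjix\n0l4BOIcMVJEyJk49CEQQyFlqmgJrh9L/dMhl1D7pD842GcpGFxlB7OHRXsLo9axj\nFAuLUc35LyVgnHd2InqDwG0JKiySdI7fN3dXWiD5H3feoCDisBZvaH/5DlufdIl7\n=sLA+\n-----END PGP MESSAGE-----\n",
+"fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+},
+{
+"created_at": "2022-02-06T16:09:08Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAeG22AYCyEYq1Fvqj853ZE7oeuOWOrpDOXiAvnSl83EUw\nofhjhoZ9nMyZlsy+nD06hIvaYdcFeAuSV8iHwANAjarmKlnKicT7b7mBCkOjMJDX\n0l4BAox2QUqhcYbGUKT+/Ei7RXYMP8ht1N+iisBVnzN055VrGQhvDadpcpVzQGKH\n8Hbmmdi9O2PQWRYnvRK+0I7GJFiC4Q36Kzf8X9MojMhb/GIwiBKCU0ZK2BLM9FtA\n=WbKA\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.1"
+}
+}
\ No newline at end of file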
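--- /dev/null
+++ b/hosts/vidhar/network/bifrost/vidhar.pub
@@ -0,0 +1 @@
+moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA=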
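--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 {
-imports = [ ./dsl.nix ];
+imports = [ ./dsl.nix ./bifrost ];
 
 config = {
 networking = {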
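--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -162,8 +162,8 @@ table inet filter {
 iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
 
-iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
-iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
+iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60001-61000 counter name mosh-rx accept
 
 iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
 iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept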
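Review bot: The two changed rules on lines 165–166 admit SSH and mosh from `bifrost`, but nothing in this hunk admits the WireGuard listener itself: `ListenPort = 51822` is set in `hosts/vidhar/network/bifrost/default.nix` in the same commit, and no rule here accepts `udp dport 51822` on the upstream interface. If vidhar is only ever the initiator of the tunnel (the `PersistentKeepalive = 5` setting suggests it sits behind NAT) that is deliberate, but it should be stated, e.g. `# bifrost: vidhar initiates the tunnel, so udp/51822 is not opened inbound` next to these rules. The change also grants the tunnel the same shell-access trust as `lan` and `mgmt`; since the only remote account introduced by this commit is `borg`, a comment saying which peer and which accounts are expected over `bifrost` would keep that trust grant reviewable later. The enclosing chain of `table inet filter` begins and ends outside the hunk.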