summaryrefslogtreecommitdiff
path: root/hosts/surtr
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/surtr')
-rw-r--r--hosts/surtr/bifrost/default.nix10
-rw-r--r--hosts/surtr/default.nix1
-rw-r--r--hosts/surtr/email/default.nix4
-rw-r--r--hosts/surtr/vpn/default.nix50
-rw-r--r--hosts/surtr/vpn/sif.priv16
5 files changed, 41 insertions, 40 deletions
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
index 20cd5892..fbfde757 100644
--- a/hosts/surtr/bifrost/default.nix
+++ b/hosts/surtr/bifrost/default.nix
@@ -18,10 +18,8 @@ in {
18 ListenPort = 51822; 18 ListenPort = 51822;
19 }; 19 };
20 wireguardPeers = [ 20 wireguardPeers = [
21 { wireguardPeerConfig = { 21 { AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
22 AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ]; 22 PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
23 PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
24 };
25 } 23 }
26 ]; 24 ];
27 }; 25 };
@@ -34,9 +32,7 @@ in {
34 }; 32 };
35 address = ["2a03:4000:52:ada:4::/96"]; 33 address = ["2a03:4000:52:ada:4::/96"];
36 routes = [ 34 routes = [
37 { routeConfig = { 35 { Destination = "2a03:4000:52:ada:4::/80";
38 Destination = "2a03:4000:52:ada:4::/80";
39 };
40 } 36 }
41 ]; 37 ];
42 linkConfig = { 38 linkConfig = {
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index e6ca0c64..ceb035cb 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -165,6 +165,7 @@ with lib;
165 algorithm = "zstd"; 165 algorithm = "zstd";
166 }; 166 };
167 167
168 systemd.sysusers.enable = false;
168 system.stateVersion = "20.09"; 169 system.stateVersion = "20.09";
169 }; 170 };
170} 171}
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index bd72b10e..c10f611f 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -492,6 +492,10 @@ in {
492 modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ]; 492 modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ];
493 mailPlugins.globally.enable = [ "fts" "fts_xapian" ]; 493 mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
494 protocols = [ "lmtp" "sieve" ]; 494 protocols = [ "lmtp" "sieve" ];
495 sieve = {
496 extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];
497 globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];
498 };
495 extraConfig = let 499 extraConfig = let
496 dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' 500 dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
497 driver = pgsql 501 driver = pgsql
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 636dab1a..3f7483bd 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -15,18 +15,22 @@ in {
15 containers."vpn" = { 15 containers."vpn" = {
16 autoStart = true; 16 autoStart = true;
17 ephemeral = true; 17 ephemeral = true;
18 additionalCapabilities = [
19 "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN"
20 ];
18 extraFlags = [ 21 extraFlags = [
22 "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
19 "--network-ipvlan=ens3:upstream" 23 "--network-ipvlan=ens3:upstream"
20 "--load-credential=surtr.priv:${config.sops.secrets.vpn.path}"
21 ]; 24 ];
22
23 config = { 25 config = {
24 boot.kernel.sysctl = { 26 boot.kernel.sysctl = {
25 "net.core.rmem_max" = 4194304; 27 "net.core.rmem_max" = 4194304;
26 "net.core.wmem_max" = 4194304; 28 "net.core.wmem_max" = 4194304;
29
27 "net.ipv6.conf.all.forwarding" = 1; 30 "net.ipv6.conf.all.forwarding" = 1;
28 "net.ipv6.conf.default.forwarding"= 1; 31 "net.ipv6.conf.default.forwarding" = 1;
29 "net.ipv4.conf.all.forwarding" = 1; 32 "net.ipv4.conf.all.forwarding" = 1;
33 "net.ipv4.conf.default.forwarding" = 1;
30 }; 34 };
31 35
32 environment = { 36 environment = {
@@ -81,10 +85,8 @@ in {
81 ListenPort = 51820; 85 ListenPort = 51820;
82 }; 86 };
83 wireguardPeers = imap1 (i: { name, ip ? i }: { 87 wireguardPeers = imap1 (i: { name, ip ? i }: {
84 wireguardPeerConfig = { 88 AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"];
85 AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"]; 89 PublicKey = trim (readFile (./. + "/${name}.pub"));
86 PublicKey = trim (readFile (./. + "/${name}.pub"));
87 };
88 }) [ { name = "geri"; } { name = "sif"; } ]; 90 }) [ { name = "geri"; } { name = "sif"; } ];
89 }; 91 };
90 }; 92 };
@@ -104,19 +106,13 @@ in {
104 MulticastDNS = false; 106 MulticastDNS = false;
105 }; 107 };
106 routes = [ 108 routes = [
107 { routeConfig = { 109 { Destination = "202.61.240.1";
108 Destination = "202.61.240.1";
109 };
110 } 110 }
111 { routeConfig = { 111 { Destination = "0.0.0.0/0";
112 Destination = "0.0.0.0/0"; 112 Gateway = "202.61.240.1";
113 Gateway = "202.61.240.1";
114 };
115 } 113 }
116 { routeConfig = { 114 { Destination = "::/0";
117 Destination = "::/0"; 115 Gateway = "fe80::1";
118 Gateway = "fe80::1";
119 };
120 } 116 }
121 ]; 117 ];
122 extraConfig = '' 118 extraConfig = ''
@@ -132,13 +128,9 @@ in {
132 }; 128 };
133 address = ["${prefix6}::/96" "${prefix4}.0/32"]; 129 address = ["${prefix6}::/96" "${prefix4}.0/32"];
134 routes = [ 130 routes = [
135 { routeConfig = { 131 { Destination = "${prefix6}::/80";
136 Destination = "${prefix6}::/80";
137 };
138 } 132 }
139 { routeConfig = { 133 { Destination = "${prefix4}.0/24";
140 Destination = "${prefix4}.0/24";
141 };
142 } 134 }
143 ]; 135 ];
144 linkConfig = { 136 linkConfig = {
@@ -154,6 +146,16 @@ in {
154 }; 146 };
155 }; 147 };
156 148
149 systemd.services = {
150 "container@vpn" = {
151 serviceConfig = {
152 LoadCredential = [
153 "surtr.priv:${config.sops.secrets.vpn.path}"
154 ];
155 };
156 };
157 };
158
157 sops.secrets.vpn = { 159 sops.secrets.vpn = {
158 format = "binary"; 160 format = "binary";
159 sopsFile = ./surtr.priv; 161 sopsFile = ./surtr.priv;
diff --git a/hosts/surtr/vpn/sif.priv b/hosts/surtr/vpn/sif.priv
index a3c13416..25afb9fa 100644
--- a/hosts/surtr/vpn/sif.priv
+++ b/hosts/surtr/vpn/sif.priv
@@ -7,19 +7,17 @@
7 "hc_vault": null, 7 "hc_vault": null,
8 "age": [ 8 "age": [
9 { 9 {
10 "recipient": "age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d", 10 "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVzdKYllJMkJ5TE1lY25D\nOTh6WGtYcmRhY244MUdyRnFCa3ZTMGx4ZVFjCllRaElWVlZ1b0dKL09qUWNEYkhS\nNnowRFdjSDVnSzNLQVByQm00Q1NHWFEKLS0tIDhiN2pjeU1nL2tWMFFrZUl1TGto\nY04wY0o3ZEhsR3hrQjh1eHREZHgrUXcKhd3BZiC6NfQ1kDvpN+HG4z6xdLJZaR7B\nvyEQ/p0VpNKXW83BhiM+FFzJ0WLP7nS7gQ89RyjAOQ0/oIb+b29xiw==\n-----END AGE ENCRYPTED FILE-----\n" 11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOEFxOWNVZEVHRUlXTHg0\nTXV1Q2ZuQmtmek5GeHZXbFZwaU5tbDVnY2lrCnBldG9KTXEvM3kyVjFFQmF3OUxW\neE5oODVKSmVaTnZJSnhjVmZlVGpMbzgKLS0tIGptV3VFai90RHlHT2JyN2k4UFBK\nTHVXL3N3MjdOV1lJZ2ZDM3Z4SFlUZnMKGJEoiGIUJYqDKa24LV5Et8g2oTzGZFPW\n7+/sUTwqsbxPNhHscx89G063QoLjoWGCJ5RERUj+6Qcd49ja4jn07Q==\n-----END AGE ENCRYPTED FILE-----\n"
12 },
13 {
14 "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
15 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdmJKR0REWUVZL3Z4ODlT\nS1J6SUsvaTBpRXlHR1hON1RldUZ3TklMUGlBClZVMG4yQ0ppcWRhcTZTNmsvQnl2\nTGJ2VlhVS3U5NU9tTXZ5ZURqbkxBejgKLS0tIDkxOTF3WDk2Slp3K3pTYkNFOEt5\ndDU0bjl4RDRyM25ZUmNMOWNHYVFya0UKn8ptfrHhagqepWz1wKxmiM7U0pSv41xh\n0RHpQwFXCUjIPuntZD2e4fLxfU11gpPvdVB42uILG/IYhJUX9ejf+w==\n-----END AGE ENCRYPTED FILE-----\n"
12 } 16 }
13 ], 17 ],
14 "lastmodified": "2022-07-29T12:15:02Z", 18 "lastmodified": "2022-07-29T12:15:02Z",
15 "mac": "ENC[AES256_GCM,data:MQFmmdTgHlwYplUt51VdMUAnezhypB0Yh0PW5LX4L0lsF0/qlHofRXvqHYI6sx21r8UuTjvLIZ+7LSo8px2wELDol77ufh1zxSDBdbGq6J2ITPEMtmqIXwGJQKweEBr4B4H4mxoiIVQUgNj5TxzxhL7KTm+sVi1uCqTcJjnSY5o=,iv:YJ1GuHd3I4QaJxSJitLrUagaBth1jcQNlIAIahiOCgs=,tag:pcFpscLzTe1egToIzcZh8Q==,type:str]", 19 "mac": "ENC[AES256_GCM,data:MQFmmdTgHlwYplUt51VdMUAnezhypB0Yh0PW5LX4L0lsF0/qlHofRXvqHYI6sx21r8UuTjvLIZ+7LSo8px2wELDol77ufh1zxSDBdbGq6J2ITPEMtmqIXwGJQKweEBr4B4H4mxoiIVQUgNj5TxzxhL7KTm+sVi1uCqTcJjnSY5o=,iv:YJ1GuHd3I4QaJxSJitLrUagaBth1jcQNlIAIahiOCgs=,tag:pcFpscLzTe1egToIzcZh8Q==,type:str]",
16 "pgp": [ 20 "pgp": null,
17 {
18 "created_at": "2023-01-30T10:58:41Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA8xX+2sUmk2pxjs8kIEoCSijlD2Fpc+4iDBfFbT5Apxkw\nTQYHXzajO77NqiRFu/6s/pzZRhzqlWb6+SqZ31BCws/IZjChXQjrV3p1biAQh5Y7\n0lwBVMoawwg2glvW1CanysrUTC4T0r70CViYhoM7RuwRp79FA4r7xKWct+Igsk8V\n6wy13zSRhPqK5yC9Xk5GmMlUiSu1f5SDTQ+dD+QNjHp0JninoNmTxfPrBbLfpg==\n=eeWj\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted", 21 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.3" 22 "version": "3.7.3"
25 } 23 }
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-24 17:48:50 +0000