diff options
Diffstat (limited to 'hosts/surtr')
-rw-r--r-- | hosts/surtr/bifrost/default.nix | 10 | ||||
-rw-r--r-- | hosts/surtr/default.nix | 1 | ||||
-rw-r--r-- | hosts/surtr/email/default.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/vpn/default.nix | 50 | ||||
-rw-r--r-- | hosts/surtr/vpn/sif.priv | 16 |
5 files changed, 41 insertions, 40 deletions
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix index 20cd5892..fbfde757 100644 --- a/hosts/surtr/bifrost/default.nix +++ b/hosts/surtr/bifrost/default.nix | |||
@@ -18,10 +18,8 @@ in { | |||
18 | ListenPort = 51822; | 18 | ListenPort = 51822; |
19 | }; | 19 | }; |
20 | wireguardPeers = [ | 20 | wireguardPeers = [ |
21 | { wireguardPeerConfig = { | 21 | { AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ]; |
22 | AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ]; | 22 | PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub); |
23 | PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub); | ||
24 | }; | ||
25 | } | 23 | } |
26 | ]; | 24 | ]; |
27 | }; | 25 | }; |
@@ -34,9 +32,7 @@ in { | |||
34 | }; | 32 | }; |
35 | address = ["2a03:4000:52:ada:4::/96"]; | 33 | address = ["2a03:4000:52:ada:4::/96"]; |
36 | routes = [ | 34 | routes = [ |
37 | { routeConfig = { | 35 | { Destination = "2a03:4000:52:ada:4::/80"; |
38 | Destination = "2a03:4000:52:ada:4::/80"; | ||
39 | }; | ||
40 | } | 36 | } |
41 | ]; | 37 | ]; |
42 | linkConfig = { | 38 | linkConfig = { |
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index e6ca0c64..ceb035cb 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix | |||
@@ -165,6 +165,7 @@ with lib; | |||
165 | algorithm = "zstd"; | 165 | algorithm = "zstd"; |
166 | }; | 166 | }; |
167 | 167 | ||
168 | systemd.sysusers.enable = false; | ||
168 | system.stateVersion = "20.09"; | 169 | system.stateVersion = "20.09"; |
169 | }; | 170 | }; |
170 | } | 171 | } |
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index bd72b10e..c10f611f 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
@@ -492,6 +492,10 @@ in { | |||
492 | modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ]; | 492 | modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ]; |
493 | mailPlugins.globally.enable = [ "fts" "fts_xapian" ]; | 493 | mailPlugins.globally.enable = [ "fts" "fts_xapian" ]; |
494 | protocols = [ "lmtp" "sieve" ]; | 494 | protocols = [ "lmtp" "sieve" ]; |
495 | sieve = { | ||
496 | extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"]; | ||
497 | globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"]; | ||
498 | }; | ||
495 | extraConfig = let | 499 | extraConfig = let |
496 | dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' | 500 | dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' |
497 | driver = pgsql | 501 | driver = pgsql |
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 636dab1a..3f7483bd 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix | |||
@@ -15,18 +15,22 @@ in { | |||
15 | containers."vpn" = { | 15 | containers."vpn" = { |
16 | autoStart = true; | 16 | autoStart = true; |
17 | ephemeral = true; | 17 | ephemeral = true; |
18 | additionalCapabilities = [ | ||
19 | "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN" | ||
20 | ]; | ||
18 | extraFlags = [ | 21 | extraFlags = [ |
22 | "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv" | ||
19 | "--network-ipvlan=ens3:upstream" | 23 | "--network-ipvlan=ens3:upstream" |
20 | "--load-credential=surtr.priv:${config.sops.secrets.vpn.path}" | ||
21 | ]; | 24 | ]; |
22 | |||
23 | config = { | 25 | config = { |
24 | boot.kernel.sysctl = { | 26 | boot.kernel.sysctl = { |
25 | "net.core.rmem_max" = 4194304; | 27 | "net.core.rmem_max" = 4194304; |
26 | "net.core.wmem_max" = 4194304; | 28 | "net.core.wmem_max" = 4194304; |
29 | |||
27 | "net.ipv6.conf.all.forwarding" = 1; | 30 | "net.ipv6.conf.all.forwarding" = 1; |
28 | "net.ipv6.conf.default.forwarding"= 1; | 31 | "net.ipv6.conf.default.forwarding" = 1; |
29 | "net.ipv4.conf.all.forwarding" = 1; | 32 | "net.ipv4.conf.all.forwarding" = 1; |
33 | "net.ipv4.conf.default.forwarding" = 1; | ||
30 | }; | 34 | }; |
31 | 35 | ||
32 | environment = { | 36 | environment = { |
@@ -81,10 +85,8 @@ in { | |||
81 | ListenPort = 51820; | 85 | ListenPort = 51820; |
82 | }; | 86 | }; |
83 | wireguardPeers = imap1 (i: { name, ip ? i }: { | 87 | wireguardPeers = imap1 (i: { name, ip ? i }: { |
84 | wireguardPeerConfig = { | 88 | AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"]; |
85 | AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"]; | 89 | PublicKey = trim (readFile (./. + "/${name}.pub")); |
86 | PublicKey = trim (readFile (./. + "/${name}.pub")); | ||
87 | }; | ||
88 | }) [ { name = "geri"; } { name = "sif"; } ]; | 90 | }) [ { name = "geri"; } { name = "sif"; } ]; |
89 | }; | 91 | }; |
90 | }; | 92 | }; |
@@ -104,19 +106,13 @@ in { | |||
104 | MulticastDNS = false; | 106 | MulticastDNS = false; |
105 | }; | 107 | }; |
106 | routes = [ | 108 | routes = [ |
107 | { routeConfig = { | 109 | { Destination = "202.61.240.1"; |
108 | Destination = "202.61.240.1"; | ||
109 | }; | ||
110 | } | 110 | } |
111 | { routeConfig = { | 111 | { Destination = "0.0.0.0/0"; |
112 | Destination = "0.0.0.0/0"; | 112 | Gateway = "202.61.240.1"; |
113 | Gateway = "202.61.240.1"; | ||
114 | }; | ||
115 | } | 113 | } |
116 | { routeConfig = { | 114 | { Destination = "::/0"; |
117 | Destination = "::/0"; | 115 | Gateway = "fe80::1"; |
118 | Gateway = "fe80::1"; | ||
119 | }; | ||
120 | } | 116 | } |
121 | ]; | 117 | ]; |
122 | extraConfig = '' | 118 | extraConfig = '' |
@@ -132,13 +128,9 @@ in { | |||
132 | }; | 128 | }; |
133 | address = ["${prefix6}::/96" "${prefix4}.0/32"]; | 129 | address = ["${prefix6}::/96" "${prefix4}.0/32"]; |
134 | routes = [ | 130 | routes = [ |
135 | { routeConfig = { | 131 | { Destination = "${prefix6}::/80"; |
136 | Destination = "${prefix6}::/80"; | ||
137 | }; | ||
138 | } | 132 | } |
139 | { routeConfig = { | 133 | { Destination = "${prefix4}.0/24"; |
140 | Destination = "${prefix4}.0/24"; | ||
141 | }; | ||
142 | } | 134 | } |
143 | ]; | 135 | ]; |
144 | linkConfig = { | 136 | linkConfig = { |
@@ -154,6 +146,16 @@ in { | |||
154 | }; | 146 | }; |
155 | }; | 147 | }; |
156 | 148 | ||
149 | systemd.services = { | ||
150 | "container@vpn" = { | ||
151 | serviceConfig = { | ||
152 | LoadCredential = [ | ||
153 | "surtr.priv:${config.sops.secrets.vpn.path}" | ||
154 | ]; | ||
155 | }; | ||
156 | }; | ||
157 | }; | ||
158 | |||
157 | sops.secrets.vpn = { | 159 | sops.secrets.vpn = { |
158 | format = "binary"; | 160 | format = "binary"; |
159 | sopsFile = ./surtr.priv; | 161 | sopsFile = ./surtr.priv; |
diff --git a/hosts/surtr/vpn/sif.priv b/hosts/surtr/vpn/sif.priv index a3c13416..25afb9fa 100644 --- a/hosts/surtr/vpn/sif.priv +++ b/hosts/surtr/vpn/sif.priv | |||
@@ -7,19 +7,17 @@ | |||
7 | "hc_vault": null, | 7 | "hc_vault": null, |
8 | "age": [ | 8 | "age": [ |
9 | { | 9 | { |
10 | "recipient": "age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d", | 10 | "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", |
11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVzdKYllJMkJ5TE1lY25D\nOTh6WGtYcmRhY244MUdyRnFCa3ZTMGx4ZVFjCllRaElWVlZ1b0dKL09qUWNEYkhS\nNnowRFdjSDVnSzNLQVByQm00Q1NHWFEKLS0tIDhiN2pjeU1nL2tWMFFrZUl1TGto\nY04wY0o3ZEhsR3hrQjh1eHREZHgrUXcKhd3BZiC6NfQ1kDvpN+HG4z6xdLJZaR7B\nvyEQ/p0VpNKXW83BhiM+FFzJ0WLP7nS7gQ89RyjAOQ0/oIb+b29xiw==\n-----END AGE ENCRYPTED FILE-----\n" | 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOEFxOWNVZEVHRUlXTHg0\nTXV1Q2ZuQmtmek5GeHZXbFZwaU5tbDVnY2lrCnBldG9KTXEvM3kyVjFFQmF3OUxW\neE5oODVKSmVaTnZJSnhjVmZlVGpMbzgKLS0tIGptV3VFai90RHlHT2JyN2k4UFBK\nTHVXL3N3MjdOV1lJZ2ZDM3Z4SFlUZnMKGJEoiGIUJYqDKa24LV5Et8g2oTzGZFPW\n7+/sUTwqsbxPNhHscx89G063QoLjoWGCJ5RERUj+6Qcd49ja4jn07Q==\n-----END AGE ENCRYPTED FILE-----\n" |
12 | }, | ||
13 | { | ||
14 | "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne", | ||
15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdmJKR0REWUVZL3Z4ODlT\nS1J6SUsvaTBpRXlHR1hON1RldUZ3TklMUGlBClZVMG4yQ0ppcWRhcTZTNmsvQnl2\nTGJ2VlhVS3U5NU9tTXZ5ZURqbkxBejgKLS0tIDkxOTF3WDk2Slp3K3pTYkNFOEt5\ndDU0bjl4RDRyM25ZUmNMOWNHYVFya0UKn8ptfrHhagqepWz1wKxmiM7U0pSv41xh\n0RHpQwFXCUjIPuntZD2e4fLxfU11gpPvdVB42uILG/IYhJUX9ejf+w==\n-----END AGE ENCRYPTED FILE-----\n" | ||
12 | } | 16 | } |
13 | ], | 17 | ], |
14 | "lastmodified": "2022-07-29T12:15:02Z", | 18 | "lastmodified": "2022-07-29T12:15:02Z", |
15 | "mac": "ENC[AES256_GCM,data:MQFmmdTgHlwYplUt51VdMUAnezhypB0Yh0PW5LX4L0lsF0/qlHofRXvqHYI6sx21r8UuTjvLIZ+7LSo8px2wELDol77ufh1zxSDBdbGq6J2ITPEMtmqIXwGJQKweEBr4B4H4mxoiIVQUgNj5TxzxhL7KTm+sVi1uCqTcJjnSY5o=,iv:YJ1GuHd3I4QaJxSJitLrUagaBth1jcQNlIAIahiOCgs=,tag:pcFpscLzTe1egToIzcZh8Q==,type:str]", | 19 | "mac": "ENC[AES256_GCM,data:MQFmmdTgHlwYplUt51VdMUAnezhypB0Yh0PW5LX4L0lsF0/qlHofRXvqHYI6sx21r8UuTjvLIZ+7LSo8px2wELDol77ufh1zxSDBdbGq6J2ITPEMtmqIXwGJQKweEBr4B4H4mxoiIVQUgNj5TxzxhL7KTm+sVi1uCqTcJjnSY5o=,iv:YJ1GuHd3I4QaJxSJitLrUagaBth1jcQNlIAIahiOCgs=,tag:pcFpscLzTe1egToIzcZh8Q==,type:str]", |
16 | "pgp": [ | 20 | "pgp": null, |
17 | { | ||
18 | "created_at": "2023-01-30T10:58:41Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA8xX+2sUmk2pxjs8kIEoCSijlD2Fpc+4iDBfFbT5Apxkw\nTQYHXzajO77NqiRFu/6s/pzZRhzqlWb6+SqZ31BCws/IZjChXQjrV3p1biAQh5Y7\n0lwBVMoawwg2glvW1CanysrUTC4T0r70CViYhoM7RuwRp79FA4r7xKWct+Igsk8V\n6wy13zSRhPqK5yC9Xk5GmMlUiSu1f5SDTQ+dD+QNjHp0JninoNmTxfPrBbLfpg==\n=eeWj\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | 21 | "unencrypted_suffix": "_unencrypted", |
24 | "version": "3.7.3" | 22 | "version": "3.7.3" |
25 | } | 23 | } |