Diffstat (limited to 'hosts/vidhar')
-rw-r--r--hosts/vidhar/borg.nix12
-rw-r--r--hosts/vidhar/default.nix2
-rw-r--r--hosts/vidhar/network/bifrost/default.nix82
-rw-r--r--hosts/vidhar/network/bifrost/vidhar.priv26
-rw-r--r--hosts/vidhar/network/bifrost/vidhar.pub1
-rw-r--r--hosts/vidhar/network/default.nix2
-rw-r--r--hosts/vidhar/network/ruleset.nft4
7 files changed, 125 insertions, 4 deletions
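--- /dev/null
+++ b/hosts/vidhar/borg.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+  config = {
+    users.users.borg = {
+      isSystemUser = true;
+      createHome = false;
+      group = "borg";
+      extraGroups = [ "ssh" ];
+    };
+    users.groups."borg" = {};
+  };
+}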
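Review bot: `users.users.borg` is placed in the `ssh` group but nothing in this file constrains what that login may do — there is no `openssh.authorizedKeys`, no `home`, and `isSystemUser` leaves the NixOS default nologin shell, so as committed the account can neither run anything over SSH nor, once a key is added elsewhere, be limited to backup traffic. If this is the receive side for pushed borg backups, I would pin the key in this same file with a forced command and a real shell, e.g. `openssh.authorizedKeys.keys = [ ''restrict,command="borg serve --restrict-to-repository /srv/borg/<client>" ssh-ed25519 AAAA…'' ];` together with `useDefaultShell = true;` and `home = "/srv/borg";`, so a compromised client key cannot open an interactive session or reach other repositories. A short comment on `extraGroups` stating what membership in `ssh` grants (I assume an `AllowGroups` rule in the openssh profile, which is outside this diff) would also make the intent reviewable.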
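--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@
 { hostName, flake, config, pkgs, lib, ... }:
 {
   imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus
+    ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg.nix
     initrd-all-crypto-modules default-locale openssh rebuild-machines
     build-server
     initrd-ssh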
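--- /dev/null
+++ b/hosts/vidhar/network/bifrost/default.nix
@@ -0,0 +1,82 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+  config = {
+    systemd.network = {
+      netdevs = {
+        bifrost = {
+          netdevConfig = {
+            Name = "bifrost";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = config.sops.secrets.bifrost.path;
+            ListenPort = 51822;
+          };
+          wireguardPeers = [
+            { wireguardPeerConfig = {
+                AllowedIPs = [ "2a03:4000:52:ada:4::/96" ];
+                PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub);
+                PersistentKeepalive = 5;
+                Endpoint = "2a03:4000:52:ada:::51822";
+              };
+            }
+          ];
+        };
+      };
+      networks = {
+        bifrost = {
+          name = "bifrost";
+          matchConfig = {
+            Name = "bifrost";
+          };
+          address = ["2a03:4000:52:ada:4:1::/96"];
+          routes = [
+            { routeConfig = {
+                Destination = "2a03:4000:52:ada:4::/80";
+              };
+            }
+            { routeConfig ={
+                Gateway = "2a03:4000:52:ada:4::";
+                GatewayOnLink = true;
+                Table = "bifrost";
+              };
+            }
+          ];
+          routingPolicyRules = [
+            { routingPolicyRuleConfig = {
+                Table = "bifrost";
+                From = "2a03:4000:52:ada:4:1::/96";
+                Priority = 200;
+              };
+            }
+          ];
+          linkConfig = {
+            RequiredForOnline = false;
+          };
+          networkConfig = {
+            LLMNR = false;
+            MulticastDNS = false;
+          };
+        };
+      };
+    };
+    sops.secrets.bifrost = {
+      format = "binary";
+      sopsFile = ./vidhar.priv;
+      mode = "0640";
+      owner = "root";
+      group = "systemd-network";
+    };
+    environment.etc."systemd/networkd.conf" = {
+      text = ''
+        [Network]
+        RouteTable=bifrost:1026
+      '';
+    };
+  };
+}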
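Review bot: `Endpoint = "2a03:4000:52:ada:::51822"` is an IPv6 address with an unbracketed port; systemd.netdev(5) documents IPv6 endpoints as `[addr]:port`, and relying on the parser splitting at the last colon makes the `:::` run easy to misread and fragile across systemd versions. I would write `Endpoint = "[2a03:4000:52:ada::]:51822";`. Separately, `environment.etc."systemd/networkd.conf"` replaces the whole file, so any other module that also sets networkd.conf (for instance through `systemd.network.config`, if the nixpkgs revision in use provides it) will collide rather than merge; a comment such as `# owns /etc/systemd/networkd.conf: only RouteTable=bifrost:1026 lives here` would make that ownership explicit. The peer carries no `PresharedKeyFile`; optional, but it is a cheap extra layer on a tunnel that the ruleset in this commit opens for management SSH.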
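--- /dev/null
+++ b/hosts/vidhar/network/bifrost/vidhar.priv
@@ -0,0 +1,26 @@
+{
+  "data": "ENC[AES256_GCM,data:BSnTkjcVap00po3wV+hSXAi3BMDqwlW+PmhHAecVOl7RFxRAdqVLjIctkmDh,iv:CxKBDo81u1RegSq2lKRwRMlyNINyX3DxoFSqT97e5fM=,tag:Akdav4XxLeQnz2xFMjQ3yw==,type:str]",
+  "sops": {
+    "kms": null,
+    "gcp_kms": null,
+    "azure_kv": null,
+    "hc_vault": null,
+    "age": null,
+    "lastmodified": "2022-02-06T16:09:08Z",
+    "mac": "ENC[AES256_GCM,data:SXCQKrqkOoXlm8Mrs7UZ1CGJe/HnHhvNCuGpt8yhsnchWICfGGWEIrh99TrKkia2X1inoElwXQYYPfyKHFshLaoNjH2GduR287OXluxZs+Thnm1Fnq6oZUBO9mDDUlykZAB3Mjm4WmUnirKB87Q6DFtTRZjh26amt3oC6GwnEfE=,iv:NtPsuStBnJuVfnlbxunL9PxbPdlYktJtV+MYSa53Oc8=,tag:HKJayT/YNP8PJ/ZIlKdQSg==,type:str]",
+    "pgp": [
+      {
+        "created_at": "2022-02-06T16:09:08Z",
+        "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAnjYlc0bHToon5ayDJk+08sRPPEww8MBOprZZswYU1V8w\n5+QzHJXtSbb4lEwKwdwxkkSg1wBiW+kwrV2L2yyYOvoMhWKQsntjQuzaK7I1Kjix\n0l4BOIcMVJEyJk49CEQQyFlqmgJrh9L/dMhl1D7pD842GcpGFxlB7OHRXsLo9axj\nFAuLUc35LyVgnHd2InqDwG0JKiySdI7fN3dXWiD5H3feoCDisBZvaH/5DlufdIl7\n=sLA+\n-----END PGP MESSAGE-----\n",
+        "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+      },
+      {
+        "created_at": "2022-02-06T16:09:08Z",
+        "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAeG22AYCyEYq1Fvqj853ZE7oeuOWOrpDOXiAvnSl83EUw\nofhjhoZ9nMyZlsy+nD06hIvaYdcFeAuSV8iHwANAjarmKlnKicT7b7mBCkOjMJDX\n0l4BAox2QUqhcYbGUKT+/Ei7RXYMP8ht1N+iisBVnzN055VrGQhvDadpcpVzQGKH\n8Hbmmdi9O2PQWRYnvRK+0I7GJFiC4Q36Kzf8X9MojMhb/GIwiBKCU0ZK2BLM9FtA\n=WbKA\n-----END PGP MESSAGE-----\n",
+        "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+      }
+    ],
+    "unencrypted_suffix": "_unencrypted",
+    "version": "3.7.1"
+  }
+}
\ No newline at end of file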
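--- /dev/null
+++ b/hosts/vidhar/network/bifrost/vidhar.pub
@@ -0,0 +1 @@
+moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA=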
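--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 {
-  imports = [ ./dsl.nix ];
+  imports = [ ./dsl.nix ./bifrost ];
 
   config = {
     networking = {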
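--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -162,8 +162,8 @@ table inet filter {
     iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
     meta l4proto $icmp_protos counter name icmp-rx accept
 
-    iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
-    iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
+    iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+    iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60001-61000 counter name mosh-rx accept
 
     iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
     iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept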
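Review bot: Adding `bifrost` to the ssh and mosh accept sets trusts the tunnel interface like `lan`, which is only sound because the WireGuard peer's `AllowedIPs` (configured in `network/bifrost/default.nix` in this same commit, not in this file) restricts which source addresses the kernel will pass through it; that dependency is invisible from the ruleset. I would record it inline above the two rules, e.g. `# bifrost: wireguard tunnel to surtr; accepted sources are bounded by the peer's AllowedIPs in network/bifrost`, so a later widening of AllowedIPs is recognised as also widening SSH exposure. The enclosing chain starts and ends outside the hunk, so I cannot see whether a matching rule for WireGuard's own UDP 51822 on the uplink exists; with `Endpoint` and `PersistentKeepalive` set on this side it is probably not needed, but worth confirming.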