host: add talos server
This commit is contained in:
parent
d794bf88f0
commit
52993be543
17 changed files with 59 additions and 34 deletions
Binary file not shown.
3
Makefile
3
Makefile
|
@ -25,7 +25,8 @@ MACHINES := \
|
|||
VPS := \
|
||||
magenta \
|
||||
canigou \
|
||||
istal
|
||||
istal \
|
||||
tatos
|
||||
|
||||
.PHONY: help
|
||||
help:
|
||||
|
|
Binary file not shown.
|
@ -14,7 +14,6 @@ in
|
|||
../../shared/garbage-collector.nix
|
||||
../../shared/docker-swarm.nix
|
||||
|
||||
./services/wireguard.nix
|
||||
./services/miniflux.nix
|
||||
./services/telegram-bot.nix
|
||||
];
|
||||
|
|
|
@ -66,4 +66,10 @@ in
|
|||
|
||||
targetHost = (import ./istal/data.secret.nix).addr;
|
||||
};
|
||||
|
||||
tatos = {
|
||||
system = "x86_64-linux";
|
||||
|
||||
targetHost = (import ./tatos/data.secret.nix).addr;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
let
|
||||
canigouData = import ../../canigou/data.secret.nix;
|
||||
tatosData = import ../../tatos/data.secret.nix;
|
||||
|
||||
istalData = import ../data.secret.nix;
|
||||
inherit (istalData.wireguard) port;
|
||||
|
@ -41,12 +41,10 @@ in
|
|||
privateKeyFile = config.age.secrets.wireguard-istal-private.path;
|
||||
|
||||
peers = [
|
||||
# List of allowed peers.
|
||||
{
|
||||
publicKey = canigouData.wireguard.publicKey;
|
||||
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
|
||||
publicKey = tatosData.wireguard.publicKey;
|
||||
allowedIPs = [ "10.20.30.0/24" ];
|
||||
endpoint = "${canigouData.addr}:${toString canigouData.wireguard.port}";
|
||||
endpoint = "${tatosData.addr}:${toString tatosData.wireguard.port}";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
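Review bot: `endpoint = "${tatosData.addr}:${toString tatosData.wireguard.port}"` interpolates a value read from `tatos/data.secret.nix` straight into the generated WireGuard unit, which lands in the world-readable /nix/store on istal; the `.secret.nix` convention (the file is shown as binary, presumably encrypted in the repository) keeps the address out of the public repo but not out of the deployed host. That is likely fine for a server's public address, but a one-line comment would stop the file from later absorbing a real secret, e.g. `# Values from *.secret.nix are evaluated into the Nix store: repo-private only, never host-private material.` Also note that `allowedIPs = [ "10.20.30.0/24" ]` on this single peer makes istal accept any tunnel source address from tatos, i.e. istal now trusts tatos to enforce per-client addressing for everything behind it.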
|
||||
|
|
BIN
nixos/hosts/tatos/data.secret.nix
Normal file
BIN
nixos/hosts/tatos/data.secret.nix
Normal file
Binary file not shown.
27
nixos/hosts/tatos/default.nix
Normal file
27
nixos/hosts/tatos/default.nix
Normal file
|
@ -0,0 +1,27 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
data = import ../../../data.nix;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./networking.secret.nix # generated at runtime by nixos-infect
|
||||
|
||||
../../modules/nix.nix
|
||||
../../shared/common.nix
|
||||
../../shared/garbage-collector.nix
|
||||
|
||||
./services/wireguard.nix
|
||||
];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_1;
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
|
||||
zramSwap.enable = true;
|
||||
|
||||
networking.hostName = "tatos";
|
||||
|
||||
services.openssh.enable = true;
|
||||
users.users.root.openssh.authorizedKeys.keys = data.publicKeys.users.jan;
|
||||
}
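Review bot: `services.openssh.enable = true;` plus root authorized keys leaves password and keyboard-interactive authentication at the NixOS defaults, which (unless `shared/common.nix`, not visible here, overrides them) accept passwords, so this freshly nixos-infected public VPS will take password guesses against root and any local account. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` beside the enable line; PermitRootLogin's default of prohibit-password already limits root to keys, so the authorizedKeys line is otherwise fine. A comment on that line noting the key list is read from the unencrypted `../../../data.nix` would also help, since everything else host-specific here is pulled from `*.secret.nix`.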
|
10
nixos/hosts/tatos/hardware-configuration.nix
Normal file
10
nixos/hosts/tatos/hardware-configuration.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
{ modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
|
||||
boot.initrd.kernelModules = [ "nvme" ];
|
||||
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
|
||||
|
||||
}
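Review bot: `fileSystems."/" = { device = "/dev/sda1"; ... }` depends on kernel enumeration order, and together with `boot.initrd.kernelModules = [ "nvme" ]` next to an `ata_piix`/`xen_blkfront` module list this reads like a copied template rather than a probe of the actual VM; if the provider exposes the root disk as nvme0n1 or adds a second disk, the initrd will fail to find root. Prefer the stable form nixos-generate-config emits, `device = "/dev/disk/by-uuid/<uuid>";`, leaving `boot.loader.grub.device = "/dev/sda"` as the whole-disk target. If this file is intentionally verbatim nixos-infect output, a header comment saying so (as `default.nix` does for `networking.secret.nix`) would make that explicit.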
|
BIN
nixos/hosts/tatos/networking.secret.nix
Normal file
BIN
nixos/hosts/tatos/networking.secret.nix
Normal file
Binary file not shown.
|
@ -5,8 +5,8 @@
|
|||
let
|
||||
istalData = import ../../istal/data.secret.nix;
|
||||
|
||||
canigouData = import ../data.secret.nix;
|
||||
port = canigouData.wireguard.port;
|
||||
tatosData = import ../data.secret.nix;
|
||||
port = tatosData.wireguard.port;
|
||||
|
||||
update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
|
||||
in
|
||||
|
@ -42,19 +42,19 @@ in
|
|||
gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
|
||||
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
|
||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE
|
||||
${pkgs.iproute}/bin/ip rule add from ${canigouData.addr} table main
|
||||
${pkgs.iproute}/bin/ip route add 193.0.6.150 via $gateway dev $interface
|
||||
${pkgs.iproute}/bin/ip rule add from ${tatosData.addr} table main
|
||||
${pkgs.iproute}/bin/ip route add 193.0.6.150/32 via $gateway dev $interface
|
||||
'';
|
||||
preDown = ''
|
||||
gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
|
||||
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
|
||||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE
|
||||
${pkgs.iproute}/bin/ip rule del from ${canigouData.addr} table main
|
||||
${pkgs.iproute}/bin/ip route del 193.0.6.150 via $gateway dev $interface
|
||||
${pkgs.iproute}/bin/ip rule del from ${tatosData.addr} table main
|
||||
${pkgs.iproute}/bin/ip route del 193.0.6.150/32 via $gateway dev $interface
|
||||
'';
|
||||
|
||||
# Path to the private key file.
|
||||
privateKeyFile = config.age.secrets.wireguard-canigou-private.path;
|
||||
privateKeyFile = config.age.secrets.wireguard-tatos-private.path;
|
||||
|
||||
peers = [
|
||||
# Istal
|
||||
|
@ -86,8 +86,8 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
age.secrets.wireguard-canigou-private = {
|
||||
file = ../../../../secrets/wireguard-canigou-private.age;
|
||||
age.secrets.wireguard-tatos-private = {
|
||||
file = ../../../../secrets/wireguard-tatos-private.age;
|
||||
mode = "0400";
|
||||
};
|
||||
}
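Review bot: the `iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE` in postUp is not limited to the tunnel's source range, so everything this host forwards out of its default interface is NATed, not just WireGuard peers, and because `-A` is unconditional every (re)start of the interface appends another copy; `preDown` removes only one and, if the default route changed while the tunnel was up, its recomputed `$interface` may not match at all. Scope the rule to the tunnel subnet and guard it with `-C` so re-running postUp is idempotent; the 10.20.30.0/24 below is inferred from istal's peer entry and should be confirmed against this interface's address, which is outside the hunk, as is the `postUp = ''` opener itself. Separately, `ip route add 193.0.6.150/32 via $gateway dev $interface` is a bare literal; a comment naming what that host is (the routes source that `update_ru_routes` fetches from, presumably) would spare the next reader a lookup.
```nix
  # postUp continues from above; gateway/interface detection unchanged
  # NAT only traffic arriving from the tunnel; -C first keeps repeated postUp runs idempotent.
  ${pkgs.iptables}/bin/iptables -t nat -C POSTROUTING -s 10.20.30.0/24 -o "$interface" -j MASQUERADE 2>/dev/null \
    || ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.20.30.0/24 -o "$interface" -j MASQUERADE
  # … unchanged: ip rule / ip route additions …
  # preDown: mirror the same match so the rule is actually removed
  ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.20.30.0/24 -o "$interface" -j MASQUERADE 2>/dev/null || true
  # … unchanged: ip rule / ip route deletions …
```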
|
|
@ -1,17 +1,12 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.local.wireguard;
|
||||
|
||||
# externalServerData = import ../hosts/istal/data.secret.nix;
|
||||
serverData = import ../hosts/canigou/data.secret.nix;
|
||||
# serverData = import ../hosts/istal/data.secret.nix;
|
||||
serverData = import ../hosts/tatos/data.secret.nix;
|
||||
|
||||
serverAddr = serverData.addr;
|
||||
serverPort = serverData.wireguard.port;
|
||||
|
||||
# Run `ip route` to show gateway
|
||||
defaultGateway = "192.168.0.1";
|
||||
in
|
||||
{
|
||||
options.local.wireguard = with lib; {
|
||||
|
@ -42,17 +37,6 @@ in
|
|||
# Path to the private key file.
|
||||
privateKeyFile = cfg.privateKeyFile;
|
||||
|
||||
# Add a more specific ip route allowing traffic to the VPN via the default gateway
|
||||
# Source: https://discourse.nixos.org/t/route-all-traffic-through-wireguard-interface/1480/18
|
||||
/*
|
||||
postUp = ''
|
||||
${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}
|
||||
'';
|
||||
preDown = ''
|
||||
${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}
|
||||
'';
|
||||
*/
|
||||
|
||||
peers = [
|
||||
# For a client configuration, one peer entry for the server will suffice.
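Review bot: `# serverData = import ../hosts/istal/data.secret.nix;` swaps one commented-out alternative for another, so which server every client talks to stays a hand-edited toggle inside a shared module rather than a per-host choice; expose it as an option beside `options.local.wireguard` (something like `server = lib.mkOption { type = lib.types.path; default = ../hosts/tatos/data.secret.nix; };`) and drop the dead comment. With the postUp/preDown route block removed, verify that `serverAddr` is still referenced; its only remaining use would be in the peers list, which continues past the end of this hunk.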
|
||||
|
||||
|
|
Binary file not shown.
Binary file not shown.
BIN
secrets/wireguard-tatos-private.age
Normal file
BIN
secrets/wireguard-tatos-private.age
Normal file
Binary file not shown.