host: add talos server

Makefile

@@ -25,7 +25,8 @@ MACHINES := \
 VPS := \
 	magenta \
 	canigou \
-	istal
+	istal \
+	tatos
 
 .PHONY: help
 help:

nixos/hosts/canigou/default.nix

@@ -14,7 +14,6 @@ in
     ../../shared/garbage-collector.nix
     ../../shared/docker-swarm.nix
 
-    ./services/wireguard.nix
     ./services/miniflux.nix
     ./services/telegram-bot.nix
   ];

nixos/hosts/default.nix

@@ -66,4 +66,10 @@ in
 
     targetHost = (import ./istal/data.secret.nix).addr;
   };
+
+  tatos = {
+    system = "x86_64-linux";
+
+    targetHost = (import ./tatos/data.secret.nix).addr;
+  };
 }

nixos/hosts/istal/services/wireguard.nix

@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 
 let
-  canigouData = import ../../canigou/data.secret.nix;
+  tatosData = import ../../tatos/data.secret.nix;
 
   istalData = import ../data.secret.nix;
   inherit (istalData.wireguard) port;
@@ -41,12 +41,10 @@ in
       privateKeyFile = config.age.secrets.wireguard-istal-private.path;
 
       peers = [
-        # List of allowed peers.
         {
-          publicKey = canigouData.wireguard.publicKey;
-          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+          publicKey = tatosData.wireguard.publicKey;
           allowedIPs = [ "10.20.30.0/24" ];
-          endpoint = "${canigouData.addr}:${toString canigouData.wireguard.port}";
+          endpoint = "${tatosData.addr}:${toString tatosData.wireguard.port}";
           persistentKeepalive = 25;
         }
       ];

nixos/hosts/tatos/default.nix

@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+
+let
+  data = import ../../../data.nix;
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.secret.nix # generated at runtime by nixos-infect
+
+    ../../modules/nix.nix
+    ../../shared/common.nix
+    ../../shared/garbage-collector.nix
+
+    ./services/wireguard.nix
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackages_6_1;
+  boot.tmp.cleanOnBoot = true;
+
+  zramSwap.enable = true;
+
+  networking.hostName = "tatos";
+
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = data.publicKeys.users.jan;
+}

nixos/hosts/tatos/hardware-configuration.nix

@@ -0,0 +1,10 @@
+{ modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}

nixos/hosts/tatos/services/wireguard.nix

@@ -5,8 +5,8 @@
 let
   istalData = import ../../istal/data.secret.nix;
 
-  canigouData = import ../data.secret.nix;
-  port = canigouData.wireguard.port;
+  tatosData = import ../data.secret.nix;
+  port = tatosData.wireguard.port;
 
   update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
 in
@@ -42,19 +42,19 @@ in
         gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
         interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
         ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE
-        ${pkgs.iproute}/bin/ip rule add from ${canigouData.addr} table main
-        ${pkgs.iproute}/bin/ip route add 193.0.6.150 via $gateway dev $interface
+        ${pkgs.iproute}/bin/ip rule add from ${tatosData.addr} table main
+        ${pkgs.iproute}/bin/ip route add 193.0.6.150/32 via $gateway dev $interface
       '';
       preDown = ''
         gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
         interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
         ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE
-        ${pkgs.iproute}/bin/ip rule del from ${canigouData.addr} table main
-        ${pkgs.iproute}/bin/ip route del 193.0.6.150 via $gateway dev $interface
+        ${pkgs.iproute}/bin/ip rule del from ${tatosData.addr} table main
+        ${pkgs.iproute}/bin/ip route del 193.0.6.150/32 via $gateway dev $interface
       '';
 
       # Path to the private key file.
-      privateKeyFile = config.age.secrets.wireguard-canigou-private.path;
+      privateKeyFile = config.age.secrets.wireguard-tatos-private.path;
 
       peers = [
         # Istal
@@ -86,8 +86,8 @@ in
     };
   };
 
-  age.secrets.wireguard-canigou-private = {
-    file = ../../../../secrets/wireguard-canigou-private.age;
+  age.secrets.wireguard-tatos-private = {
+    file = ../../../../secrets/wireguard-tatos-private.age;
     mode = "0400";
   };
 }

nixos/modules/wireguard-client.nix

@@ -1,17 +1,12 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 
 let
   cfg = config.local.wireguard;
 
-  # externalServerData = import ../hosts/istal/data.secret.nix;
-  serverData = import ../hosts/canigou/data.secret.nix;
-  # serverData = import ../hosts/istal/data.secret.nix;
+  serverData = import ../hosts/tatos/data.secret.nix;
 
   serverAddr = serverData.addr;
   serverPort = serverData.wireguard.port;
-
-  # Run `ip route` to show gateway
-  defaultGateway = "192.168.0.1";
 in
 {
   options.local.wireguard = with lib; {
@@ -42,17 +37,6 @@ in
         # Path to the private key file.
         privateKeyFile = cfg.privateKeyFile;
 
-        # Add a more specific ip route allowing traffic to the VPN via the default gateway
-        # Source: https://discourse.nixos.org/t/route-all-traffic-through-wireguard-interface/1480/18
-        /*
-        postUp = ''
-          ${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}
-        '';
-        preDown = ''
-          ${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}
-        '';
-        */
-
         peers = [
           # For a client configuration, one peer entry for the server will suffice.