diff --git a/.agenix_config.nix b/.agenix_config.nix
index c133e78..c296fdb 100644
Binary files a/.agenix_config.nix and b/.agenix_config.nix differ
diff --git a/Makefile b/Makefile
index 71629aa..f971045 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,8 @@ MACHINES := \
 VPS := \
 magenta \
 canigou \
- istal
+ istal \
+ tatos
 
 .PHONY: help
 help:
diff --git a/nixos/hosts/canigou/data.secret.nix b/nixos/hosts/canigou/data.secret.nix
index cb378e6..468c5f4 100644
Binary files a/nixos/hosts/canigou/data.secret.nix and b/nixos/hosts/canigou/data.secret.nix differ
diff --git a/nixos/hosts/canigou/default.nix b/nixos/hosts/canigou/default.nix
index 621fc3e..69c0c13 100644
--- a/nixos/hosts/canigou/default.nix
+++ b/nixos/hosts/canigou/default.nix
@@ -14,7 +14,6 @@ in
 ../../shared/garbage-collector.nix
 ../../shared/docker-swarm.nix
 
- ./services/wireguard.nix
 ./services/miniflux.nix
 ./services/telegram-bot.nix
 ];
diff --git a/nixos/hosts/default.nix b/nixos/hosts/default.nix
index 028490d..235d8cd 100644
--- a/nixos/hosts/default.nix
+++ b/nixos/hosts/default.nix
@@ -66,4 +66,10 @@ in
 
 targetHost = (import ./istal/data.secret.nix).addr;
 };
+
+ tatos = {
+ system = "x86_64-linux";
+
+ targetHost = (import ./tatos/data.secret.nix).addr;
+ };
 }
diff --git a/nixos/hosts/istal/services/wireguard.nix b/nixos/hosts/istal/services/wireguard.nix
index f665266..4c69395 100644
--- a/nixos/hosts/istal/services/wireguard.nix
+++ b/nixos/hosts/istal/services/wireguard.nix
@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 
 let
- canigouData = import ../../canigou/data.secret.nix;
+ tatosData = import ../../tatos/data.secret.nix;
 istalData = import ../data.secret.nix;
 inherit (istalData.wireguard) port;
 
@@ -41,12 +41,10 @@ in
 privateKeyFile = config.age.secrets.wireguard-istal-private.path;
 
 peers = [
- # List of allowed peers.
 {
- publicKey = canigouData.wireguard.publicKey;
- # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ publicKey = tatosData.wireguard.publicKey;
 allowedIPs = [ "10.20.30.0/24" ];
- endpoint = "${canigouData.addr}:${toString canigouData.wireguard.port}";
+ endpoint = "${tatosData.addr}:${toString tatosData.wireguard.port}";
 persistentKeepalive = 25;
 }
 ];
diff --git a/nixos/hosts/tatos/data.secret.nix b/nixos/hosts/tatos/data.secret.nix
new file mode 100644
index 0000000..c25e893
Binary files /dev/null and b/nixos/hosts/tatos/data.secret.nix differ
diff --git a/nixos/hosts/tatos/default.nix b/nixos/hosts/tatos/default.nix
new file mode 100644
index 0000000..956b037
--- /dev/null
+++ b/nixos/hosts/tatos/default.nix
@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+
+let
+ data = import ../../../data.nix;
+in
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.secret.nix # generated at runtime by nixos-infect
+
+ ../../modules/nix.nix
+ ../../shared/common.nix
+ ../../shared/garbage-collector.nix
+
+ ./services/wireguard.nix
+ ];
+
+ boot.kernelPackages = pkgs.linuxPackages_6_1;
+ boot.tmp.cleanOnBoot = true;
+
+ zramSwap.enable = true;
+
+ networking.hostName = "tatos";
+
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = data.publicKeys.users.jan;
+}
diff --git a/nixos/hosts/tatos/hardware-configuration.nix b/nixos/hosts/tatos/hardware-configuration.nix
new file mode 100644
index 0000000..ceb5686
--- /dev/null
+++ b/nixos/hosts/tatos/hardware-configuration.nix
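Review bot: The peer entry loses both of its explanatory comments although only the peer's identity changes, so nothing in the file now says why `allowedIPs = [ "10.20.30.0/24" ]` hands the whole tunnel subnet to this single peer. Keep a `# Peers allowed on this interface.` line above the list and a comment above `allowedIPs`, e.g. `# Tunnel subnet reachable via tatos; also drives routing.`, so the next person who swaps the server keeps that intent. The `peers` attribute and the enclosing interface definition start before this hunk.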
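Review bot: `services.openssh.enable = true;` is paired with a root authorized key, but nothing in this file turns off password logins, so unless `../../shared/common.nix` already does it the new VPS accepts password attempts on its public address. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line; the `settings` form should be available on the same release that provides `boot.tmp.cleanOnBoot`. A one-line comment on the `authorizedKeys` line naming which key set from `data.nix` is granted root would also help readers of this host definition.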
@@ -0,0 +1,10 @@
+{ modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/nixos/hosts/tatos/networking.secret.nix b/nixos/hosts/tatos/networking.secret.nix
new file mode 100644
index 0000000..c59c683
Binary files /dev/null and b/nixos/hosts/tatos/networking.secret.nix differ
diff --git a/nixos/hosts/canigou/services/update_ru_routes.nix b/nixos/hosts/tatos/services/update_ru_routes.nix
similarity index 100%
rename from nixos/hosts/canigou/services/update_ru_routes.nix
rename to nixos/hosts/tatos/services/update_ru_routes.nix
diff --git a/nixos/hosts/canigou/services/update_ru_routes.sh b/nixos/hosts/tatos/services/update_ru_routes.sh
similarity index 100%
rename from nixos/hosts/canigou/services/update_ru_routes.sh
rename to nixos/hosts/tatos/services/update_ru_routes.sh
diff --git a/nixos/hosts/canigou/services/wireguard.nix b/nixos/hosts/tatos/services/wireguard.nix
similarity index 82%
rename from nixos/hosts/canigou/services/wireguard.nix
rename to nixos/hosts/tatos/services/wireguard.nix
index 77c5f7b..e355724 100644
--- a/nixos/hosts/canigou/services/wireguard.nix
+++ b/nixos/hosts/tatos/services/wireguard.nix
@@ -5,8 +5,8 @@ let
 istalData = import ../../istal/data.secret.nix;
- canigouData = import ../data.secret.nix;
- port = canigouData.wireguard.port;
+ tatosData = import ../data.secret.nix;
+ port = tatosData.wireguard.port;
 update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
 in
@@ -42,19 +42,19 @@ in
 gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
 interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
 ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE
- ${pkgs.iproute}/bin/ip rule add from ${canigouData.addr} table main
- ${pkgs.iproute}/bin/ip route add 193.0.6.150 via $gateway dev $interface
+ ${pkgs.iproute}/bin/ip rule add from ${tatosData.addr} table main
+ ${pkgs.iproute}/bin/ip route add 193.0.6.150/32 via $gateway dev $interface
 '';
 preDown = ''
 gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
 interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
 ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE
- ${pkgs.iproute}/bin/ip rule del from ${canigouData.addr} table main
- ${pkgs.iproute}/bin/ip route del 193.0.6.150 via $gateway dev $interface
+ ${pkgs.iproute}/bin/ip rule del from ${tatosData.addr} table main
+ ${pkgs.iproute}/bin/ip route del 193.0.6.150/32 via $gateway dev $interface
 '';
 
 # Path to the private key file.
- privateKeyFile = config.age.secrets.wireguard-canigou-private.path;
+ privateKeyFile = config.age.secrets.wireguard-tatos-private.path;
 
 peers = [
 # Istal
@@ -86,8 +86,8 @@ in
 };
 };
 
- age.secrets.wireguard-canigou-private = {
- file = ../../../../secrets/wireguard-canigou-private.age;
+ age.secrets.wireguard-tatos-private = {
+ file = ../../../../secrets/wireguard-tatos-private.age;
 mode = "0400";
 };
 }
diff --git a/nixos/modules/wireguard-client.nix b/nixos/modules/wireguard-client.nix
index 07b5551..fcf2b20 100644
--- a/nixos/modules/wireguard-client.nix
+++ b/nixos/modules/wireguard-client.nix
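Review bot: The rewritten `postUp` keeps `-A POSTROUTING -o $interface -j MASQUERADE` with no source match, so every forwarded packet leaving the default interface is NATed rather than only tunnel traffic; adding `-s 10.20.30.0/24` (the range istal's peer entry uses for this tunnel) to both the `-A` line and the matching `-D` in `preDown` limits the masquerade to the VPN clients. The changed `ip route add 193.0.6.150/32 via $gateway dev $interface` also fails with "File exists" when the route is still present, for example after a restart that skipped `preDown`, and `ip rule add` silently duplicates instead of failing, so `ip route replace` for the route and an `ip rule del ... 2>/dev/null || true` before the `ip rule add` keep the hook re-runnable. Both hooks run with empty `$gateway`/`$interface` if no default route exists; a guard such as `[ -n "$gateway" ] && [ -n "$interface" ] || exit 1` before the first `ip` call fails loudly instead of installing a bogus route. The enclosing interface definition starts and ends outside this hunk.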
@@ -1,17 +1,12 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 
 let
 cfg = config.local.wireguard;
 
- # externalServerData = import ../hosts/istal/data.secret.nix;
- serverData = import ../hosts/canigou/data.secret.nix;
- # serverData = import ../hosts/istal/data.secret.nix;
+ serverData = import ../hosts/tatos/data.secret.nix;
 
 serverAddr = serverData.addr;
 serverPort = serverData.wireguard.port;
-
- # Run `ip route` to show gateway
- defaultGateway = "192.168.0.1";
 in
 {
 options.local.wireguard = with lib; {
@@ -42,17 +37,6 @@ in
 # Path to the private key file.
 privateKeyFile = cfg.privateKeyFile;
 
- # Add a more specific ip route allowing traffic to the VPN via the default gateway
- # Source: https://discourse.nixos.org/t/route-all-traffic-through-wireguard-interface/1480/18
- /*
- postUp = ''
- ${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}
- '';
- preDown = ''
- ${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}
- '';
- */
-
 peers = [
 # For a client configuration, one peer entry for the server will suffice.
 
diff --git a/nixos/shared/networking.secret.nix b/nixos/shared/networking.secret.nix
index 3d8a086..5cc35c0 100644
Binary files a/nixos/shared/networking.secret.nix and b/nixos/shared/networking.secret.nix differ
diff --git a/secrets/wireguard-canigou-private.age b/secrets/wireguard-canigou-private.age
deleted file mode 100644
index 4f4fa7e..0000000
Binary files a/secrets/wireguard-canigou-private.age and /dev/null differ
diff --git a/secrets/wireguard-tatos-private.age b/secrets/wireguard-tatos-private.age
new file mode 100644
index 0000000..1039776
Binary files /dev/null and b/secrets/wireguard-tatos-private.age differ
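Review bot: After the first hunk the client module pins every client to tatos through `serverData = import ../hosts/tatos/data.secret.nix;`, and with the alternating commented-out imports gone there is no hint that this is the one place to change when the server moves again (this commit also had to touch istal's peer list and the Makefile). A short comment above that line, `# The WireGuard server every client peers with; endpoint and port come from that host's data.secret.nix.`, would make that explicit. The second hunk drops the dead `postUp`/`preDown` block together with the `pkgs` argument, which looks safe as far as this diff shows, since nothing else visible in the module references `pkgs` or `defaultGateway`.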