host: add tatos server
parent
d794bf88f0
commit
52993be543
17 changed files with 59 additions and 34 deletions
Binary file not shown.
3
Makefile
3
Makefile
|
@ -25,7 +25,8 @@ MACHINES := \
|
||||||
VPS := \
|
VPS := \
|
||||||
magenta \
|
magenta \
|
||||||
canigou \
|
canigou \
|
||||||
istal
|
istal \
|
||||||
|
tatos
|
||||||
|
|
||||||
.PHONY: help
|
.PHONY: help
|
||||||
help:
|
help:
|
||||||
|
|
Binary file not shown.
|
@ -14,7 +14,6 @@ in
|
||||||
../../shared/garbage-collector.nix
|
../../shared/garbage-collector.nix
|
||||||
../../shared/docker-swarm.nix
|
../../shared/docker-swarm.nix
|
||||||
|
|
||||||
./services/wireguard.nix
|
|
||||||
./services/miniflux.nix
|
./services/miniflux.nix
|
||||||
./services/telegram-bot.nix
|
./services/telegram-bot.nix
|
||||||
];
|
];
|
||||||
|
|
|
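Review bot: The istal host drops `./services/wireguard.nix` from its imports in this hunk, yet the same commit still rewrites istal's peer entry to point at tatos (the `tatosData` hunks further down) and keeps the `# Istal` peer on the tatos side, so either that file is now dead configuration or istal loses its end of the tunnel, depending on which was intended. If istal should keep peering with tatos, keep the import; if it should stop running WireGuard, the edits to istal's wireguard.nix and the matching peer entry on tatos can go too. File headers are not visible on this page, so attributing this hunk to istal's default.nix is inferred from its relative paths. The imports list continues outside the hunk.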
@ -66,4 +66,10 @@ in
|
||||||
|
|
||||||
targetHost = (import ./istal/data.secret.nix).addr;
|
targetHost = (import ./istal/data.secret.nix).addr;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
tatos = {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
|
||||||
|
targetHost = (import ./tatos/data.secret.nix).addr;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
canigouData = import ../../canigou/data.secret.nix;
|
tatosData = import ../../tatos/data.secret.nix;
|
||||||
|
|
||||||
istalData = import ../data.secret.nix;
|
istalData = import ../data.secret.nix;
|
||||||
inherit (istalData.wireguard) port;
|
inherit (istalData.wireguard) port;
|
||||||
|
@ -41,12 +41,10 @@ in
|
||||||
privateKeyFile = config.age.secrets.wireguard-istal-private.path;
|
privateKeyFile = config.age.secrets.wireguard-istal-private.path;
|
||||||
|
|
||||||
peers = [
|
peers = [
|
||||||
# List of allowed peers.
|
|
||||||
{
|
{
|
||||||
publicKey = canigouData.wireguard.publicKey;
|
publicKey = tatosData.wireguard.publicKey;
|
||||||
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
|
|
||||||
allowedIPs = [ "10.20.30.0/24" ];
|
allowedIPs = [ "10.20.30.0/24" ];
|
||||||
endpoint = "${canigouData.addr}:${toString canigouData.wireguard.port}";
|
endpoint = "${tatosData.addr}:${toString tatosData.wireguard.port}";
|
||||||
persistentKeepalive = 25;
|
persistentKeepalive = 25;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
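Review bot: The two explanatory comments (`# List of allowed peers.` and the `allowedIPs` note) are dropped in the hunk while the peer entry itself is kept, leaving `allowedIPs = [ "10.20.30.0/24" ];` undocumented; I would keep them or fold them into one line such as `# tatos: routes the whole 10.20.30.0/24 tunnel subnet through this peer.` Accepting the full /24 from one peer also means tatos may source any tunnel address, which is fine for a gateway peer but worth stating in that comment. The `peers` list and the enclosing attribute set start and end outside the hunk.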
BIN
nixos/hosts/tatos/data.secret.nix
Normal file
BIN
nixos/hosts/tatos/data.secret.nix
Normal file
Binary file not shown.
27
nixos/hosts/tatos/default.nix
Normal file
27
nixos/hosts/tatos/default.nix
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
data = import ../../../data.nix;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
./networking.secret.nix # generated at runtime by nixos-infect
|
||||||
|
|
||||||
|
../../modules/nix.nix
|
||||||
|
../../shared/common.nix
|
||||||
|
../../shared/garbage-collector.nix
|
||||||
|
|
||||||
|
./services/wireguard.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.kernelPackages = pkgs.linuxPackages_6_1;
|
||||||
|
boot.tmp.cleanOnBoot = true;
|
||||||
|
|
||||||
|
zramSwap.enable = true;
|
||||||
|
|
||||||
|
networking.hostName = "tatos";
|
||||||
|
|
||||||
|
services.openssh.enable = true;
|
||||||
|
users.users.root.openssh.authorizedKeys.keys = data.publicKeys.users.jan;
|
||||||
|
}
|
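Review bot: `services.openssh.enable = true;` together with root authorized keys leaves password and keyboard-interactive authentication at the NixOS defaults on a freshly infected VPS; since access is key-only by design here, disable them explicitly with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. A short header comment stating the host's role (it looks like the WireGuard gateway for istal, judging by the MASQUERADE rules elsewhere in the commit) and how it is provisioned (nixos-infect, with `networking.secret.nix` generated on the box) would also help, since both secret files are opaque on the page. Whether `../../shared/common.nix` already sets these SSH options cannot be seen from here.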
10
nixos/hosts/tatos/hardware-configuration.nix
Normal file
10
nixos/hosts/tatos/hardware-configuration.nix
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
{ modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||||
|
boot.loader.grub.device = "/dev/sda";
|
||||||
|
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
|
||||||
|
boot.initrd.kernelModules = [ "nvme" ];
|
||||||
|
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
|
||||||
|
|
||||||
|
}
|
BIN
nixos/hosts/tatos/networking.secret.nix
Normal file
BIN
nixos/hosts/tatos/networking.secret.nix
Normal file
Binary file not shown.
|
@ -5,8 +5,8 @@
|
||||||
let
|
let
|
||||||
istalData = import ../../istal/data.secret.nix;
|
istalData = import ../../istal/data.secret.nix;
|
||||||
|
|
||||||
canigouData = import ../data.secret.nix;
|
tatosData = import ../data.secret.nix;
|
||||||
port = canigouData.wireguard.port;
|
port = tatosData.wireguard.port;
|
||||||
|
|
||||||
update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
|
update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
|
||||||
in
|
in
|
||||||
|
@ -42,19 +42,19 @@ in
|
||||||
gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
|
gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
|
||||||
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
|
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
|
||||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE
|
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE
|
||||||
${pkgs.iproute}/bin/ip rule add from ${canigouData.addr} table main
|
${pkgs.iproute}/bin/ip rule add from ${tatosData.addr} table main
|
||||||
${pkgs.iproute}/bin/ip route add 193.0.6.150 via $gateway dev $interface
|
${pkgs.iproute}/bin/ip route add 193.0.6.150/32 via $gateway dev $interface
|
||||||
'';
|
'';
|
||||||
preDown = ''
|
preDown = ''
|
||||||
gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
|
gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
|
||||||
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
|
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
|
||||||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE
|
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE
|
||||||
${pkgs.iproute}/bin/ip rule del from ${canigouData.addr} table main
|
${pkgs.iproute}/bin/ip rule del from ${tatosData.addr} table main
|
||||||
${pkgs.iproute}/bin/ip route del 193.0.6.150 via $gateway dev $interface
|
${pkgs.iproute}/bin/ip route del 193.0.6.150/32 via $gateway dev $interface
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Path to the private key file.
|
# Path to the private key file.
|
||||||
privateKeyFile = config.age.secrets.wireguard-canigou-private.path;
|
privateKeyFile = config.age.secrets.wireguard-tatos-private.path;
|
||||||
|
|
||||||
peers = [
|
peers = [
|
||||||
# Istal
|
# Istal
|
||||||
|
@ -86,8 +86,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.wireguard-canigou-private = {
|
age.secrets.wireguard-tatos-private = {
|
||||||
file = ../../../../secrets/wireguard-canigou-private.age;
|
file = ../../../../secrets/wireguard-tatos-private.age;
|
||||||
mode = "0400";
|
mode = "0400";
|
||||||
};
|
};
|
||||||
}
|
}
|
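Review bot: The `MASQUERADE` rule in `postUp` has no `-s` match, so it rewrites every packet leaving `$interface`, not only tunnel traffic; restrict it to the tunnel subnet, e.g. `${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.20.30.0/24 -o $interface -j MASQUERADE` (the subnet is inferred from istal's peer entry — confirm against tatos's interface address), and mirror it in the `-D` line of `preDown`. Running `-A` on every `postUp` is also not idempotent: if the interface is brought up again without a clean `preDown`, duplicate NAT rules and `ip rule` entries accumulate, so a `-C … || -A …` guard or NixOS's `networking.nat` would be more robust. The change from `193.0.6.150` to `193.0.6.150/32` is harmless since `ip route` already treats a bare host address as /32. `postUp` begins before the hunk and the `peers` list continues after it.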
|
@ -1,17 +1,12 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.local.wireguard;
|
cfg = config.local.wireguard;
|
||||||
|
|
||||||
# externalServerData = import ../hosts/istal/data.secret.nix;
|
serverData = import ../hosts/tatos/data.secret.nix;
|
||||||
serverData = import ../hosts/canigou/data.secret.nix;
|
|
||||||
# serverData = import ../hosts/istal/data.secret.nix;
|
|
||||||
|
|
||||||
serverAddr = serverData.addr;
|
serverAddr = serverData.addr;
|
||||||
serverPort = serverData.wireguard.port;
|
serverPort = serverData.wireguard.port;
|
||||||
|
|
||||||
# Run `ip route` to show gateway
|
|
||||||
defaultGateway = "192.168.0.1";
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.local.wireguard = with lib; {
|
options.local.wireguard = with lib; {
|
||||||
|
@ -42,17 +37,6 @@ in
|
||||||
# Path to the private key file.
|
# Path to the private key file.
|
||||||
privateKeyFile = cfg.privateKeyFile;
|
privateKeyFile = cfg.privateKeyFile;
|
||||||
|
|
||||||
# Add a more specific ip route allowing traffic to the VPN via the default gateway
|
|
||||||
# Source: https://discourse.nixos.org/t/route-all-traffic-through-wireguard-interface/1480/18
|
|
||||||
/*
|
|
||||||
postUp = ''
|
|
||||||
${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}
|
|
||||||
'';
|
|
||||||
preDown = ''
|
|
||||||
${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}
|
|
||||||
'';
|
|
||||||
*/
|
|
||||||
|
|
||||||
peers = [
|
peers = [
|
||||||
# For a client configuration, one peer entry for the server will suffice.
|
# For a client configuration, one peer entry for the server will suffice.
|
||||||
|
|
||||||
|
|
Binary file not shown.
Binary file not shown.
BIN
secrets/wireguard-tatos-private.age
Normal file
BIN
secrets/wireguard-tatos-private.age
Normal file
Binary file not shown.