host: add talos server

This commit is contained in:
Dmitriy Pleshevskiy 2023-07-29 17:21:48 +03:00
parent d794bf88f0
commit 52993be543
Signed by: pleshevskiy
GPG key ID: 79C4487B44403985
17 changed files with 59 additions and 34 deletions

Binary file not shown.


@ -25,7 +25,8 @@ MACHINES := \
VPS := \ VPS := \
magenta \ magenta \
canigou \ canigou \
istal istal \
tatos
.PHONY: help .PHONY: help
help: help:

Binary file not shown.


@ -14,7 +14,6 @@ in
../../shared/garbage-collector.nix ../../shared/garbage-collector.nix
../../shared/docker-swarm.nix ../../shared/docker-swarm.nix
./services/wireguard.nix
./services/miniflux.nix ./services/miniflux.nix
./services/telegram-bot.nix ./services/telegram-bot.nix
]; ];


@ -66,4 +66,10 @@ in
targetHost = (import ./istal/data.secret.nix).addr; targetHost = (import ./istal/data.secret.nix).addr;
}; };
tatos = {
system = "x86_64-linux";
targetHost = (import ./tatos/data.secret.nix).addr;
};
} }


@ -1,7 +1,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
canigouData = import ../../canigou/data.secret.nix; tatosData = import ../../tatos/data.secret.nix;
istalData = import ../data.secret.nix; istalData = import ../data.secret.nix;
inherit (istalData.wireguard) port; inherit (istalData.wireguard) port;
@ -41,12 +41,10 @@ in
privateKeyFile = config.age.secrets.wireguard-istal-private.path; privateKeyFile = config.age.secrets.wireguard-istal-private.path;
peers = [ peers = [
# List of allowed peers.
{ {
publicKey = canigouData.wireguard.publicKey; publicKey = tatosData.wireguard.publicKey;
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.20.30.0/24" ]; allowedIPs = [ "10.20.30.0/24" ];
endpoint = "${canigouData.addr}:${toString canigouData.wireguard.port}"; endpoint = "${tatosData.addr}:${toString tatosData.wireguard.port}";
persistentKeepalive = 25; persistentKeepalive = 25;
} }
]; ];

Binary file not shown.


@ -0,0 +1,27 @@
{ pkgs, ... }:
let
data = import ../../../data.nix;
in
{
imports = [
./hardware-configuration.nix
./networking.secret.nix # generated at runtime by nixos-infect
../../modules/nix.nix
../../shared/common.nix
../../shared/garbage-collector.nix
./services/wireguard.nix
];
boot.kernelPackages = pkgs.linuxPackages_6_1;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "tatos";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = data.publicKeys.users.jan;
}
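Review bot: `services.openssh.enable = true;` together with the root authorizedKeys line opens a root SSH login on an internet-facing VPS, but nothing in this file turns off password or keyboard-interactive authentication, which NixOS leaves enabled by default. Unless ../../shared/common.nix (not visible here) already does this, add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password"; };` next to the enable line so that only the listed keys can reach root. A short comment on `users.users.root.openssh.authorizedKeys.keys` stating that root is the only login account on this host would also make the intent clear to the next reader.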


@ -0,0 +1,10 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}

Binary file not shown.


@ -5,8 +5,8 @@
let let
istalData = import ../../istal/data.secret.nix; istalData = import ../../istal/data.secret.nix;
canigouData = import ../data.secret.nix; tatosData = import ../data.secret.nix;
port = canigouData.wireguard.port; port = tatosData.wireguard.port;
update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { }; update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
in in
@ -42,19 +42,19 @@ in
gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'` gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'` interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE
${pkgs.iproute}/bin/ip rule add from ${canigouData.addr} table main ${pkgs.iproute}/bin/ip rule add from ${tatosData.addr} table main
${pkgs.iproute}/bin/ip route add 193.0.6.150 via $gateway dev $interface ${pkgs.iproute}/bin/ip route add 193.0.6.150/32 via $gateway dev $interface
''; '';
preDown = '' preDown = ''
gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'` gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'`
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'` interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE
${pkgs.iproute}/bin/ip rule del from ${canigouData.addr} table main ${pkgs.iproute}/bin/ip rule del from ${tatosData.addr} table main
${pkgs.iproute}/bin/ip route del 193.0.6.150 via $gateway dev $interface ${pkgs.iproute}/bin/ip route del 193.0.6.150/32 via $gateway dev $interface
''; '';
# Path to the private key file. # Path to the private key file.
privateKeyFile = config.age.secrets.wireguard-canigou-private.path; privateKeyFile = config.age.secrets.wireguard-tatos-private.path;
peers = [ peers = [
# Istal # Istal
@ -86,8 +86,8 @@ in
}; };
}; };
age.secrets.wireguard-canigou-private = { age.secrets.wireguard-tatos-private = {
file = ../../../../secrets/wireguard-canigou-private.age; file = ../../../../secrets/wireguard-tatos-private.age;
mode = "0400"; mode = "0400";
}; };
} }
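Review bot: The private key secret at the bottom of the section is renamed from wireguard-canigou-private.age to wireguard-tatos-private.age; if the .age file was moved rather than regenerated (the binary entries in this commit suggest a move), tatos now runs with the key material of the host it replaces, so anyone who held canigou's key can impersonate tatos to istal — generate a fresh keypair for tatos and update the publicKey in istal's peer entry to match. The MASQUERADE rule in postUp also rewrites every packet leaving $interface rather than only tunnel traffic; `iptables -t nat -A POSTROUTING -s 10.20.30.0/24 -o $interface -j MASQUERADE` (with the matching -D in preDown) limits NAT to the VPN subnet that istal's allowedIPs already names. The wireguard interface definition that contains postUp/preDown starts before the first hunk.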


@ -1,17 +1,12 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
let let
cfg = config.local.wireguard; cfg = config.local.wireguard;
# externalServerData = import ../hosts/istal/data.secret.nix; serverData = import ../hosts/tatos/data.secret.nix;
serverData = import ../hosts/canigou/data.secret.nix;
# serverData = import ../hosts/istal/data.secret.nix;
serverAddr = serverData.addr; serverAddr = serverData.addr;
serverPort = serverData.wireguard.port; serverPort = serverData.wireguard.port;
# Run `ip route` to show gateway
defaultGateway = "192.168.0.1";
in in
{ {
options.local.wireguard = with lib; { options.local.wireguard = with lib; {
@ -42,17 +37,6 @@ in
# Path to the private key file. # Path to the private key file.
privateKeyFile = cfg.privateKeyFile; privateKeyFile = cfg.privateKeyFile;
# Add a more specific ip route allowing traffic to the VPN via the default gateway
# Source: https://discourse.nixos.org/t/route-all-traffic-through-wireguard-interface/1480/18
/*
postUp = ''
${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}
'';
preDown = ''
${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}
'';
*/
peers = [ peers = [
# For a client configuration, one peer entry for the server will suffice. # For a client configuration, one peer entry for the server will suffice.
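Review bot: The shared client module now hard-codes the server with `serverData = import ../hosts/tatos/data.secret.nix;`, and the removed commented-out istal and canigou lines show this is the third host that line has pointed at; exposing it as an option such as `server = mkOption { type = types.str; default = "tatos"; };` under options.local.wireguard and importing `../hosts/${cfg.server}/data.secret.nix` would make the next migration a per-machine setting instead of an edit to the module. Dropping the commented-out postUp/preDown route and the unused pkgs argument has no effect on the new side as far as the hunk shows. Both the options block and the interface definition continue outside the hunk.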

Binary file not shown.

Binary file not shown.