diff --git a/flake.nix b/flake.nix
index cf9c93a..b319ba3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -267,7 +267,7 @@
 };
 };
 Bifrost = {
- hostname = "Biforst";
+ hostname = "Bifrost";
 sshUser = "adtya";
 profiles.system = {
 user = "root";
diff --git a/hosts/bifrost/default.nix b/hosts/bifrost/default.nix
index dcc924d..163c072 100644
--- a/hosts/bifrost/default.nix
+++ b/hosts/bifrost/default.nix
@@ -1,7 +1,7 @@
 { modulesPath, ... }: {
 imports = [
 (modulesPath + "/virtualisation/digital-ocean-config.nix")
- ./network.nix
+ ./network
 ./programs
 ./services
 ./security.nix
diff --git a/hosts/bifrost/network/default.nix b/hosts/bifrost/network/default.nix
new file mode 100644
index 0000000..a1a1503
--- /dev/null
+++ b/hosts/bifrost/network/default.nix
@@ -0,0 +1,47 @@
+{ lib, ... }: {
+ imports = [ ./wireguard.nix ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ systemd = {
+ network = {
+ enable = true;
+ wait-online.enable = false;
+ networks = {
+ "41-ether" = {
+ enable = true;
+ matchConfig = {
+ Type = "ether";
+ Name = "e*";
+ };
+ networkConfig = {
+ DHCP = "yes";
+ IPv4Forwarding = "yes";
+ };
+ dhcpV4Config = {
+ UseDomains = true;
+ };
+ linkConfig = {
+ RequiredForOnline = "yes";
+ };
+ };
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ domains = [ "~." ];
+ fallbackDns = [ ];
+ };
+
+ networking = {
+ nameservers = [
+ "1.1.1.1"
+ "10.10.10.11"
+ "1.0.0.1"
+ "10.10.10.12"
+ ];
+ useDHCP = lib.mkDefault false;
+ useNetworkd = true;
+ };
+
+}
diff --git a/hosts/bifrost/network.nix b/hosts/bifrost/network/wireguard.nix
similarity index 52%
rename from hosts/bifrost/network.nix
rename to hosts/bifrost/network/wireguard.nix
index 0ac1e66..a47cc6c 100644
--- a/hosts/bifrost/network.nix
+++ b/hosts/bifrost/network/wireguard.nix
@@ -1,6 +1,6 @@
-{ lib, config, ... }:
+{ config, ... }:
 let
- wireguard-peers = import ../shared/wireguard-peers.nix;
+ wireguard-peers = import ../../shared/wireguard-peers.nix;
 in
 {
 sops.secrets = {
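Review bot: In the new hosts/bifrost/network/default.nix the `networking.nameservers` list interleaves the public resolvers `1.1.1.1`/`1.0.0.1` with the homelab resolvers `10.10.10.11`/`10.10.10.12` while `services.resolved.domains = [ "~." ]` and `fallbackDns = [ ]`; resolved treats the global servers as interchangeable and only rotates on errors or timeouts, not on a negative answer, so internal names will fail whenever a public resolver is the current one and those internal query names are sent to it. If the public resolvers are meant as a backstop for when the tunnel is down, `services.resolved.fallbackDns = [ "1.1.1.1" "1.0.0.1" ];` with `nameservers = [ "10.10.10.11" "10.10.10.12" ];` (as the other hosts keep it) expresses that; if the ordering is deliberate, a comment on the list saying why would stop the next reader "fixing" it. The same hunk also turns on global `net.ipv4.ip_forward` on an internet-facing host, and the forward rules that decide what may transit between the public interface and the Homelab tunnel are not in this hunk, so it is worth confirming they exist elsewhere in the config.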
@@ -10,45 +10,7 @@ in
 group = config.users.users.root.group;
 };
 };
- systemd = {
- network = {
- enable = true;
- wait-online.enable = false;
- networks = {
- "41-ether" = {
- enable = true;
- matchConfig = {
- Type = "ether";
- Name = "e*";
- };
- networkConfig = {
- DHCP = "yes";
- IPv4Forwarding = "yes";
- };
- dhcpV4Config = {
- UseDomains = true;
- };
- linkConfig = {
- RequiredForOnline = "yes";
- };
- };
- };
- };
- };
-
- services.resolved = {
- enable = true;
- domains = [ "~." ];
- fallbackDns = [ ];
- };
-
 networking = {
- nameservers = [
- "10.10.10.11"
- "10.10.10.12"
- ];
- useDHCP = lib.mkDefault false;
- useNetworkd = true;
 firewall = {
 allowedUDPPorts = [ 51821 ];
 trustedInterfaces = [ "Homelab" ];
@@ -75,5 +37,4 @@ in
 };
 };
 };
-
 }
diff --git a/hosts/layne/default.nix b/hosts/layne/default.nix
index 32493a9..b6aaaed 100644
--- a/hosts/layne/default.nix
+++ b/hosts/layne/default.nix
@@ -3,7 +3,7 @@ _: {
 ./hardware
 ./programs
 ./services
- ./network.nix
+ ./network
 ./security.nix
 ./users.nix
 ];
diff --git a/hosts/layne/network.nix b/hosts/layne/network.nix
deleted file mode 100644
index 23da384..0000000
--- a/hosts/layne/network.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ lib, config, ... }:
-let
- wireguard-peers = import ../shared/wireguard-peers.nix;
-in
-{
- sops.secrets = {
- "wireguard/layne/pk" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
- };
- };
-
- systemd = {
- network = {
- enable = true;
- wait-online.enable = false;
- networks = {
- "41-ether" = {
- enable = true;
- matchConfig = {
- Type = "ether";
- Name = "e*";
- };
- networkConfig = {
- DHCP = "yes";
- IPv4Forwarding = "yes";
- };
- dhcpV4Config = {
- UseDomains = true;
- };
- linkConfig = {
- RequiredForOnline = "yes";
- };
- };
- };
- };
- };
-
- services.resolved = {
- enable = true;
- domains = [ "~." ];
- fallbackDns = [ ];
- };
-
- networking = {
- useDHCP = lib.mkDefault false;
- nameservers = [
- "10.10.10.11"
- "10.10.10.12"
- ];
- useNetworkd = true;
- firewall = {
- allowedUDPPorts = [ 51834 ];
- trustedInterfaces = [ "Homelab" ];
- };
- wg-quick = {
- interfaces = {
- Homelab = {
- listenPort = 51834;
- privateKeyFile = config.sops.secrets."wireguard/layne/pk".path;
- address = [
- "10.10.10.14/24"
- ];
- dns = [ "10.10.10.11" "10.10.10.12" ];
- peers = with wireguard-peers; [
- (bifrost // { persistentKeepalive = 20; })
- rico0
- rico1
- rico2
- wynne
- ];
- };
- };
- };
- };
-}
diff --git a/hosts/layne/network/default.nix b/hosts/layne/network/default.nix
new file mode 100644
index 0000000..fb8bae9
--- /dev/null
+++ b/hosts/layne/network/default.nix
@@ -0,0 +1,44 @@
+{ lib, ... }:
+{
+ imports = [ ./wireguard.nix ];
+ systemd = {
+ network = {
+ enable = true;
+ wait-online.enable = false;
+ networks = {
+ "41-ether" = {
+ enable = true;
+ matchConfig = {
+ Type = "ether";
+ Name = "e*";
+ };
+ networkConfig = {
+ DHCP = "yes";
+ IPv4Forwarding = "yes";
+ };
+ dhcpV4Config = {
+ UseDomains = true;
+ };
+ linkConfig = {
+ RequiredForOnline = "yes";
+ };
+ };
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ domains = [ "~." ];
+ fallbackDns = [ ];
+ };
+
+ networking = {
+ useDHCP = lib.mkDefault false;
+ nameservers = [
+ "10.10.10.11"
+ "10.10.10.12"
+ ];
+ useNetworkd = true;
+ };
+}
diff --git a/hosts/layne/network/wireguard.nix b/hosts/layne/network/wireguard.nix
new file mode 100644
index 0000000..49cf71b
--- /dev/null
+++ b/hosts/layne/network/wireguard.nix
@@ -0,0 +1,39 @@
+{ config, ...}:
+let
+ wireguard-peers = import ../../shared/wireguard-peers.nix;
+in
+{
+ sops.secrets = {
+ "wireguard/layne/pk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ };
+ networking = {
+ firewall = {
+ allowedUDPPorts = [ 51834 ];
+ trustedInterfaces = [ "Homelab" ];
+ };
+ wg-quick = {
+ interfaces = {
+ Homelab = {
+ listenPort = 51834;
+ privateKeyFile = config.sops.secrets."wireguard/layne/pk".path;
+ address = [
+ "10.10.10.14/24"
+ ];
+ dns = [ "10.10.10.11" "10.10.10.12" ];
+ peers = with wireguard-peers; [
+ (bifrost // { persistentKeepalive = 20; })
+ rico0
+ rico1
+ rico2
+ wynne
+ ];
+ };
+ };
+ };
+ };
+
+}
diff --git a/hosts/rico0/default.nix b/hosts/rico0/default.nix
index cba8a86..3a02364 100644
--- a/hosts/rico0/default.nix
+++ b/hosts/rico0/default.nix
@@ -4,7 +4,7 @@ _: {
 ./programs
 ./services
 ./containers
- ./network.nix
+ ./network
 ./security.nix
 ];
 
diff --git a/hosts/rico0/network.nix b/hosts/rico0/network.nix
deleted file mode 100644
index 5576664..0000000
--- a/hosts/rico0/network.nix
+++ /dev/null
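Review bot: hosts/layne/network/default.nix is byte-identical to the rico0, rico1, rico2 and wynne copies added further down (all five are created with blob `fb8bae9`), so the networkd, resolved and nameserver block is now maintained in five places and the next tweak has to be replayed five times. Since the repo already has a shared location in `hosts/shared/wireguard-peers.nix`, the block could live in one module there (a name like `hosts/shared/<lan-network>.nix`, name illustrative) and each host's `network/default.nix` would reduce to `imports = [ ../../shared/<lan-network>.nix ./wireguard.nix ];`. The bifrost variant differs only in the nameserver list and the ip_forward sysctl, so it could import the same module and set just those two values.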
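Review bot: The module header of hosts/layne/network/wireguard.nix is written `{ config, ...}:`, while the rico0 and rico1 files in this diff use `{config, ...}:` and the bifrost and wynne ones `{ config, ... }:`; the layne file also leaves a blank line before the final `}`. All five files should come out of the same formatter so that future diffs show real changes only; `{ config, ... }:` is the form the rest of the tree uses.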
@@ -1,77 +0,0 @@
-{ lib, config, ... }:
-let
- wireguard-peers = import ../shared/wireguard-peers.nix;
-in
-{
- sops.secrets = {
- "wireguard/rico0/pk" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
- };
- };
-
- systemd = {
- network = {
- enable = true;
- wait-online.enable = false;
- networks = {
- "41-ether" = {
- enable = true;
- matchConfig = {
- Type = "ether";
- Name = "e*";
- };
- networkConfig = {
- DHCP = "yes";
- IPv4Forwarding = "yes";
- };
- dhcpV4Config = {
- UseDomains = true;
- };
- linkConfig = {
- RequiredForOnline = "yes";
- };
- };
- };
- };
- };
-
- services.resolved = {
- enable = true;
- domains = [ "~." ];
- fallbackDns = [ ];
- };
-
- networking = {
- useDHCP = lib.mkDefault false;
- nameservers = [
- "10.10.10.11"
- "10.10.10.12"
- ];
- useNetworkd = true;
- firewall = {
- allowedUDPPorts = [ 51830 ];
- trustedInterfaces = [ "Homelab" ];
- };
- wg-quick = {
- interfaces = {
- Homelab = {
- listenPort = 51830;
- privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
- address = [
- "10.10.10.10/24"
- ];
- dns = [ "10.10.10.11" "10.10.10.12" ];
- peers = with wireguard-peers; [
- (bifrost // { persistentKeepalive = 20; })
- rico1
- rico2
- wynne
- layne
- ];
- };
- };
- };
- };
-}
diff --git a/hosts/rico0/network/default.nix b/hosts/rico0/network/default.nix
new file mode 100644
index 0000000..fb8bae9
--- /dev/null
+++ b/hosts/rico0/network/default.nix
@@ -0,0 +1,44 @@
+{ lib, ... }:
+{
+ imports = [ ./wireguard.nix ];
+ systemd = {
+ network = {
+ enable = true;
+ wait-online.enable = false;
+ networks = {
+ "41-ether" = {
+ enable = true;
+ matchConfig = {
+ Type = "ether";
+ Name = "e*";
+ };
+ networkConfig = {
+ DHCP = "yes";
+ IPv4Forwarding = "yes";
+ };
+ dhcpV4Config = {
+ UseDomains = true;
+ };
+ linkConfig = {
+ RequiredForOnline = "yes";
+ };
+ };
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ domains = [ "~." ];
+ fallbackDns = [ ];
+ };
+
+ networking = {
+ useDHCP = lib.mkDefault false;
+ nameservers = [
+ "10.10.10.11"
+ "10.10.10.12"
+ ];
+ useNetworkd = true;
+ };
+}
diff --git a/hosts/rico0/network/wireguard.nix b/hosts/rico0/network/wireguard.nix
new file mode 100644
index 0000000..5f755bf
--- /dev/null
+++ b/hosts/rico0/network/wireguard.nix
@@ -0,0 +1,38 @@
+{config, ...}:
+let
+ wireguard-peers = import ../../shared/wireguard-peers.nix;
+in
+{
+ sops.secrets = {
+ "wireguard/rico0/pk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ };
+ networking = {
+ firewall = {
+ allowedUDPPorts = [ 51830 ];
+ trustedInterfaces = [ "Homelab" ];
+ };
+ wg-quick = {
+ interfaces = {
+ Homelab = {
+ listenPort = 51830;
+ privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
+ address = [
+ "10.10.10.10/24"
+ ];
+ dns = [ "10.10.10.11" "10.10.10.12" ];
+ peers = with wireguard-peers; [
+ (bifrost // { persistentKeepalive = 20; })
+ rico1
+ rico2
+ wynne
+ layne
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/rico1/default.nix b/hosts/rico1/default.nix
index cba8a86..3a02364 100644
--- a/hosts/rico1/default.nix
+++ b/hosts/rico1/default.nix
@@ -4,7 +4,7 @@ _: {
 ./programs
 ./services
 ./containers
- ./network.nix
+ ./network
 ./security.nix
 ];
 
diff --git a/hosts/rico1/network.nix b/hosts/rico1/network.nix
deleted file mode 100644
index 914a184..0000000
--- a/hosts/rico1/network.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ lib, config, ... }:
-let
- wireguard-peers = import ../shared/wireguard-peers.nix;
-in
-{
- sops.secrets = {
- "wireguard/rico1/pk" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
- };
- };
-
- systemd = {
- network = {
- enable = true;
- wait-online.enable = false;
- networks = {
- "41-ether" = {
- enable = true;
- matchConfig = {
- Type = "ether";
- Name = "e*";
- };
- networkConfig = {
- DHCP = "yes";
- IPv4Forwarding = "yes";
- };
- dhcpV4Config = {
- UseDomains = true;
- };
- linkConfig = {
- RequiredForOnline = "yes";
- };
- };
- };
- };
- };
-
- services.resolved = {
- enable = true;
- domains = [ "~." ];
- fallbackDns = [ ];
- };
-
- networking = {
- useDHCP = lib.mkDefault false;
- nameservers = [
- "10.10.10.11"
- "10.10.10.12"
- ];
- useNetworkd = true;
- firewall = {
- allowedUDPPorts = [ 51831 ];
- trustedInterfaces = [ "Homelab" ];
- };
- wg-quick = {
- interfaces = {
- Homelab = {
- listenPort = 51831;
- privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
- address = [
- "10.10.10.11/24"
- ];
- dns = [ "10.10.10.11" "10.10.10.12" ];
- peers = with wireguard-peers; [
- (bifrost // { persistentKeepalive = 20; })
- rico0
- rico2
- wynne
- layne
- ];
- };
- };
- };
- };
-}
diff --git a/hosts/rico1/network/default.nix b/hosts/rico1/network/default.nix
new file mode 100644
index 0000000..fb8bae9
--- /dev/null
+++ b/hosts/rico1/network/default.nix
@@ -0,0 +1,44 @@
+{ lib, ... }:
+{
+ imports = [ ./wireguard.nix ];
+ systemd = {
+ network = {
+ enable = true;
+ wait-online.enable = false;
+ networks = {
+ "41-ether" = {
+ enable = true;
+ matchConfig = {
+ Type = "ether";
+ Name = "e*";
+ };
+ networkConfig = {
+ DHCP = "yes";
+ IPv4Forwarding = "yes";
+ };
+ dhcpV4Config = {
+ UseDomains = true;
+ };
+ linkConfig = {
+ RequiredForOnline = "yes";
+ };
+ };
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ domains = [ "~." ];
+ fallbackDns = [ ];
+ };
+
+ networking = {
+ useDHCP = lib.mkDefault false;
+ nameservers = [
+ "10.10.10.11"
+ "10.10.10.12"
+ ];
+ useNetworkd = true;
+ };
+}
diff --git a/hosts/rico1/network/wireguard.nix b/hosts/rico1/network/wireguard.nix
new file mode 100644
index 0000000..28a41aa
--- /dev/null
+++ b/hosts/rico1/network/wireguard.nix
@@ -0,0 +1,38 @@
+{config, ...}:
+let
+ wireguard-peers = import ../../shared/wireguard-peers.nix;
+in
+{
+ sops.secrets = {
+ "wireguard/rico1/pk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ };
+ networking = {
+ firewall = {
+ allowedUDPPorts = [ 51831 ];
+ trustedInterfaces = [ "Homelab" ];
+ };
+ wg-quick = {
+ interfaces = {
+ Homelab = {
+ listenPort = 51831;
+ privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
+ address = [
+ "10.10.10.11/24"
+ ];
+ dns = [ "10.10.10.11" "10.10.10.12" ];
+ peers = with wireguard-peers; [
+ (bifrost // { persistentKeepalive = 20; })
+ rico0
+ rico2
+ wynne
+ layne
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/rico2/default.nix b/hosts/rico2/default.nix
index cba8a86..3a02364 100644
--- a/hosts/rico2/default.nix
+++ b/hosts/rico2/default.nix
@@ -4,7 +4,7 @@ _: {
 ./programs
 ./services
 ./containers
- ./network.nix
+ ./network
 ./security.nix
 ];
 
diff --git a/hosts/rico2/network/default.nix b/hosts/rico2/network/default.nix
new file mode 100644
index 0000000..fb8bae9
--- /dev/null
+++ b/hosts/rico2/network/default.nix
@@ -0,0 +1,44 @@
+{ lib, ... }:
+{
+ imports = [ ./wireguard.nix ];
+ systemd = {
+ network = {
+ enable = true;
+ wait-online.enable = false;
+ networks = {
+ "41-ether" = {
+ enable = true;
+ matchConfig = {
+ Type = "ether";
+ Name = "e*";
+ };
+ networkConfig = {
+ DHCP = "yes";
+ IPv4Forwarding = "yes";
+ };
+ dhcpV4Config = {
+ UseDomains = true;
+ };
+ linkConfig = {
+ RequiredForOnline = "yes";
+ };
+ };
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ domains = [ "~." ];
+ fallbackDns = [ ];
+ };
+
+ networking = {
+ useDHCP = lib.mkDefault false;
+ nameservers = [
+ "10.10.10.11"
+ "10.10.10.12"
+ ];
+ useNetworkd = true;
+ };
+}
diff --git a/hosts/rico2/network.nix b/hosts/rico2/network/wireguard.nix
similarity index 52%
rename from hosts/rico2/network.nix
rename to hosts/rico2/network/wireguard.nix
index 54a4e69..79d87cd 100644
--- a/hosts/rico2/network.nix
+++ b/hosts/rico2/network/wireguard.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ config, ...}:
 let
 wireguard-peers = import ../shared/wireguard-peers.nix;
 in
@@ -10,46 +10,7 @@ in
 group = config.users.users.root.group;
 };
 };
-
- systemd = {
- network = {
- enable = true;
- wait-online.enable = false;
- networks = {
- "41-ether" = {
- enable = true;
- matchConfig = {
- Type = "ether";
- Name = "e*";
- };
- networkConfig = {
- DHCP = "yes";
- IPv4Forwarding = "yes";
- };
- dhcpV4Config = {
- UseDomains = true;
- };
- linkConfig = {
- RequiredForOnline = "yes";
- };
- };
- };
- };
- };
-
- services.resolved = {
- enable = true;
- domains = [ "~." ];
- fallbackDns = [ ];
- };
-
 networking = {
- useDHCP = lib.mkDefault false;
- nameservers = [
- "10.10.10.11"
- "10.10.10.12"
- ];
- useNetworkd = true;
 firewall = {
 allowedUDPPorts = [ 51832 ];
 trustedInterfaces = [ "Homelab" ];
diff --git a/hosts/wynne/default.nix b/hosts/wynne/default.nix
index 0f8026f..b29dd07 100644
--- a/hosts/wynne/default.nix
+++ b/hosts/wynne/default.nix
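Review bot: The first hunk of the hosts/rico2/network.nix → hosts/rico2/network/wireguard.nix rename keeps `wireguard-peers = import ../shared/wireguard-peers.nix;` as an unchanged context line even though the file now lives one directory deeper, so relative to its new location the path resolves to hosts/rico2/shared/wireguard-peers.nix, which presumably does not exist, and evaluating the rico2 configuration will fail. The bifrost rename in this same diff and every newly created wireguard.nix use the two-level path; the line should read `wireguard-peers = import ../../shared/wireguard-peers.nix;`. The new header `{ config, ...}:` also differs in spacing from the `{ config, ... }:` form used by bifrost and wynne.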
@@ -3,7 +3,7 @@ _: {
 ./hardware
 ./programs
 ./services
- ./network.nix
+ ./network
 ./security.nix
 ];
 
diff --git a/hosts/wynne/network.nix b/hosts/wynne/network.nix
deleted file mode 100644
index ac5eb71..0000000
--- a/hosts/wynne/network.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ lib, config, ... }:
-let
- wireguard-peers = import ../shared/wireguard-peers.nix;
-in
-{
- sops.secrets = {
- "wireguard/wynne/pk" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
- };
- };
-
- systemd = {
- network = {
- enable = true;
- wait-online.enable = false;
- networks = {
- "41-ether" = {
- enable = true;
- matchConfig = {
- Type = "ether";
- Name = "e*";
- };
- networkConfig = {
- DHCP = "yes";
- IPv4Forwarding = "yes";
- };
- dhcpV4Config = {
- UseDomains = true;
- };
- linkConfig = {
- RequiredForOnline = "yes";
- };
- };
- };
- };
- };
-
- services.resolved = {
- enable = true;
- domains = [ "~." ];
- fallbackDns = [ ];
- };
-
- networking = {
- useDHCP = lib.mkDefault false;
- nameservers = [
- "10.10.10.11"
- "10.10.10.12"
- ];
- useNetworkd = true;
- firewall = {
- allowedUDPPorts = [ 51833 ];
- trustedInterfaces = [ "Homelab" ];
- };
- wg-quick = {
- interfaces = {
- Homelab = {
- listenPort = 51833;
- privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
- address = [
- "10.10.10.13/24"
- ];
- dns = [ "10.10.10.11" "10.10.10.12" ];
- peers = with wireguard-peers; [
- (bifrost // { persistentKeepalive = 20; })
- rico0
- rico1
- rico2
- layne
- ];
- };
- };
- };
- };
-}
diff --git a/hosts/wynne/network/default.nix b/hosts/wynne/network/default.nix
new file mode 100644
index 0000000..fb8bae9
--- /dev/null
+++ b/hosts/wynne/network/default.nix
@@ -0,0 +1,44 @@
+{ lib, ... }:
+{
+ imports = [ ./wireguard.nix ];
+ systemd = {
+ network = {
+ enable = true;
+ wait-online.enable = false;
+ networks = {
+ "41-ether" = {
+ enable = true;
+ matchConfig = {
+ Type = "ether";
+ Name = "e*";
+ };
+ networkConfig = {
+ DHCP = "yes";
+ IPv4Forwarding = "yes";
+ };
+ dhcpV4Config = {
+ UseDomains = true;
+ };
+ linkConfig = {
+ RequiredForOnline = "yes";
+ };
+ };
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ domains = [ "~." ];
+ fallbackDns = [ ];
+ };
+
+ networking = {
+ useDHCP = lib.mkDefault false;
+ nameservers = [
+ "10.10.10.11"
+ "10.10.10.12"
+ ];
+ useNetworkd = true;
+ };
+}
diff --git a/hosts/wynne/network/wireguard.nix b/hosts/wynne/network/wireguard.nix
new file mode 100644
index 0000000..9558cdc
--- /dev/null
+++ b/hosts/wynne/network/wireguard.nix
@@ -0,0 +1,38 @@
+{ config, ... }:
+let
+ wireguard-peers = import ../../shared/wireguard-peers.nix;
+in
+{
+ sops.secrets = {
+ "wireguard/wynne/pk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ };
+ networking = {
+ firewall = {
+ allowedUDPPorts = [ 51833 ];
+ trustedInterfaces = [ "Homelab" ];
+ };
+ wg-quick = {
+ interfaces = {
+ Homelab = {
+ listenPort = 51833;
+ privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
+ address = [
+ "10.10.10.13/24"
+ ];
+ dns = [ "10.10.10.11" "10.10.10.12" ];
+ peers = with wireguard-peers; [
+ (bifrost // { persistentKeepalive = 20; })
+ rico0
+ rico1
+ rico2
+ layne
+ ];
+ };
+ };
+ };
+ };
+}