From beb635d6dbf01a83eefb2413faca7a1cb905950b Mon Sep 17 00:00:00 2001
From: Adithya Nair
Date: Sun, 17 Nov 2024 10:28:43 +0530
Subject: [PATCH] some cleanups
---
hosts/bifrost/default.nix | 5 +++++
hosts/bifrost/network/default.nix | 3 +++
hosts/bifrost/network/wireguard.nix | 8 ++------
hosts/bifrost/services/ssh.nix | 9 ++++++++-
hosts/layne/default.nix | 5 +++++
hosts/layne/network/default.nix | 1 +
hosts/layne/network/wireguard.nix | 7 ++-----
hosts/rico0/default.nix | 5 +++++
hosts/rico0/network/default.nix | 4 ++--
hosts/rico0/network/wireguard.nix | 7 ++-----
hosts/rico1/default.nix | 5 +++++
hosts/rico1/network/default.nix | 4 ++--
hosts/rico1/network/wireguard.nix | 7 ++-----
hosts/rico2/default.nix | 5 +++++
hosts/rico2/network/default.nix | 4 ++--
hosts/rico2/network/wireguard.nix | 7 ++-----
hosts/shared/prometheus-exporters.nix | 8 +------
hosts/wynne/default.nix | 5 +++++
hosts/wynne/network/default.nix | 4 ++--
hosts/wynne/network/wireguard.nix | 7 ++-----
modules/facts.nix | 14 +++++++++++++-
21 files changed, 76 insertions(+), 48 deletions(-)
diff --git a/hosts/bifrost/default.nix b/hosts/bifrost/default.nix
index 163c072..a5e2464 100644
--- a/hosts/bifrost/default.nix
+++ b/hosts/bifrost/default.nix
@@ -10,6 +10,11 @@ nodeconfig = { minimize = true; nix.auto-gc = true; + facts = { + external-ip = "128.199.30.141"; + local-ip = "10.122.0.3"; + wireguard-ip = "10.10.10.1"; + }; }; i18n = {
diff --git a/hosts/bifrost/network/default.nix b/hosts/bifrost/network/default.nix
index a1a1503..c192749 100644
--- a/hosts/bifrost/network/default.nix
+++ b/hosts/bifrost/network/default.nix
@@ -1,6 +1,8 @@ { lib, ... }: { imports = [ ./wireguard.nix ]; + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + systemd = { network = { enable = true;
@@ -42,6 +44,7 @@ ]; useDHCP = lib.mkDefault false; useNetworkd = true; + nftables.enable = true; }; }
diff --git a/hosts/bifrost/network/wireguard.nix b/hosts/bifrost/network/wireguard.nix
index 46348e0..b106502 100644
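Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` in the first hosts/bifrost/network/default.nix hunk turns the one host that carries a public address into a router, and nothing in the commit restricts what it may forward between its interfaces. With the nftables backend switched on in the second hunk, forwarded traffic is only filtered when that is requested explicitly (`networking.firewall.filterForward = true;` if this nixpkgs has it, or an explicit forward chain), so I'd add that next to the sysctl along with a comment naming what the forwarding is for, e.g. `# forward between WireGuard peers only; see firewall forward rules` — presumably routing for the WireGuard mesh, since no other host gets it, but that is not visible here. Both hunks' enclosing attribute sets start or end outside the hunk.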
--- a/hosts/bifrost/network/wireguard.nix
+++ b/hosts/bifrost/network/wireguard.nix
@@ -1,9 +1,5 @@ { config, ... }: -let - wireguard-peers = import ../../shared/wireguard-peers.nix; -in -{ - nodeconfig.facts.wireguard-ip = "10.10.10.1"; +let wireguard-peers = import ../../shared/wireguard-peers.nix; in { sops.secrets = { "wireguard/bifrost/pk" = { mode = "400";
@@ -22,7 +18,7 @@ in listenPort = 51821; privateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path; address = [ - "10.10.10.1/24" + "${config.nodeconfig.facts.wireguard-ip}/24" ]; dns = [ "10.10.10.11" "10.10.10.12" ]; peers = with wireguard-peers; [
diff --git a/hosts/bifrost/services/ssh.nix b/hosts/bifrost/services/ssh.nix
index 7cba6eb..2d103eb 100644
--- a/hosts/bifrost/services/ssh.nix
+++ b/hosts/bifrost/services/ssh.nix
@@ -1,6 +1,13 @@ -_: { +{ config, ... }: +let facts = config.nodeconfig.facts; in { + networking.firewall.interfaces.ens3.allowedTCPPorts = [ 22 ]; services.openssh = { enable = true; + openFirewall = false; + listenAddresses = [ + { addr = facts.wireguard-ip; port = 22; } + { addr = facts.local-ip; port = 22; } + ]; settings = { KbdInteractiveAuthentication = false; PasswordAuthentication = false;
diff --git a/hosts/layne/default.nix b/hosts/layne/default.nix
index b6aaaed..91cc5ca 100644
--- a/hosts/layne/default.nix
+++ b/hosts/layne/default.nix
@@ -12,6 +12,11 @@ _: { minimize = true; nix.auto-gc = true; is-server = true; + facts = { + external-ip = null; + local-ip = "192.168.1.14"; + wireguard-ip = "10.10.10.14"; + }; }; environment.sessionVariables = {
diff --git a/hosts/layne/network/default.nix b/hosts/layne/network/default.nix
index fb8bae9..19c8d76 100644
--- a/hosts/layne/network/default.nix
+++ b/hosts/layne/network/default.nix
@@ -40,5 +40,6 @@ "10.10.10.12" ]; useNetworkd = true; + nftables.enable = true; }; }
diff --git a/hosts/layne/network/wireguard.nix b/hosts/layne/network/wireguard.nix
index b71c6b8..16fdd06 100644
--- a/hosts/layne/network/wireguard.nix
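Review bot: `"${config.nodeconfig.facts.wireguard-ip}/24"` in the second hosts/bifrost/network/wireguard.nix hunk now interpolates an option that modules/facts.nix allows to be null, so a host that imports this file without setting the fact fails evaluation with a bare "cannot coerce null to a string" instead of a message naming the fact; the same applies to the layne, rico0, rico1, rico2 and wynne wireguard.nix hunks. I'd add `assertions = [ { assertion = config.nodeconfig.facts.wireguard-ip != null; message = "nodeconfig.facts.wireguard-ip must be set on hosts that import wireguard.nix"; } ];` beside the `sops.secrets` block in each file. The `/24` prefix and the `dns = [ "10.10.10.11" "10.10.10.12" ]` list, which repeat rico1's and rico2's WireGuard addresses from their default.nix hunks, stay hard-coded in every host, so the move to facts is only half applied. The interface definition that holds `address` begins and ends outside the hunk.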
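Review bot: sshd with `listenAddresses` bound to `facts.wireguard-ip` in hosts/bifrost/services/ssh.nix only starts if that address is already assigned when the unit starts, and on a remote host where `openFirewall = false;` and port 22 is opened on `ens3` alone, a WireGuard interface that comes up late means no sshd at all and a lockout. I'd either order the service after the WireGuard interface (`systemd.services.sshd.after`/`requires` on its unit) or keep sshd on the wildcard address and let the per-interface firewall rule, which already limits reachability, do the restricting. Also confirm that `ens3` is the interface carrying `local-ip` (10.122.0.3): if it is the public interface instead, the rule opens a port sshd does not listen on, and the rule that admits the local network is missing; the hard-coded name is the one network identifier here that did not move into facts, so a comment such as `# ens3 = the 10.122.0.0 interface; the public address stays closed` would record the intent. The `settings` block continues past the hunk.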
+++ b/hosts/layne/network/wireguard.nix
@@ -1,8 +1,5 @@ { config, ... }: -let - wireguard-peers = import ../../shared/wireguard-peers.nix; -in -{ +let wireguard-peers = import ../../shared/wireguard-peers.nix; in { sops.secrets = { "wireguard/layne/pk" = { mode = "400";
@@ -21,7 +18,7 @@ in listenPort = 51834; privateKeyFile = config.sops.secrets."wireguard/layne/pk".path; address = [ - "10.10.10.14/24" + "${config.nodeconfig.facts.wireguard-ip}/24" ]; dns = [ "10.10.10.11" "10.10.10.12" ]; peers = with wireguard-peers; [
diff --git a/hosts/rico0/default.nix b/hosts/rico0/default.nix
index 3a02364..6839a4d 100644
--- a/hosts/rico0/default.nix
+++ b/hosts/rico0/default.nix
@@ -13,6 +13,11 @@ _: { nix.auto-gc = true; is-pi = true; is-server = true; + facts = { + external-ip = null; + local-ip = "192.168.1.10"; + wireguard-ip = "10.10.10.10"; + }; }; i18n = {
diff --git a/hosts/rico0/network/default.nix b/hosts/rico0/network/default.nix
index fb8bae9..4b1cc11 100644
--- a/hosts/rico0/network/default.nix
+++ b/hosts/rico0/network/default.nix
@@ -1,7 +1,7 @@ -{ lib, ... }: -{ +{ lib, ... }: { imports = [ ./wireguard.nix ]; systemd = { + network = { enable = true; wait-online.enable = false;
diff --git a/hosts/rico0/network/wireguard.nix b/hosts/rico0/network/wireguard.nix
index 25972de..4ef39ad 100644
--- a/hosts/rico0/network/wireguard.nix
+++ b/hosts/rico0/network/wireguard.nix
@@ -1,8 +1,5 @@ { config, ... }: -let - wireguard-peers = import ../../shared/wireguard-peers.nix; -in -{ +let wireguard-peers = import ../../shared/wireguard-peers.nix; in { sops.secrets = { "wireguard/rico0/pk" = { mode = "400";
@@ -21,7 +18,7 @@ in listenPort = 51830; privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path; address = [ - "10.10.10.10/24" + "${config.nodeconfig.facts.wireguard-ip}/24" ]; dns = [ "10.10.10.11" "10.10.10.12" ]; peers = with wireguard-peers; [
diff --git a/hosts/rico1/default.nix b/hosts/rico1/default.nix
index 3a02364..016c70e 100644
--- a/hosts/rico1/default.nix
+++ b/hosts/rico1/default.nix
@@ -13,6 +13,11 @@ _: { nix.auto-gc = true; is-pi = true; is-server = true; + facts = { + external-ip = null; + local-ip = "192.168.1.11"; + wireguard-ip = "10.10.10.11"; + }; }; i18n = {
diff --git a/hosts/rico1/network/default.nix b/hosts/rico1/network/default.nix
index fb8bae9..6fd5b56 100644
--- a/hosts/rico1/network/default.nix
+++ b/hosts/rico1/network/default.nix
@@ -1,6 +1,6 @@ -{ lib, ... }: -{ +{ lib, ... }: { imports = [ ./wireguard.nix ]; + systemd = { network = { enable = true;
diff --git a/hosts/rico1/network/wireguard.nix b/hosts/rico1/network/wireguard.nix
index d274212..b3ed27b 100644
--- a/hosts/rico1/network/wireguard.nix
+++ b/hosts/rico1/network/wireguard.nix
@@ -1,8 +1,5 @@ { config, ... }: -let - wireguard-peers = import ../../shared/wireguard-peers.nix; -in -{ +let wireguard-peers = import ../../shared/wireguard-peers.nix; in { sops.secrets = { "wireguard/rico1/pk" = { mode = "400";
@@ -21,7 +18,7 @@ in listenPort = 51831; privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path; address = [ - "10.10.10.11/24" + "${config.nodeconfig.facts.wireguard-ip}/24" ]; dns = [ "10.10.10.11" "10.10.10.12" ]; peers = with wireguard-peers; [
diff --git a/hosts/rico2/default.nix b/hosts/rico2/default.nix
index 3a02364..afafe34 100644
--- a/hosts/rico2/default.nix
+++ b/hosts/rico2/default.nix
@@ -13,6 +13,11 @@ _: { nix.auto-gc = true; is-pi = true; is-server = true; + facts = { + external-ip = null; + local-ip = "192.168.1.12"; + wireguard-ip = "10.10.10.12"; + }; }; i18n = {
diff --git a/hosts/rico2/network/default.nix b/hosts/rico2/network/default.nix
index fb8bae9..6fd5b56 100644
--- a/hosts/rico2/network/default.nix
+++ b/hosts/rico2/network/default.nix
@@ -1,6 +1,6 @@ -{ lib, ... }: -{ +{ lib, ... }: { imports = [ ./wireguard.nix ]; + systemd = { network = { enable = true;
diff --git a/hosts/rico2/network/wireguard.nix b/hosts/rico2/network/wireguard.nix
index d987e0d..79bf461 100644
--- a/hosts/rico2/network/wireguard.nix
+++ b/hosts/rico2/network/wireguard.nix
@@ -1,8 +1,5 @@ { config, ... }: -let - wireguard-peers = import ../shared/wireguard-peers.nix; -in -{ +let wireguard-peers = import ../shared/wireguard-peers.nix; in { sops.secrets = { "wireguard/rico2/pk" = { mode = "400";
@@ -21,7 +18,7 @@ in listenPort = 51832; privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path; address = [ - "10.10.10.12/24" + "${config.nodeconfig.facts.wireguard-ip}/24" ]; dns = [ "10.10.10.11" "10.10.10.12" ]; peers = with wireguard-peers; [
diff --git a/hosts/shared/prometheus-exporters.nix b/hosts/shared/prometheus-exporters.nix
index 5740117..09c650a 100644
--- a/hosts/shared/prometheus-exporters.nix
+++ b/hosts/shared/prometheus-exporters.nix
@@ -1,8 +1,4 @@ -{ lib, config, ... }: -let - inherit (import ./caddy-helpers.nix) logFormat; -in -{ +{ lib, config, ... }: { services = { caddy = let
@@ -10,9 +6,7 @@ in in { virtualHosts."${vHost}" = { - inherit logFormat; extraConfig = '' - metrics /caddy-metrics handle /metrics { reverse_proxy ${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port} }
diff --git a/hosts/wynne/default.nix b/hosts/wynne/default.nix
index b29dd07..c924101 100644
--- a/hosts/wynne/default.nix
+++ b/hosts/wynne/default.nix
@@ -11,6 +11,11 @@ _: { minimize = true; nix.auto-gc = true; is-server = true; + facts = { + external-ip = null; + local-ip = "192.168.1.13"; + wireguard-ip = "10.10.10.13"; + }; }; environment.sessionVariables = {
diff --git a/hosts/wynne/network/default.nix b/hosts/wynne/network/default.nix
index fb8bae9..6fd5b56 100644
--- a/hosts/wynne/network/default.nix
+++ b/hosts/wynne/network/default.nix
@@ -1,6 +1,6 @@ -{ lib, ... }: -{ +{ lib, ... }: { imports = [ ./wireguard.nix ]; + systemd = { network = { enable = true;
diff --git a/hosts/wynne/network/wireguard.nix b/hosts/wynne/network/wireguard.nix
index 9558cdc..b2040e0 100644
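Review bot: `import ../shared/wireguard-peers.nix` on the new `let` line of hosts/rico2/network/wireguard.nix resolves to hosts/rico2/shared/wireguard-peers.nix, while bifrost, layne, rico0, rico1 and wynne all import `../../shared/wireguard-peers.nix`, i.e. hosts/shared/, the directory the diffstat also shows for prometheus-exporters.nix. Unless rico2 deliberately keeps its own peer list, this is a stale path the cleanup carried over and the line should read `let wireguard-peers = import ../../shared/wireguard-peers.nix; in {`. If a per-host copy does exist, it will silently drift from the shared peer set (keys, endpoints, allowed IPs), which is worth a comment saying why rico2 differs.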
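Review bot: removing `inherit logFormat;` and the `metrics /caddy-metrics` directive in the second hosts/shared/prometheus-exporters.nix hunk is a behaviour change filed under "some cleanups": the vhost that proxies node-exporter `/metrics` loses the shared access-log format and Caddy's own metrics endpoint. If that structured access log was feeding monitoring or detection, keep `inherit logFormat;`; otherwise the commit message should say why both were dropped rather than leaving it to be rediscovered. Whether `/metrics` is reachable only over WireGuard is decided by `vHost` in the `let` above, which is outside the hunk, so I can't tell here whether the exporter is exposed beyond the VPN. The `extraConfig` string continues past the hunk.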
--- a/hosts/wynne/network/wireguard.nix
+++ b/hosts/wynne/network/wireguard.nix
@@ -1,8 +1,5 @@ { config, ... }: -let - wireguard-peers = import ../../shared/wireguard-peers.nix; -in -{ +let wireguard-peers = import ../../shared/wireguard-peers.nix; in { sops.secrets = { "wireguard/wynne/pk" = { mode = "400";
@@ -21,7 +18,7 @@ in listenPort = 51833; privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path; address = [ - "10.10.10.13/24" + "${config.nodeconfig.facts.wireguard-ip}/24" ]; dns = [ "10.10.10.11" "10.10.10.12" ]; peers = with wireguard-peers; [
diff --git a/modules/facts.nix b/modules/facts.nix
index 07b2c75..1e00f06 100644
--- a/modules/facts.nix
+++ b/modules/facts.nix
@@ -2,11 +2,23 @@ options.nodeconfig = { facts = { wireguard-ip = lib.mkOption { - type = lib.types.str; + type = lib.types.nullOr lib.types.str; default = null; example = "10.0.0.1"; description = "Wireguard IP of the node"; }; + local-ip = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "192.168.1.1"; + description = "Local IP of the node"; + }; + external-ip = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "11.1.1.2"; + description = "Public facing IP of the node"; + }; }; }; }
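Review bot: `example = "11.1.1.2";` for `external-ip` in modules/facts.nix is a routable, allocated address; option examples end up in generated docs and get copy-pasted, so use an RFC 5737 documentation address, `example = "203.0.113.2";`. Widening `wireguard-ip` to `nullOr str` is the right fix for the old `str` type paired with `default = null`, but `str` still accepts any text, and a typo in an address now surfaces only when the interface or sshd `listenAddresses` fails to bind; `lib.types.strMatching` with an IPv4 pattern (or a small shared `ipv4` type) would reject it at evaluation time instead. The three `description` strings should also say when a fact may legitimately be null, e.g. `description = "Public facing IP of the node; null for hosts without a public address";`, which is how the layne, rico and wynne hunks use it.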