some cleanups

This commit is contained in:
Adithya 2024-11-17 10:28:43 +05:30
parent d053b70338
commit beb635d6db
Signed by: adtya
GPG key ID: B8857BFBA2C47B9C
21 changed files with 76 additions and 48 deletions


@ -10,6 +10,11 @@
nodeconfig = { nodeconfig = {
minimize = true; minimize = true;
nix.auto-gc = true; nix.auto-gc = true;
facts = {
external-ip = "128.199.30.141";
local-ip = "10.122.0.3";
wireguard-ip = "10.10.10.1";
};
}; };
i18n = { i18n = {


@ -1,6 +1,8 @@
{ lib, ... }: { { lib, ... }: {
imports = [ ./wireguard.nix ]; imports = [ ./wireguard.nix ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
systemd = { systemd = {
network = { network = {
enable = true; enable = true;
@ -42,6 +44,7 @@
]; ];
useDHCP = lib.mkDefault false; useDHCP = lib.mkDefault false;
useNetworkd = true; useNetworkd = true;
nftables.enable = true;
}; };
} }
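Review bot: `nftables.enable = true` moves the NixOS firewall to the nftables backend on a host that also sets `net.ipv4.ip_forward = 1`, so the policy applied to traffic forwarded between the WireGuard interface and the uplink is now whatever the generated nftables ruleset says, and NixOS rejects iptables-style `networking.firewall.extraCommands` once nftables is the backend, so any such forwarding rules elsewhere in this host's config must be rewritten rather than carried over. Nothing in the hunk states what the intended forward policy is, which makes it hard to tell whether forwarding is meant to be open or restricted to specific peers. I would put a one-line comment above the new line recording that intent, e.g. `# nftables backend: forward policy for wg <-> uplink lives in <file>; iptables extraCommands are not valid here`. The lines between the two hunks of this file are not shown.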


@ -1,9 +1,5 @@
{ config, ... }: { config, ... }:
let let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
wireguard-peers = import ../../shared/wireguard-peers.nix;
in
{
nodeconfig.facts.wireguard-ip = "10.10.10.1";
sops.secrets = { sops.secrets = {
"wireguard/bifrost/pk" = { "wireguard/bifrost/pk" = {
mode = "400"; mode = "400";
@ -22,7 +18,7 @@ in
listenPort = 51821; listenPort = 51821;
privateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path; privateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path;
address = [ address = [
"10.10.10.1/24" "${config.nodeconfig.facts.wireguard-ip}/24"
]; ];
dns = [ "10.10.10.11" "10.10.10.12" ]; dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [ peers = with wireguard-peers; [


@ -1,6 +1,13 @@
_: { { config, ... }:
let facts = config.nodeconfig.facts; in {
networking.firewall.interfaces.ens3.allowedTCPPorts = [ 22 ];
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = false;
listenAddresses = [
{ addr = facts.wireguard-ip; port = 22; }
{ addr = facts.local-ip; port = 22; }
];
settings = { settings = {
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
PasswordAuthentication = false; PasswordAuthentication = false;
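Review bot: The new `listenAddresses` entries take `facts.wireguard-ip` and `facts.local-ip`, both declared `nullOr str` with a `null` default in the options module, so a host that leaves either fact unset evaluates to `{ addr = null; port = 22; }` instead of failing clearly at build time. sshd also cannot bind an address that is not yet assigned, so a WireGuard address that comes up after sshd starts, or a `local-ip` that drifts, can leave the host with no SSH at all, which is a lockout risk on a remote box. I would filter and assert, e.g. `listenAddresses = map (addr: { inherit addr; port = 22; }) (builtins.filter (a: a != null) [ facts.wireguard-ip facts.local-ip ]);` together with an assertion that the resulting list is non-empty. Separately, `allowedTCPPorts = [ 22 ]` on `ens3` opens port 22 on an interface that may not carry either listen address; if ens3 is the one holding the external IP this is unnecessary exposure, so a comment naming which of the two listen addresses that rule serves would make the intent checkable. The attribute set closes outside the hunk.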


@ -12,6 +12,11 @@ _: {
minimize = true; minimize = true;
nix.auto-gc = true; nix.auto-gc = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.14";
wireguard-ip = "10.10.10.14";
};
}; };
environment.sessionVariables = { environment.sessionVariables = {


@ -40,5 +40,6 @@
"10.10.10.12" "10.10.10.12"
]; ];
useNetworkd = true; useNetworkd = true;
nftables.enable = true;
}; };
} }


@ -1,8 +1,5 @@
{ config, ... }: { config, ... }:
let let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
wireguard-peers = import ../../shared/wireguard-peers.nix;
in
{
sops.secrets = { sops.secrets = {
"wireguard/layne/pk" = { "wireguard/layne/pk" = {
mode = "400"; mode = "400";
@ -21,7 +18,7 @@ in
listenPort = 51834; listenPort = 51834;
privateKeyFile = config.sops.secrets."wireguard/layne/pk".path; privateKeyFile = config.sops.secrets."wireguard/layne/pk".path;
address = [ address = [
"10.10.10.14/24" "${config.nodeconfig.facts.wireguard-ip}/24"
]; ];
dns = [ "10.10.10.11" "10.10.10.12" ]; dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [ peers = with wireguard-peers; [


@ -13,6 +13,11 @@ _: {
nix.auto-gc = true; nix.auto-gc = true;
is-pi = true; is-pi = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.10";
wireguard-ip = "10.10.10.10";
};
}; };
i18n = { i18n = {


@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }: {
{
imports = [ ./wireguard.nix ]; imports = [ ./wireguard.nix ];
systemd = { systemd = {
network = { network = {
enable = true; enable = true;
wait-online.enable = false; wait-online.enable = false;


@ -1,8 +1,5 @@
{ config, ... }: { config, ... }:
let let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
wireguard-peers = import ../../shared/wireguard-peers.nix;
in
{
sops.secrets = { sops.secrets = {
"wireguard/rico0/pk" = { "wireguard/rico0/pk" = {
mode = "400"; mode = "400";
@ -21,7 +18,7 @@ in
listenPort = 51830; listenPort = 51830;
privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path; privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
address = [ address = [
"10.10.10.10/24" "${config.nodeconfig.facts.wireguard-ip}/24"
]; ];
dns = [ "10.10.10.11" "10.10.10.12" ]; dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [ peers = with wireguard-peers; [


@ -13,6 +13,11 @@ _: {
nix.auto-gc = true; nix.auto-gc = true;
is-pi = true; is-pi = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.11";
wireguard-ip = "10.10.10.11";
};
}; };
i18n = { i18n = {


@ -1,6 +1,6 @@
{ lib, ... }: { lib, ... }: {
{
imports = [ ./wireguard.nix ]; imports = [ ./wireguard.nix ];
systemd = { systemd = {
network = { network = {
enable = true; enable = true;


@ -1,8 +1,5 @@
{ config, ... }: { config, ... }:
let let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
wireguard-peers = import ../../shared/wireguard-peers.nix;
in
{
sops.secrets = { sops.secrets = {
"wireguard/rico1/pk" = { "wireguard/rico1/pk" = {
mode = "400"; mode = "400";
@ -21,7 +18,7 @@ in
listenPort = 51831; listenPort = 51831;
privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path; privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
address = [ address = [
"10.10.10.11/24" "${config.nodeconfig.facts.wireguard-ip}/24"
]; ];
dns = [ "10.10.10.11" "10.10.10.12" ]; dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [ peers = with wireguard-peers; [


@ -13,6 +13,11 @@ _: {
nix.auto-gc = true; nix.auto-gc = true;
is-pi = true; is-pi = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.12";
wireguard-ip = "10.10.10.12";
};
}; };
i18n = { i18n = {


@ -1,6 +1,6 @@
{ lib, ... }: { lib, ... }: {
{
imports = [ ./wireguard.nix ]; imports = [ ./wireguard.nix ];
systemd = { systemd = {
network = { network = {
enable = true; enable = true;


@ -1,8 +1,5 @@
{ config, ... }: { config, ... }:
let let wireguard-peers = import ../shared/wireguard-peers.nix; in {
wireguard-peers = import ../shared/wireguard-peers.nix;
in
{
sops.secrets = { sops.secrets = {
"wireguard/rico2/pk" = { "wireguard/rico2/pk" = {
mode = "400"; mode = "400";
@ -21,7 +18,7 @@ in
listenPort = 51832; listenPort = 51832;
privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path; privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path;
address = [ address = [
"10.10.10.12/24" "${config.nodeconfig.facts.wireguard-ip}/24"
]; ];
dns = [ "10.10.10.11" "10.10.10.12" ]; dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [ peers = with wireguard-peers; [


@ -1,8 +1,4 @@
{ lib, config, ... }: { lib, config, ... }: {
let
inherit (import ./caddy-helpers.nix) logFormat;
in
{
services = { services = {
caddy = caddy =
let let
@ -10,9 +6,7 @@ in
in in
{ {
virtualHosts."${vHost}" = { virtualHosts."${vHost}" = {
inherit logFormat;
extraConfig = '' extraConfig = ''
metrics /caddy-metrics
handle /metrics { handle /metrics {
reverse_proxy ${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port} reverse_proxy ${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}
} }
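Review bot: With `metrics /caddy-metrics` gone, the remaining `handle /metrics` block still reverse-proxies node_exporter on this virtual host with no access control visible in the hunk, so anyone who can reach `vHost` can read host metrics (kernel build, mounts, interface names, process and socket counts). If `vHost` is public-facing I would fence the route, e.g. a `@internal remote_ip 10.10.10.0/24` matcher inside the handle block with `reverse_proxy @internal ...` and a `respond 403` for everything else, or a `basic_auth` block; the `vHost` definition and the rest of the server block are outside the hunk, so I cannot tell whether it is already internal-only. It is also worth checking that `lib` in the file's argument set is still referenced now that the `let` binding was removed.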


@ -11,6 +11,11 @@ _: {
minimize = true; minimize = true;
nix.auto-gc = true; nix.auto-gc = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.13";
wireguard-ip = "10.10.10.13";
};
}; };
environment.sessionVariables = { environment.sessionVariables = {


@ -1,6 +1,6 @@
{ lib, ... }: { lib, ... }: {
{
imports = [ ./wireguard.nix ]; imports = [ ./wireguard.nix ];
systemd = { systemd = {
network = { network = {
enable = true; enable = true;


@ -1,8 +1,5 @@
{ config, ... }: { config, ... }:
let let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
wireguard-peers = import ../../shared/wireguard-peers.nix;
in
{
sops.secrets = { sops.secrets = {
"wireguard/wynne/pk" = { "wireguard/wynne/pk" = {
mode = "400"; mode = "400";
@ -21,7 +18,7 @@ in
listenPort = 51833; listenPort = 51833;
privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path; privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
address = [ address = [
"10.10.10.13/24" "${config.nodeconfig.facts.wireguard-ip}/24"
]; ];
dns = [ "10.10.10.11" "10.10.10.12" ]; dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [ peers = with wireguard-peers; [


@ -2,11 +2,23 @@
options.nodeconfig = { options.nodeconfig = {
facts = { facts = {
wireguard-ip = lib.mkOption { wireguard-ip = lib.mkOption {
type = lib.types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
example = "10.0.0.1"; example = "10.0.0.1";
description = "Wireguard IP of the node"; description = "Wireguard IP of the node";
}; };
local-ip = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "192.168.1.1";
description = "Local IP of the node";
};
external-ip = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "11.1.1.2";
description = "Public facing IP of the node";
};
}; };
}; };
} }
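Review bot: Widening `wireguard-ip` to `nullOr str` means an unset fact is now accepted silently, while the consumers introduced in this commit interpolate it directly (`"${config.nodeconfig.facts.wireguard-ip}/24"` in each host's wireguard.nix), so a missing value now surfaces only as a `cannot coerce null to a string` error with no pointer to the option; the previous `str` type at least rejected the `null` default at the option boundary. I would add an assertion in this module with a message naming the option, e.g. `assertions = [ { assertion = config.nodeconfig.facts.wireguard-ip != null; message = "nodeconfig.facts.wireguard-ip must be set"; } ];`, or have the consumers gate on `!= null` if some future host is genuinely meant to run without WireGuard. The module's function header is outside the hunk, so whether `config` is already in scope here is not visible. The `description` strings could also say what the values are used for (sshd listen addresses, WireGuard interface address) so the next person knows what breaks when they are wrong.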