treewide: Remove birdsong in favour of Tailscale

2025-06-09 16:58:28 +01:00 · 2025-06-09 16:58:28 +01:00 · 41cc006b96
commit 41cc006b96
parent dbb7af7846
20 changed files with 4 additions and 157 deletions
--- a/flake.lock
+++ b/flake.lock
@ -23,22 +23,6 @@
        "type": "github"
      }
    },
-    "birdsong": {
-      "locked": {
-        "lastModified": 1747153132,
-        "narHash": "sha256-sGFCyWhTcI4TP+4ZlZniBEF41NWyKrojfpsHP7ld54c=",
-        "ref": "main",
-        "rev": "9955b1ae4eb0cbeff2ae0ed6520e651753880445",
-        "revCount": 23,
-        "type": "git",
-        "url": "https://git.qenya.tel/qenya/birdsong"
-      },
-      "original": {
-        "ref": "main",
-        "type": "git",
-        "url": "https://git.qenya.tel/qenya/birdsong"
-      }
-    },
    "colmena": {
      "inputs": {
        "flake-compat": [],
@ -349,7 +333,6 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
-        "birdsong": "birdsong",
        "colmena": "colmena",
        "firefox-addons": "firefox-addons",
        "flake-parts": "flake-parts",
--- a/flake.nix
+++ b/flake.nix
@ -54,8 +54,6 @@
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

-    birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main";
-
    scoutshonour = {
      url = "git+https://git.qenya.tel/qenya/nix-scoutshonour?ref=main";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -149,7 +147,6 @@
            imports = [
              inputs.lix-module.nixosModules.default
              inputs.agenix.nixosModules.default
-              inputs.birdsong.nixosModules.default
              ./common
              ./services
              (builtins.toPath "${inputs.randomcat}/services/default.nix")
--- a/hosts/elucredassa/networking.nix
+++ b/hosts/elucredassa/networking.nix
@ -33,16 +33,4 @@
    networkConfig.Address = [ "2001:470:1f1c:3e::2/64" ];
    routes = [{ Destination = [ "::/0" ]; }];
  };
-
-  birdsong.peering = {
-    enable = true;
-    privateKeyFile = "/etc/wireguard/privatekey";
-    persistentKeepalive = 29;
-  };
-
-  # restricted to fit within the 6in4 tunnel
-  systemd.network.netdevs."30-birdsong".netdevConfig.MTUBytes = 1280;
-  # these two lines work around this bug: https://github.com/NixOS/nixpkgs/issues/375960
-  systemd.network.netdevs."30-birdsong".netdevConfig.Kind = "wireguard";
-  systemd.network.netdevs."30-birdsong".netdevConfig.Name = "wg-birdsong";
 }
--- a/hosts/kalessin/networking.nix
+++ b/hosts/kalessin/networking.nix
@ -3,16 +3,4 @@
 {
  networking.useNetworkd = true;
  networking.interfaces.enp0s6.useDHCP = true;
-
-  age.secrets.wireguard-peer-kalessin = {
-    file = ../../secrets/wireguard-peer-kalessin.age;
-    owner = "root";
-    group = "systemd-network";
-    mode = "640";
-  };
-
-  birdsong.peering = {
-    enable = true;
-    privateKeyFile = config.age.secrets.wireguard-peer-kalessin.path;
-  };
 }
--- a/hosts/kilgharrah/networking.nix
+++ b/hosts/kilgharrah/networking.nix
@ -12,17 +12,4 @@
    };
    linkConfig.RequiredForOnline = "routable";
  };
-
-  age.secrets.wireguard-peer-kilgharrah = {
-    file = ../../secrets/wireguard-peer-kilgharrah.age;
-    owner = "root";
-    group = "systemd-network";
-    mode = "640";
-  };
-
-  birdsong.peering = {
-    enable = true;
-    privateKeyFile = config.age.secrets.wireguard-peer-kilgharrah.path;
-    persistentKeepalive = 31;
-  };
 }
--- a/hosts/orm/default.nix
+++ b/hosts/orm/default.nix
@ -44,17 +44,15 @@
      # TODO: fix SSL
      # ssl = true;
    };
-    # only allow remote connections from within birdsong vpn
-    # TODO: don't hardcode the IP addresses
-    # TODO: move to tailscale
+    # only allow remote connections from within Tailscale
    authentication = pkgs.lib.mkOverride 10 ''
      #type database  DBuser  auth-method
      local all       all     trust   # used by nixos for local monitoring
-      host  sameuser  all     10.127.0.0/16 scram-sha-256
-      host  sameuser  all     fd70:81ca:f8f::/48 scram-sha-256
+      host  sameuser  all     100.64.0.0/10 scram-sha-256
+      host  sameuser  all     fd7a:115c:a1e0::/48 scram-sha-256
    '';
  };
-  networking.firewall.interfaces."wg-birdsong".allowedTCPPorts = [ 5432 ];
+  networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 5432 ];

  qenya.services.actual = {
    enable = true;
--- a/hosts/orm/networking.nix
+++ b/hosts/orm/networking.nix
@ -3,16 +3,4 @@
 {
  networking.useNetworkd = true;
  networking.interfaces.ens3.useDHCP = true;
-
-  age.secrets.wireguard-peer-orm = {
-    file = ../../secrets/wireguard-peer-orm.age;
-    owner = "root";
-    group = "systemd-network";
-    mode = "640";
-  };
-
-  birdsong.peering = {
-    enable = true;
-    privateKeyFile = config.age.secrets.wireguard-peer-orm.path;
-  };
 }
--- a/hosts/tohru/networking.nix
+++ b/hosts/tohru/networking.nix
@ -5,17 +5,4 @@
  systemd.network.wait-online.enable = false;
  
  networking.networkmanager.enable = true;
-
-  age.secrets.wireguard-peer-tohru = {
-    file = ../../secrets/wireguard-peer-tohru.age;
-    owner = "root";
-    group = "systemd-network";
-    mode = "640";
-  };
-  
-  birdsong.peering = {
-    enable = true;
-    privateKeyFile = config.age.secrets.wireguard-peer-tohru.path;
-    persistentKeepalive = 23;
-  };
 }
--- a/hosts/yevaud/networking.nix
+++ b/hosts/yevaud/networking.nix
@ -3,16 +3,4 @@
 {
  networking.useNetworkd = true;
  networking.interfaces.ens3.useDHCP = true;
-
-  age.secrets.wireguard-peer-yevaud = {
-    file = ../../secrets/wireguard-peer-yevaud.age;
-    owner = "root";
-    group = "systemd-network";
-    mode = "640";
-  };
-
-  birdsong.peering = {
-    enable = true;
-    privateKeyFile = config.age.secrets.wireguard-peer-yevaud.path;
-  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -5,11 +5,6 @@ let
    ftp-userDb-qenya = [ machines.kilgharrah ] ++ keys.users.qenya;
    user-password-kilgharrah-qenya = [ machines.kilgharrah ] ++ keys.users.qenya;
    user-password-tohru-qenya = [ machines.tohru ] ++ keys.users.qenya;
-    wireguard-peer-orm = [ machines.orm ] ++ keys.users.qenya;
-    wireguard-peer-tohru = [ machines.tohru ] ++ keys.users.qenya;
-    wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya;
-    wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya;
-    wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya;
    protonvpn-pennykettle1 = [ machines.yevaud ] ++ keys.users.qenya;
  };
 in
--- a/secrets/wireguard-peer-kalessin.age
+++ b/secrets/wireguard-peer-kalessin.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 QjA8rQ eBORfw+iHPPMYgYQc2gTD9j/QEr36fVFCGYtVX2bGBQ
-TH/XvVgv7ugjzL6a8bffLq/dj5IUbZtCXkJ+XefxURc
-> ssh-ed25519 seJ9Iw fLYNcU2XjiryoOx1gEH9pDMOpfmLsvrcslplL2fFwCI
-Wn5KlABSx6mJYvVKO5zXq4VA0SIV5s5WztPIwGLFWG0
-> ssh-ed25519 900ILw wW6lbItZyxelxyTXVLIkInWshc4DtOjGelcm4ixE8kg
-/F7kp3AS68QHBitbkZGm9CNF26uw+GtdrTTyYiW6/6E
--- 4t+IrAJ6k/x8FMXiELoDXJICWv7QUcwBRmzKEt+/1+I
-å:wQ‘ÌO’ r«‡Å½ª:PŒ½Ë„¶ªÒæ9ÆG¸˜Tèr³“½cù|îÍ6|‹çíƒÅ4ïˆû†××}½ÒŸ3c©Î€-Jƒè°-Œ!
--- a/secrets/wireguard-peer-kalessin.pub
+++ b/secrets/wireguard-peer-kalessin.pub
@ -1 +0,0 @@
-9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ=
--- a/secrets/wireguard-peer-kilgharrah.age
+++ b/secrets/wireguard-peer-kilgharrah.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 5PK5ag WsUZWedml5fBAIEog+puLADcitY0uKJttT7ABUIjnnY
-IZbF1yTctMOJWOW7A/EIlMC1pfpFR5TLghShF4wpXW8
-> ssh-ed25519 seJ9Iw OHLAn4ZU6QZ/rv0kzh3q2A502XbNtCt05tJUSnv2MhY
-OQ2kxhsFGmCKHlVINHdbDRKbAOFWaSFmf/epGcUJLuE
-> ssh-ed25519 900ILw CcGgENZiqjRLC7pJSzfluC38thwWX/iTeWc9dPgHcjw
-Q+IWIEfOaros+rDLJIbzdOndLZMACQjVqebIrYsjvnc
--- uhddG2mrqw+pfDInK0hrzH6BuT2CfmUw/QAkhLD24YY
-<19>®:“ßg~4böuÚ’—%ªò¤¦!4K<>Ú“šâÓ‘^ÝÆ•¢ÆÁ`¥®A¨ƒîº«j!_åPó©³w#@"´¸7{‚˜ÿ%Yo
--- a/secrets/wireguard-peer-kilgharrah.pub
+++ b/secrets/wireguard-peer-kilgharrah.pub
@ -1 +0,0 @@
-LXQVU0MFKVO/mml5krHnf6NcL4GxF6XFJmvpmjrLBFA=
--- a/secrets/wireguard-peer-orm.age
+++ b/secrets/wireguard-peer-orm.age
@ -1,10 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 l/RSAw d62ed4GntqcH7w0Qm7La/1GXBnWbAkrHekt3R/ssuwY
-4XrxbvJ4CjPJuJ7oGuoxuhb2/VTI6XUjvI0XQmamtPk
-> ssh-ed25519 seJ9Iw ykj+pdFOkHdCxaotW+SxWQzK6VMMbSaREbx9r7rMIl0
-XEB7ic2SlNQf6C0M3rm9h9D04FYtDkeBobZWnbgQDck
-> ssh-ed25519 900ILw 29vJoPdoyapdB47hK5p1u4daaJbNrwAv+7ndoPB6VCo
-m+sOCPiD3MbEJycIgLa24QU5ILna9UI5Luigvv9k2T4
--- 7HDSsngCFsU9GywCc+8/txXsBwcoFWZ7D4/iTbSbtzs
-er\ñ#<23>ÌZÂfý\zd óèÚÄ×ÛÇÅð<C385>Wîu•‰(ºý´‘5ÙÇx_#NÌ«–ø¦<>
-0y—DDa+>‘FÓˆ«X^ÃÕu8e
--- a/secrets/wireguard-peer-orm.pub
+++ b/secrets/wireguard-peer-orm.pub
@ -1 +0,0 @@
-birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=
--- a/secrets/wireguard-peer-tohru.age
+++ b/secrets/wireguard-peer-tohru.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 yZzWlg o1Jax+v/jJ2ayNLw0Z97iA1sjZrK5t266LyZYaj/3nk
-rTjIt9vcSdkOohnDBbFMR5iJnJGlIEQU34h1SafofeI
-> ssh-ed25519 seJ9Iw 2EsG0EUBCiaPk/mgADGydGGX72K1q9hKDj/abp8nvVw
-5CMR/jpg1o9uQ986L+An6x60SnUrVGVVXXo+CCU3UfE
-> ssh-ed25519 900ILw InEzPKOEkoQ/tp4T3mo9/TMvWtLYqlsdkdV4fhkBLwg
-xCupfNr2jilKtPnjBYv234qUE6ont4ofgY3bwtQUY6I
--- 4c4R1a8GkNXDS4zThBBIKvMrXK3zqNvc7hK8VWLCB4I
-Ù³
Û«‚›-®Ú®´ò¿ÙV+¿ 3~8þL±RÕ‚¬Ê2¶Rb6ç"ÂO‰<4F>ùpM•×áÃËOÆ5Cº–Žº&<26>Ç.EE³1_ó{
--- a/secrets/wireguard-peer-tohru.pub
+++ b/secrets/wireguard-peer-tohru.pub
@ -1 +0,0 @@
-lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18=
--- a/secrets/wireguard-peer-yevaud.age
+++ b/secrets/wireguard-peer-yevaud.age
@ -1,10 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 uJfgGw PrfPHcOs1dZCPi2rdkj1Ep2eAQS54LRiNizpfECwbD8
-JWjQDy22aRWJpLxCqmbO8+Qf7uUe419uwBHQSdlZkW8
-> ssh-ed25519 seJ9Iw DMpu+V3zziwZNwGFl0VBddbAxOy3BjzqiH1ifNm50xA
-U+F1KGWiuwPGG8W2C3/bV870z4teKbPYS8Avhnfz/Jw
-> ssh-ed25519 900ILw CtQ5lpYLMQXGbTWWmz2f4Ya/LWg1cYETOn9yq6p7eX4
-L1tS98YRFqe43XGBRxvnZFOzsC1crcL9kbHI2y5UFwE
--- jHmFvmZH+RuZo+PFDyQyaiLi85Q8akJsOC0xpM0Raj4
-Ëz•~žê}ƒ_PÂTxÐÿûãÚ)P|Áÿ,ÛÄ%Z	ò9sÎ¦õQ(bm¸µ¸‰ò×ùûŸ¦o‡ÿY?¸VY¯
-aÀÖÅXR·
--- a/secrets/wireguard-peer-yevaud.pub
+++ b/secrets/wireguard-peer-yevaud.pub
@ -1 +0,0 @@
-YPJsIs9x4wuWdFi/QRWSJbWvKE0GQAfVL4MNMqHygDw=
				`@ -1 +0,0 @@`
				`9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ=`
				`@ -1 +0,0 @@`
				`LXQVU0MFKVO/mml5krHnf6NcL4GxF6XFJmvpmjrLBFA=`
				`@ -1 +0,0 @@`
				`birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=`
				`@ -1 +0,0 @@`
				`lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18=`
				`@ -1 +0,0 @@`
				`YPJsIs9x4wuWdFi/QRWSJbWvKE0GQAfVL4MNMqHygDw=`