diff --git a/flake.lock b/flake.lock
index 696a3cf..9e42292 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,22 +23,6 @@
 "type": "github"
 }
 },
- "birdsong": {
- "locked": {
- "lastModified": 1747153132,
- "narHash": "sha256-sGFCyWhTcI4TP+4ZlZniBEF41NWyKrojfpsHP7ld54c=",
- "ref": "main",
- "rev": "9955b1ae4eb0cbeff2ae0ed6520e651753880445",
- "revCount": 23,
- "type": "git",
- "url": "https://git.qenya.tel/qenya/birdsong"
- },
- "original": {
- "ref": "main",
- "type": "git",
- "url": "https://git.qenya.tel/qenya/birdsong"
- }
- },
 "colmena": {
 "inputs": {
 "flake-compat": [],
@@ -349,7 +333,6 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
- "birdsong": "birdsong",
 "colmena": "colmena",
 "firefox-addons": "firefox-addons",
 "flake-parts": "flake-parts",
diff --git a/flake.nix b/flake.nix
index 3766dee..3fcba00 100644
--- a/flake.nix
+++ b/flake.nix
@@ -54,8 +54,6 @@
 inputs.nixpkgs.follows = "nixpkgs-unstable";
 };
- birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main";
-
 scoutshonour = {
 url = "git+https://git.qenya.tel/qenya/nix-scoutshonour?ref=main";
 inputs.nixpkgs.follows = "nixpkgs-unstable";
@@ -149,7 +147,6 @@
 imports = [
 inputs.lix-module.nixosModules.default
 inputs.agenix.nixosModules.default
- inputs.birdsong.nixosModules.default
 ./common
 ./services
 (builtins.toPath "${inputs.randomcat}/services/default.nix")
diff --git a/hosts/elucredassa/networking.nix b/hosts/elucredassa/networking.nix
index 6e7ace7..82b4e96 100644
--- a/hosts/elucredassa/networking.nix
+++ b/hosts/elucredassa/networking.nix
@@ -33,16 +33,4 @@
 networkConfig.Address = [ "2001:470:1f1c:3e::2/64" ];
 routes = [{ Destination = [ "::/0" ]; }];
 };
-
- birdsong.peering = {
- enable = true;
- privateKeyFile = "/etc/wireguard/privatekey";
- persistentKeepalive = 29;
- };
-
- # restricted to fit within the 6in4 tunnel
- systemd.network.netdevs."30-birdsong".netdevConfig.MTUBytes = 1280;
- # these two lines work around this bug: https://github.com/NixOS/nixpkgs/issues/375960
- systemd.network.netdevs."30-birdsong".netdevConfig.Kind = "wireguard";
- systemd.network.netdevs."30-birdsong".netdevConfig.Name = "wg-birdsong";
 }
diff --git a/hosts/kalessin/networking.nix b/hosts/kalessin/networking.nix
index b5ce574..3c27781 100644
--- a/hosts/kalessin/networking.nix
+++ b/hosts/kalessin/networking.nix
@@ -3,16 +3,4 @@
 {
 networking.useNetworkd = true;
 networking.interfaces.enp0s6.useDHCP = true;
-
- age.secrets.wireguard-peer-kalessin = {
- file = ../../secrets/wireguard-peer-kalessin.age;
- owner = "root";
- group = "systemd-network";
- mode = "640";
- };
-
- birdsong.peering = {
- enable = true;
- privateKeyFile = config.age.secrets.wireguard-peer-kalessin.path;
- };
 }
diff --git a/hosts/kilgharrah/networking.nix b/hosts/kilgharrah/networking.nix
index f9ae666..2db377f 100644
--- a/hosts/kilgharrah/networking.nix
+++ b/hosts/kilgharrah/networking.nix
@@ -12,17 +12,4 @@
 };
 linkConfig.RequiredForOnline = "routable";
 };
-
- age.secrets.wireguard-peer-kilgharrah = {
- file = ../../secrets/wireguard-peer-kilgharrah.age;
- owner = "root";
- group = "systemd-network";
- mode = "640";
- };
-
- birdsong.peering = {
- enable = true;
- privateKeyFile = config.age.secrets.wireguard-peer-kilgharrah.path;
- persistentKeepalive = 31;
- };
 }
diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix
index 31c990b..dc696e9 100644
--- a/hosts/orm/default.nix
+++ b/hosts/orm/default.nix
@@ -44,17 +44,15 @@
 # TODO: fix SSL
 # ssl = true;
 };
- # only allow remote connections from within birdsong vpn
- # TODO: don't hardcode the IP addresses
- # TODO: move to tailscale
+ # only allow remote connections from within Tailscale
 authentication = pkgs.lib.mkOverride 10 ''
 #type database DBuser auth-method
 local all all trust # used by nixos for local monitoring
- host sameuser all 10.127.0.0/16 scram-sha-256
- host sameuser all fd70:81ca:f8f::/48 scram-sha-256
+ host sameuser all 100.64.0.0/10 scram-sha-256
+ host sameuser all fd7a:115c:a1e0::/48 scram-sha-256
 '';
 };
- networking.firewall.interfaces."wg-birdsong".allowedTCPPorts = [ 5432 ];
+ networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 5432 ];
 qenya.services.actual = {
 enable = true;
diff --git a/hosts/orm/networking.nix b/hosts/orm/networking.nix
index d69a0ae..9423165 100644
--- a/hosts/orm/networking.nix
+++ b/hosts/orm/networking.nix
@@ -3,16 +3,4 @@
 {
 networking.useNetworkd = true;
 networking.interfaces.ens3.useDHCP = true;
-
- age.secrets.wireguard-peer-orm = {
- file = ../../secrets/wireguard-peer-orm.age;
- owner = "root";
- group = "systemd-network";
- mode = "640";
- };
-
- birdsong.peering = {
- enable = true;
- privateKeyFile = config.age.secrets.wireguard-peer-orm.path;
- };
 }
diff --git a/hosts/tohru/networking.nix b/hosts/tohru/networking.nix
index 6042cc8..be3822f 100644
--- a/hosts/tohru/networking.nix
+++ b/hosts/tohru/networking.nix
@@ -5,17 +5,4 @@
 systemd.network.wait-online.enable = false;
 networking.networkmanager.enable = true;
-
- age.secrets.wireguard-peer-tohru = {
- file = ../../secrets/wireguard-peer-tohru.age;
- owner = "root";
- group = "systemd-network";
- mode = "640";
- };
-
- birdsong.peering = {
- enable = true;
- privateKeyFile = config.age.secrets.wireguard-peer-tohru.path;
- persistentKeepalive = 23;
- };
 }
diff --git a/hosts/yevaud/networking.nix b/hosts/yevaud/networking.nix
index 31e1de8..9423165 100644
--- a/hosts/yevaud/networking.nix
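Review bot: The new pg_hba rows match `100.64.0.0/10` and `fd7a:115c:a1e0::/48`, which are the whole CGNAT range and the whole Tailscale ULA range rather than this tailnet specifically, and pg_hba matches on source address only; what actually confines port 5432 to the Tailscale path is the `networking.firewall.interfaces."tailscale0"` rule two lines further down, so the two belong together and the comment should say so. The commit also drops `# TODO: don't hardcode the IP addresses` although the addresses are still hardcoded, so I would keep that TODO and widen the comment, e.g. `# only allow remote connections from within Tailscale: 100.64.0.0/10 and fd7a:115c:a1e0::/48 are the Tailscale address ranges, and the firewall rule below opens 5432 on tailscale0 only`. Any node that can reach this host over the tailnet passes the address check, so per-peer access control now rests on the scram-sha-256 `sameuser` rule and on the tailnet ACLs, which are not part of this change. The attribute set containing `authentication` starts before the hunk, and the `qenya.services.actual` block continues after it.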
+++ b/hosts/yevaud/networking.nix
@@ -3,16 +3,4 @@
 {
 networking.useNetworkd = true;
 networking.interfaces.ens3.useDHCP = true;
-
- age.secrets.wireguard-peer-yevaud = {
- file = ../../secrets/wireguard-peer-yevaud.age;
- owner = "root";
- group = "systemd-network";
- mode = "640";
- };
-
- birdsong.peering = {
- enable = true;
- privateKeyFile = config.age.secrets.wireguard-peer-yevaud.path;
- };
 }
diff --git a/secrets.nix b/secrets.nix
index 61abf6e..25ba859 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,11 +5,6 @@ let
 ftp-userDb-qenya = [ machines.kilgharrah ] ++ keys.users.qenya;
 user-password-kilgharrah-qenya = [ machines.kilgharrah ] ++ keys.users.qenya;
 user-password-tohru-qenya = [ machines.tohru ] ++ keys.users.qenya;
- wireguard-peer-orm = [ machines.orm ] ++ keys.users.qenya;
- wireguard-peer-tohru = [ machines.tohru ] ++ keys.users.qenya;
- wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya;
- wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya;
- wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya;
 protonvpn-pennykettle1 = [ machines.yevaud ] ++ keys.users.qenya;
 };
 in
diff --git a/secrets/wireguard-peer-kalessin.age b/secrets/wireguard-peer-kalessin.age
deleted file mode 100644
index 3c7eb17..0000000
--- a/secrets/wireguard-peer-kalessin.age
+++ /dev/null
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 QjA8rQ eBORfw+iHPPMYgYQc2gTD9j/QEr36fVFCGYtVX2bGBQ
-TH/XvVgv7ugjzL6a8bffLq/dj5IUbZtCXkJ+XefxURc
--> ssh-ed25519 seJ9Iw fLYNcU2XjiryoOx1gEH9pDMOpfmLsvrcslplL2fFwCI
-Wn5KlABSx6mJYvVKO5zXq4VA0SIV5s5WztPIwGLFWG0
--> ssh-ed25519 900ILw wW6lbItZyxelxyTXVLIkInWshc4DtOjGelcm4ixE8kg
-/F7kp3AS68QHBitbkZGm9CNF26uw+GtdrTTyYiW6/6E
---- 4t+IrAJ6k/x8FMXiELoDXJICWv7QUcwBRmzKEt+/1+I
-:wQOrŽ:P˄9GTrc|6|4 }ҟ3c΀-J-!
\ No newline at end of file
diff --git a/secrets/wireguard-peer-kalessin.pub b/secrets/wireguard-peer-kalessin.pub
deleted file mode 100644
index 0c05923..0000000
--- a/secrets/wireguard-peer-kalessin.pub +++ /dev/null @@ -1 +0,0 @@ -9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ= diff --git a/secrets/wireguard-peer-kilgharrah.age b/secrets/wireguard-peer-kilgharrah.age deleted file mode 100644 index 46cb858..0000000 --- a/secrets/wireguard-peer-kilgharrah.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 5PK5ag WsUZWedml5fBAIEog+puLADcitY0uKJttT7ABUIjnnY -IZbF1yTctMOJWOW7A/EIlMC1pfpFR5TLghShF4wpXW8 --> ssh-ed25519 seJ9Iw OHLAn4ZU6QZ/rv0kzh3q2A502XbNtCt05tJUSnv2MhY -OQ2kxhsFGmCKHlVINHdbDRKbAOFWaSFmf/epGcUJLuE --> ssh-ed25519 900ILw CcGgENZiqjRLC7pJSzfluC38thwWX/iTeWc9dPgHcjw -Q+IWIEfOaros+rDLJIbzdOndLZMACQjVqebIrYsjvnc ---- uhddG2mrqw+pfDInK0hrzH6BuT2CfmUw/QAkhLD24YY -:g~4buڒ%!4Kړӑ^ƕ`Aj!_Pw#@"7{%Yo \ No newline at end of file diff --git a/secrets/wireguard-peer-kilgharrah.pub b/secrets/wireguard-peer-kilgharrah.pub deleted file mode 100644 index fa1c28f..0000000 --- a/secrets/wireguard-peer-kilgharrah.pub +++ /dev/null @@ -1 +0,0 @@ -LXQVU0MFKVO/mml5krHnf6NcL4GxF6XFJmvpmjrLBFA= diff --git a/secrets/wireguard-peer-orm.age b/secrets/wireguard-peer-orm.age deleted file mode 100644 index 10fd49b..0000000 --- a/secrets/wireguard-peer-orm.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 l/RSAw d62ed4GntqcH7w0Qm7La/1GXBnWbAkrHekt3R/ssuwY -4XrxbvJ4CjPJuJ7oGuoxuhb2/VTI6XUjvI0XQmamtPk --> ssh-ed25519 seJ9Iw ykj+pdFOkHdCxaotW+SxWQzK6VMMbSaREbx9r7rMIl0 -XEB7ic2SlNQf6C0M3rm9h9D04FYtDkeBobZWnbgQDck --> ssh-ed25519 900ILw 29vJoPdoyapdB47hK5p1u4daaJbNrwAv+7ndoPB6VCo -m+sOCPiD3MbEJycIgLa24QU5ILna9UI5Luigvv9k2T4 ---- 7HDSsngCFsU9GywCc+8/txXsBwcoFWZ7D4/iTbSbtzs -er\#Zf\zd Wu( 5x_#N̫ -0yDDa+>FӈX^u8e \ No newline at end of file diff --git a/secrets/wireguard-peer-orm.pub b/secrets/wireguard-peer-orm.pub deleted file mode 100644 index c6f541c..0000000 --- a/secrets/wireguard-peer-orm.pub +++ /dev/null @@ -1 +0,0 @@ -birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA= 
diff --git a/secrets/wireguard-peer-tohru.age b/secrets/wireguard-peer-tohru.age deleted file mode 100644 index f12a515..0000000 --- a/secrets/wireguard-peer-tohru.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 yZzWlg o1Jax+v/jJ2ayNLw0Z97iA1sjZrK5t266LyZYaj/3nk -rTjIt9vcSdkOohnDBbFMR5iJnJGlIEQU34h1SafofeI --> ssh-ed25519 seJ9Iw 2EsG0EUBCiaPk/mgADGydGGX72K1q9hKDj/abp8nvVw -5CMR/jpg1o9uQ986L+An6x60SnUrVGVVXXo+CCU3UfE --> ssh-ed25519 900ILw InEzPKOEkoQ/tp4T3mo9/TMvWtLYqlsdkdV4fhkBLwg -xCupfNr2jilKtPnjBYv234qUE6ont4ofgY3bwtQUY6I ---- 4c4R1a8GkNXDS4zThBBIKvMrXK3zqNvc7hK8VWLCB4I -ٳ ۫-ڮV+ 3~8LRՂ 2Rb6"OpMO5C&.EE1_{ \ No newline at end of file diff --git a/secrets/wireguard-peer-tohru.pub b/secrets/wireguard-peer-tohru.pub deleted file mode 100644 index 6930ed6..0000000 --- a/secrets/wireguard-peer-tohru.pub +++ /dev/null @@ -1 +0,0 @@ -lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18= diff --git a/secrets/wireguard-peer-yevaud.age b/secrets/wireguard-peer-yevaud.age deleted file mode 100644 index f85c4b0..0000000 --- a/secrets/wireguard-peer-yevaud.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uJfgGw PrfPHcOs1dZCPi2rdkj1Ep2eAQS54LRiNizpfECwbD8 -JWjQDy22aRWJpLxCqmbO8+Qf7uUe419uwBHQSdlZkW8 --> ssh-ed25519 seJ9Iw DMpu+V3zziwZNwGFl0VBddbAxOy3BjzqiH1ifNm50xA -U+F1KGWiuwPGG8W2C3/bV870z4teKbPYS8Avhnfz/Jw --> ssh-ed25519 900ILw CtQ5lpYLMQXGbTWWmz2f4Ya/LWg1cYETOn9yq6p7eX4 -L1tS98YRFqe43XGBRxvnZFOzsC1crcL9kbHI2y5UFwE ---- jHmFvmZH+RuZo+PFDyQyaiLi85Q8akJsOC0xpM0Raj4 -z~}_PTx)P|,%Z 9sΦQ(bmoY?VY -aXR \ No newline at end of file diff --git a/secrets/wireguard-peer-yevaud.pub b/secrets/wireguard-peer-yevaud.pub deleted file mode 100644 index 871b993..0000000 --- a/secrets/wireguard-peer-yevaud.pub +++ /dev/null @@ -1 +0,0 @@ -YPJsIs9x4wuWdFi/QRWSJbWvKE0GQAfVL4MNMqHygDw=