diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix
index c2d4639..2a8fdae 100644
--- a/hosts/yevaud/default.nix
+++ b/hosts/yevaud/default.nix
@@ -4,9 +4,6 @@
 imports = [
 ./hardware-configuration.nix
 ./networking.nix
-
- ./experiments/birdsong-dns.nix
- ./experiments/pennykettle.nix
 ];
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
@@ -17,6 +14,36 @@
 users.users.qenya.extraGroups = [ "wheel" ];
 qenya.base-server.enable = true;
+ services.bind = {
+ # enable = true;
+ cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
+ forwarders = [ ];
+ listenOn = [ config.birdsong.hosts.yevaud.ipv4 ];
+ listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ];
+ zones = {
+ "birdsong.internal" = {
+ master = true;
+ # TODO: pick better email address for SOA record
+ file = pkgs.writeText "birdsong.internal.zone" ''
+ $TTL 60
+ $ORIGIN birdsong.internal.
+
+ birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 )
+ birdsong.internal. IN NS ns.birdsong.internal.
+
+ yevaud.c.birdsong.internal. IN A 10.127.1.1
+ yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1
+
+ ns.birdsong.internal. IN A 10.127.1.1
+ ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1
+ '';
+ };
+ };
+ };
+ networking.resolvconf.useLocalResolver = false;
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
+
 randomcat.services.zfs.datasets = {
 "rpool/state" = { mountpoint = "none"; };
 "rpool/state/forgejo" = { mountpoint = "/var/lib/forgejo"; };
diff --git a/hosts/yevaud/experiments/birdsong-dns.nix b/hosts/yevaud/experiments/birdsong-dns.nix
deleted file mode 100644
index 036e499..0000000
--- a/hosts/yevaud/experiments/birdsong-dns.nix
+++ /dev/null
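Review bot: `networking.firewall.allowedTCPPorts = [ 53 ];` and `networking.firewall.allowedUDPPorts = [ 53 ];` are unconditional while the `enable = true;` above them is still commented out, so this hunk opens port 53 on every interface with no listener behind it, and the rules will outlive the service if it is later dropped. Gate them on the service instead: `networking.firewall.allowedTCPPorts = lib.mkIf config.services.bind.enable [ 53 ];` and the same for `allowedUDPPorts` (`lib` and `config` are already in scope in this module). Since `listenOn`/`listenOnIpv6` bind only the host's birdsong addresses, the interface-scoped `networking.firewall.interfaces.<birdsong-iface>.allowedUDPPorts` form would also keep 53 off the external interface; the interface name is not visible in this hunk, so I cannot fill it in. The two `cacheNetworks` prefixes deserve a why-comment, e.g. `# limit clients to the birdsong overlay prefixes; this is not a public resolver`. The enclosing module attribute set starts and ends outside the hunk.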
@@ -1,33 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- services.bind = {
- # enable = true;
- cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
- forwarders = [ ];
- listenOn = [ config.birdsong.hosts.yevaud.ipv4 ];
- listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ];
- zones = {
- "birdsong.internal" = {
- master = true;
- # TODO: pick better email address for SOA record
- file = pkgs.writeText "birdsong.internal.zone" ''
- $TTL 60
- $ORIGIN birdsong.internal.
-
- birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 )
- birdsong.internal. IN NS ns.birdsong.internal.
-
- yevaud.c.birdsong.internal. IN A 10.127.1.1
- yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1
-
- ns.birdsong.internal. IN A 10.127.1.1
- ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1
- '';
- };
- };
- };
- networking.resolvconf.useLocalResolver = false;
- networking.firewall.allowedTCPPorts = [ 53 ];
- networking.firewall.allowedUDPPorts = [ 53 ];
-}
diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix
deleted file mode 100644
index 98e84c6..0000000
--- a/hosts/yevaud/experiments/pennykettle.nix
+++ /dev/null
@@ -1,85 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- networking.nat.enable = true;
- networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
- networking.nat.externalInterface = "ens3";
- networking.firewall.allowedUDPPorts = [ 51821 ];
-
- containers."pennykettle1" = {
- privateNetwork = true;
- extraVeths."ve-pennykettle1" = {
- hostAddress = "10.235.1.1";
- localAddress = "10.235.2.1";
- forwardPorts = [{ hostPort = 51821; }];
- };
- ephemeral = true;
- autoStart = true;
- bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle1.path;
-
- config = { config, pkgs, ... }: {
- system.stateVersion = "24.05";
- systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
- environment.systemPackages = [ pkgs.wireguard-tools ];
-
- networking.useDHCP = false;
- networking.useHostResolvConf = false;
- networking.firewall.allowedUDPPorts = [ 51821 ];
- systemd.network = {
- enable = true;
-
- networks."10-ve" = {
- matchConfig.Name = "ve-pennykettle1";
- networkConfig.Address = "10.235.2.1/32";
- # linkConfig.RequiredForOnline = "routable";
- routes = [{
- routeConfig = {
- Gateway = "10.235.1.1";
- Destination = "217.138.216.162/32";
- };
- }];
- };
-
- networks."30-protonvpn" = {
- matchConfig.Name = "wg-protonvpn";
- networkConfig = {
- DefaultRouteOnDevice = true;
- Address = [ "10.2.0.2/32" ];
- DNS = "10.2.0.1";
- };
- linkConfig = {
- RequiredForOnline = "yes";
- ActivationPolicy = "always-up";
- };
- };
-
- netdevs."30-protonvpn" = {
- netdevConfig = {
- Name = "wg-protonvpn";
- Kind = "wireguard";
- Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
- };
- wireguardConfig = {
- ListenPort = 51821;
- PrivateKeyFile = "/run/secrets/wg-key";
- };
- wireguardPeers = [{
- wireguardPeerConfig = {
- PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
- AllowedIPs = "0.0.0.0/0";
- Endpoint = "217.138.216.162:51820";
- PersistentKeepalive = 5;
- };
- }];
- };
- };
- };
- };
-
- age.secrets.protonvpn-pennykettle1 = {
- file = ../../../secrets/protonvpn-pennykettle1.age;
- owner = "root";
- group = "systemd-network";
- mode = "640";
- };
-}
\ No newline at end of file
diff --git a/secrets.nix b/secrets.nix
index 61abf6e..82036db 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -10,7 +10,6 @@ let
 wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya;
 wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya;
 wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya;
- protonvpn-pennykettle1 = [ machines.yevaud ] ++ keys.users.qenya;
 };
 in
 builtins.listToAttrs (
diff --git a/secrets/protonvpn-pennykettle1.age b/secrets/protonvpn-pennykettle1.age
deleted file mode 100644
index e58dc56..0000000
--- a/secrets/protonvpn-pennykettle1.age
+++ /dev/null
@@ -1,9 +0,0 @@
-age-encryption.org/v1 --> ssh-ed25519 uJfgGw +h4WiWyMlQZ5iaMFTl/whUD0vJnIN0GYeqRbZ0MIH0o -eKio4DsSJlrvSAjmR0naDO/lmB78o7cy7QC9WZjHUa0 --> ssh-ed25519 seJ9Iw xov8WY0TxEj5/wkWg1T0kmrbpXsNhDLnZwqyIg0eExA -wu5QApQk6K8Fu5XMTrWY2veoYbJVuQmn3DJXewVB860 --> ssh-ed25519 900ILw N6RbpHr4Vwgm0BUCuMXzVo3VEgrl29NF8ZJU5Far7yk -KdA1dZXmcSF3cH9bVdmIbj7iZO3uuSY+isjswDzSu+Y ---- YtnS9FqXVat2hi9BLvX+71HEZDw3zcxIQ7Dp5+iao4c -a'|N7NT5]O0Sm<-1:dg^/u7N?XM~s.9cC \ No newline at end of file