qenya/nixfiles
1
0
Fork 0
Code Issues 5 Pull requests Actions Activity

Compare commits

base: qenya:a206f63e6832ee15cc45df6f41f5c6ab02266db0
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost
..
compare: qenya:efa2ce3940dffb7b390f93f1f236bf2056db5fcd
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost

No commits in common. "a206f63e6832ee15cc45df6f41f5c6ab02266db0" and "efa2ce3940dffb7b390f93f1f236bf2056db5fcd" have entirely different histories.
a206f63e68 ... efa2ce3940

5 changed files with 30 additions and 131 deletions
Show stats Expand all files Collapse all files

33
hosts/yevaud/default.nix
View file

@ -4,9 +4,6 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
./experiments/birdsong-dns.nix
./experiments/pennykettle.nix
]; ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
@ -17,6 +14,36 @@
users.users.qenya.extraGroups = [ "wheel" ]; users.users.qenya.extraGroups = [ "wheel" ];
qenya.base-server.enable = true; qenya.base-server.enable = true;
services.bind = {
# enable = true;
cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
forwarders = [ ];
listenOn = [ config.birdsong.hosts.yevaud.ipv4 ];
listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ];
zones = {
"birdsong.internal" = {
master = true;
# TODO: pick better email address for SOA record
file = pkgs.writeText "birdsong.internal.zone" ''
$TTL 60
$ORIGIN birdsong.internal.
birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 )
birdsong.internal. IN NS ns.birdsong.internal.
yevaud.c.birdsong.internal. IN A 10.127.1.1
yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1
ns.birdsong.internal. IN A 10.127.1.1
ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1
'';
};
};
};
networking.resolvconf.useLocalResolver = false;
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
randomcat.services.zfs.datasets = { randomcat.services.zfs.datasets = {
"rpool/state" = { mountpoint = "none"; }; "rpool/state" = { mountpoint = "none"; };
"rpool/state/forgejo" = { mountpoint = "/var/lib/forgejo"; }; "rpool/state/forgejo" = { mountpoint = "/var/lib/forgejo"; };

33
hosts/yevaud/experiments/birdsong-dns.nix
View file

@ -1,33 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.bind = {
# enable = true;
cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
forwarders = [ ];
listenOn = [ config.birdsong.hosts.yevaud.ipv4 ];
listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ];
zones = {
"birdsong.internal" = {
master = true;
# TODO: pick better email address for SOA record
file = pkgs.writeText "birdsong.internal.zone" ''
$TTL 60
$ORIGIN birdsong.internal.
birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 )
birdsong.internal. IN NS ns.birdsong.internal.
yevaud.c.birdsong.internal. IN A 10.127.1.1
yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1
ns.birdsong.internal. IN A 10.127.1.1
ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1
'';
};
};
};
networking.resolvconf.useLocalResolver = false;
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
}

85
hosts/yevaud/experiments/pennykettle.nix
View file

@ -1,85 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking.nat.enable = true;
networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
networking.nat.externalInterface = "ens3";
networking.firewall.allowedUDPPorts = [ 51821 ];
containers."pennykettle1" = {
privateNetwork = true;
extraVeths."ve-pennykettle1" = {
hostAddress = "10.235.1.1";
localAddress = "10.235.2.1";
forwardPorts = [{ hostPort = 51821; }];
};
ephemeral = true;
autoStart = true;
bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle1.path;
config = { config, pkgs, ... }: {
system.stateVersion = "24.05";
systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.useDHCP = false;
networking.useHostResolvConf = false;
networking.firewall.allowedUDPPorts = [ 51821 ];
systemd.network = {
enable = true;
networks."10-ve" = {
matchConfig.Name = "ve-pennykettle1";
networkConfig.Address = "10.235.2.1/32";
# linkConfig.RequiredForOnline = "routable";
routes = [{
routeConfig = {
Gateway = "10.235.1.1";
Destination = "217.138.216.162/32";
};
}];
};
networks."30-protonvpn" = {
matchConfig.Name = "wg-protonvpn";
networkConfig = {
DefaultRouteOnDevice = true;
Address = [ "10.2.0.2/32" ];
DNS = "10.2.0.1";
};
linkConfig = {
RequiredForOnline = "yes";
ActivationPolicy = "always-up";
};
};
netdevs."30-protonvpn" = {
netdevConfig = {
Name = "wg-protonvpn";
Kind = "wireguard";
Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
};
wireguardConfig = {
ListenPort = 51821;
PrivateKeyFile = "/run/secrets/wg-key";
};
wireguardPeers = [{
wireguardPeerConfig = {
PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
AllowedIPs = "0.0.0.0/0";
Endpoint = "217.138.216.162:51820";
PersistentKeepalive = 5;
};
}];
};
};
};
};
age.secrets.protonvpn-pennykettle1 = {
file = ../../../secrets/protonvpn-pennykettle1.age;
owner = "root";
group = "systemd-network";
mode = "640";
};
}

1
secrets.nix
View file

@ -10,7 +10,6 @@ let
wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya; wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya;
wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya; wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya;
wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya; wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya;
protonvpn-pennykettle1 = [ machines.yevaud ] ++ keys.users.qenya;
}; };
in in
builtins.listToAttrs ( builtins.listToAttrs (

9
secrets/protonvpn-pennykettle1.age
View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 uJfgGw +h4WiWyMlQZ5iaMFTl/whUD0vJnIN0GYeqRbZ0MIH0o
eKio4DsSJlrvSAjmR0naDO/lmB78o7cy7QC9WZjHUa0
-> ssh-ed25519 seJ9Iw xov8WY0TxEj5/wkWg1T0kmrbpXsNhDLnZwqyIg0eExA
wu5QApQk6K8Fu5XMTrWY2veoYbJVuQmn3DJXewVB860
-> ssh-ed25519 900ILw N6RbpHr4Vwgm0BUCuMXzVo3VEgrl29NF8ZJU5Far7yk
KdA1dZXmcSF3cH9bVdmIbj7iZO3uuSY+isjswDzSu+Y
--- YtnS9FqXVat2hi9BLvX+71HEZDw3zcxIQ7Dp5+iao4c
¢¼ða'þš|<7C>‡N7N”†ÊT5]O¤0Säm<-1ë»ëª:d®„g¡^/ä†u7µïNû?XþMçûìÄì~Þs.9c¾C