shelvacu/nix-stuff
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: shelvacu:master
Branches Tags
shelvacu:master shelvacu:doofnet shelvacu:feat-nice shelvacu:repos shelvacu:wip-2024-09-doof shelvacu:fw-experiment shelvacu:wip-2024-09-verify-system shelvacu:restricted-inputs shelvacu:liam-relay shelvacu:add-mar shelvacu:wip-commands2 shelvacu:wip-commands shelvacu:wip-devver shelvacu:wip-nod
...
pull from: shelvacu:doofnet
Branches Tags
shelvacu:master shelvacu:doofnet shelvacu:feat-nice shelvacu:repos shelvacu:wip-2024-09-doof shelvacu:fw-experiment shelvacu:wip-2024-09-verify-system shelvacu:restricted-inputs shelvacu:liam-relay shelvacu:add-mar shelvacu:wip-commands2 shelvacu:wip-commands shelvacu:wip-devver shelvacu:wip-nod

10 Commits
master ... doofnet

Author SHA1 Message Date
Shelvacu
fce17b26d4 stuff 2025-03-17 18:14:50 -07:00
Shelvacu
6370602c9e stuff 2025-03-16 21:39:21 -07:00
Shelvacu
12d0e071c4 stuff 2025-03-16 21:26:36 -07:00
Shelvacu
cbf69716b6 stuff 2025-03-16 21:23:35 -07:00
Shelvacu
966b6978b1 stuff 2025-03-16 20:37:35 -07:00
Shelvacu
ef48b07adb what if no awootrip 2025-03-16 20:25:37 -07:00
Shelvacu
2f9a1fec52 wip 2025-03-16 20:25:34 -07:00
Shelvacu
d512c1b1a7 wip 2025-03-16 20:22:41 -07:00
Shelvacu
3461b7c3ee wip 2025-03-16 20:22:37 -07:00
Shelvacu
119d19d5eb wip 2025-03-16 20:21:57 -07:00
13 changed files with 550 additions and 97 deletions
Expand all files Collapse all files

10
common/sops-integrate.nix Normal file
View File

@@ -0,0 +1,10 @@
{
inputs,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
sops.defaultSopsFile = config.vacu.secretsFolder + "/${config.vacu.hostName}/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}

4
common/sops.nix
View File

@@ -70,4 +70,8 @@ in
{ {
options.vacu.sopsConfigFile = vaculib.mkOutOption sopsConfigFile; options.vacu.sopsConfigFile = vaculib.mkOutOption sopsConfigFile;
options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops; options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
};
} }

6
compute-deck/default.nix
View File

@@ -52,12 +52,6 @@
jupiter-hw-support jupiter-hw-support
steamdeck-firmware steamdeck-firmware
steamdeck-bios-fwupd steamdeck-bios-fwupd
cargo
clippy
rust-analyzer
rustc
rustfmt
rustup
]; ];
# boot.kernelPatches = [ # boot.kernelPatches = [

2
flake.nix
View File

@@ -211,7 +211,7 @@
nixosConfigurations = { nixosConfigurations = {
triple-dezert = mkNixosConfig { triple-dezert = mkNixosConfig {
module = ./triple-dezert; module = ./triple-dezert;
inp = [ "most-winningest" ]; inp = [ "most-winningest" "sops-nix" ];
}; };
compute-deck = mkNixosConfig { compute-deck = mkNixosConfig {
module = ./compute-deck; module = ./compute-deck;

12
liam/sops.nix
View File

@@ -1,20 +1,10 @@
{ {
inputs,
lib,
config, config,
... ...
}: }:
{ {
imports = [ inputs.sops-nix.nixosModules.sops ]; imports = [ ../common/sops-integrate.nix ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
};
config = { config = {
sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.dovecot-passwd = { sops.secrets.dovecot-passwd = {
restartUnits = [ "dovecot2.service" ]; restartUnits = [ "dovecot2.service" ];
}; };

102
secrets/triple-dezert/main.yaml Normal file
View File

@@ -0,0 +1,102 @@
wireguardKey: ENC[AES256_GCM,data:DKYfUoNLxjev3LfIx99OBMbxmqlAux73DLRN708lsW/dXRopPV2Dxb3DLg0=,iv:RpmOsqMVk2e/UK6hMFzNXvQx8XnWyu4Cgov+M7UbmA0=,tag:+nTZsL6usJSjtUbOn7140A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwRTAvUkUvUkMxZ0NFR1Nu
VWxmM1RIQ1V5Y2J3c2xjbUY0a2YzOWZrN0R3CjdoYmJIYnA5MDZ6RFlXNnZaeVpS
M1pUeU9sekdqM0ZsZzd4aVJxemNPSlkKLS0tIE9FZWZ0WTZYYnNaSmZHc1AwT1ZU
Q0w4QTN5Y3dNMTJENkE2RWlWQVBaS3cK/1ZsmvL1SDgxbP/mtju5GzGeyDFYVGlk
08Xd0xLOszBZYrtgHv10aY7UnNdj5jHZNM5wFyXEnzkzg+qAIRtZSw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNGwrMjF6eEQrQ2prcDIw
VUozR0hYTm9NZEp1b2tsayt3SVFPdEJyN0NnCm9oNjRVL3QvcjB5Y3E0MzRFSHZG
Z2MvNVBZNC9YY3pVNG1uNXRIeDlHTlEKLS0tIDk0Z2o0U3VnWEhjMUk0ekhtWm9h
RHRjVHIvbnV0VTRoMmVzYW1Cbi9rRHMKlaXxRini7/7/Do8eM/xo+6GYUrcJl/dB
zyYymQ4nmyGmdZIl7420bl9jKEt0aKKj0IAFSHYVSuhptK6MsdV59A==
-----END AGE ENCRYPTED FILE-----
- recipient: age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvL2Z4SVFoWDNVOUNnMlVV
Y0xwL1RRakJ0aFR5TXhnZHJqeXRtdDR5VURRClJOZ3RHVkpFTHl0dGhET1ZmUnZG
WTBxTjhiZFc3aFdqM25jYTB1SlR5em8KLS0tIGJJSHVsV3R6MmV3d2c0NVhkNTM4
MXJ1cU16TCtWRnpBWGhnc0F2VE9rUXMKOAWEBi4+fUfqtNF7DIIpla004YHQEgDC
mS0c1ylC662y46/iuwvbCWb56JAQsg5Z5VWQY30d4jG3j1WYhoVroA==
-----END AGE ENCRYPTED FILE-----
- recipient: age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvcGVTVzl3U3lTTVEyT1Vr
RGY3dzQvUmhvSWNjZm5XaGNMQXRHc2Q1SG1VCmdLdmJNQXJFZkt0TGtWUWM2eUFu
OTN5dlRubmg0MUpITStuL2dqdXBlU0EKLS0tIE9Md1JMZ2hvNTFxVDRtekNHUmRu
bGRlUWI5RkZXRkJpemxRTEJ0cHlSaVkK6TkhPO+Ai3kM/SK42dwsnHo9z1Qva2n2
6QZKZuTmDEQ0NMpoKqCaysTPEuLImpAg+1uppP2VXIjzsmq44g6lTw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vla9w33lsp03s46p9p6gc2mvr844vthdqhc2hzau2ph6h60gmyqqh9sf57
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyc01CSGppU0tWUmgrSmJF
Wkk1elBCUG5mcE1UOVJDQmk1RVZWWERTREVRCkZvc09qN0NIWjlibjRJUDJvK2E5
aXdoRFRka2xNa3RIeHdQZ1M4OU9MZncKLS0tIGp2cUU2ZnN6Y2JkWmt2dEcvc2Vz
RlFCeWo3dGE0UDI4K1FlZmxPclBHVGcK7EH+aGzfMkdLO15zGyVGVb0LirI/3Zy1
SDvBE2HamT6ZrRLiSeWUSgyZEoT0OiF+VdrSYDBQGwDMOQGKTz/0MQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jy8mxcndkw6zd6q99tjgz3gsynn78x2lwtrff85u6ud9g9y9z5mspvhufl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWVVWM1EwMTA5Rm9pK0R0
d3VXdkpNTElxQ2F0STNIUnlhaTYyaTlYb0EwCk15eGxlV3FrYW1HVU1UTnpEalZP
NmNVY25ycCtOMlRSTXlFMGRWbC9xOWMKLS0tIFJETDNxMTlnRHJkMEQ1Y2VWOHBa
TEtkT05IZ3hKSzBKL2hScEJvaUVYYXcKJxyH9NKX9jNXPfmVzJ2iy0gPPm4oDH0E
hrZb15BGDSSTt78hPbD72SErZp0HMx0+iNXMdtWivHar42EwaNC72w==
-----END AGE ENCRYPTED FILE-----
- recipient: age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMjR4MitETHgrVm4wMldv
WldFOWpPVktwMmNQalEvb2IwRFZTR1pzanpFCnhIbUtXWXJ0eU9kVVdJY1NBTmRn
WU5GcTBqVVYzcEIvaWdkZlM2WnN1eUUKLS0tIDQ4WE1XRCtVd2NjanYrbHFMQjJ1
czdEQlFkRTRNMG5BN2xVaXJwRnZGb1UK66x5rIk51s8ODrQjb21VtXBHoCq77MvJ
wogUPYmb9Z9gAu7VY1v+7exxVR5div5jOfnP/ZS1bm7cag9QkrwRKw==
-----END AGE ENCRYPTED FILE-----
- recipient: age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2d01IaHNMQThtK1FzSzFS
SmhaVmwxRjI2Z2hPZklwSUc1TzlHMTVzRTJnCnRNRXd4WlVkNy9hN0I4T0NFaEd2
YVlyZFNBZFlHWmVqMGVxVHRnSG1XZnMKLS0tIFRVaGsrRWk1c0M4SEJOQm5Yc2pH
NjZTOWZiSnZya0N0R2hqOWVMbjcvKzQKZThtpBPRtQ1/Avl0oP+SuUjk/3indo7F
r0ujmmWyhMYLpN/rmrx92PaZmZiVhd5i24t1J6YHFH/sVJHS3pO1sw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1T1Z3OXMrZjA1dlJLS2ZL
QmVwRnpvdzh4SHpHbVRiVUdsbkI1c05wSlZRCkV4OEVPdjVvMHRZR0h3ZU93czlK
eE03UUNyMzlUN0U5a3JlUHowdkY0amMKLS0tIENkMlhrOC9FUkwzTVU1RXVDbTNl
Z0c2aFVmTGIwb1FBNGhyT3NNcFpDaVkKgxAa5nRN9UbnOsayzA4QYo8nVBvIrB1X
6NfNOREgqeVFteSLiWIJqrJdVzm4GIONawZ08cMZ2O1IYgqgi7pUMw==
-----END AGE ENCRYPTED FILE-----
- recipient: age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZGlNYjlzVjNlRnludk9O
MVd3NHFTbXJzKzVxRzN5cGZKQWpsMWNDMUNzCjVTS1ZzSkZrMTBXSVVQQ3E4cEJv
OG1LVER2VWgrSzl6WEh2OVV0UldOQTQKLS0tIHlPQk92MlVDbE4wSmlpMG5RNkty
ejJsSnNURTUrbm1RcmlhK28rMDhwZkUKR5y6B3rSdJqqb4KNhLeHvhIUgbAg878g
jSKi0GD9Vw3Wi5TsD8IyY317u582Q7Zidt6bxLyhG+3tYQMBuz3MZA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-17T03:55:19Z"
mac: ENC[AES256_GCM,data:7aPjw0ozNo7lKszRDj+6AnLO6l1MZw8c2saICV965IjD7GpH/SgDQAQQIWp7MZoZ1dv4p2E1iuG6tL9LufSNaYk/wYWDHilJ6MRYRjaL1GCCQgaMVkLNU7h61Y3khllui4SxkXc8wBM7CYwa/quCm4MYvvMXBif8nKi+a7/5IZw=,iv:4m6z64zDcCRwgGNlYsOwq8lBbm6VTtqdxn4mWAkG7ag=,tag:+X+capCZ9hgTbygeronz0w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

18
tests/liam.nix
View File

@@ -26,10 +26,7 @@ let
relayPass = "asdfghjkl"; relayPass = "asdfghjkl";
relayPassFile = pkgs.writeText "relay-password-file" "${relayUser}:${relayPass}"; relayPassFile = pkgs.writeText "relay-password-file" "${relayUser}:${relayPass}";
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF"; testSecrets = {
testAgeSecretFile = pkgs.writeText "test-age-key" testAgeSecret;
sopsTestSecrets = {
"dovecot-passwd" = "dovecot-passwd" =
(lib.concatStringsSep "\n" ( (lib.concatStringsSep "\n" (
map (name: "${name}:{plain}${name}::::::") [ map (name: "${name}:{plain}${name}::::::") [
@@ -61,13 +58,7 @@ let
''; '';
relay_creds = "[${relayDomain}]:587 ${relayUser}:${relayPass}"; relay_creds = "[${relayDomain}]:587 ${relayUser}:${relayPass}";
}; };
sopsTestSecretsYaml = pkgs.writeText "test-secrets-plain.json.yaml" ( sopsStub = import ./sopsStub.nix { inherit pkgs testSecrets; file = "liam/main.yaml"; };
builtins.toJSON sopsTestSecrets
);
sopsTestSecretsFolder = pkgs.runCommand "test-secrets-encrypted" { } ''
mkdir -p $out/liam
SOPS_AGE_KEY="${testAgeSecret}" ${pkgs.sops}/bin/sops --verbose -e --age "$(echo "${testAgeSecret}" | ${pkgs.age}/bin/age-keygen -y)" ${sopsTestSecretsYaml} --output-type yaml > $out/liam/main.yaml
'';
in in
{ {
name = "liam-receives-mail"; name = "liam-receives-mail";
@@ -145,6 +136,7 @@ in
imports = [ imports = [
../common ../common
../liam ../liam
sopsStub.module
]; ];
vacu.underTest = true; vacu.underTest = true;
#systemd.tmpfiles.settings."69-whatever"."/run/secretKey".L.argument = "${testAgeSecretFile}"; #systemd.tmpfiles.settings."69-whatever"."/run/secretKey".L.argument = "${testAgeSecretFile}";
@@ -158,14 +150,12 @@ in
"postfix.service" "postfix.service"
"dovecot2.service" "dovecot2.service"
]; ];
vacu.secretsFolder = "${sopsTestSecretsFolder}";
vacu.liam.relayhosts = { vacu.liam.relayhosts = {
shelvacuAlt = "[badhost.blarg]:587"; shelvacuAlt = "[badhost.blarg]:587";
allDomains = "[${relayDomain}]:587"; allDomains = "[${relayDomain}]:587";
}; };
system.activationScripts.sopsHack.text = "ln -s ${testAgeSecretFile} /run/secretKey";
system.activationScripts.setupSecrets.deps = [ "sopsHack" ];
sops.age.keyFile = "/run/secretKey"; sops.age.keyFile = "/run/secretKey";
services.do-agent.enable = false; services.do-agent.enable = false;
virtualisation.digitalOcean = { virtualisation.digitalOcean = {
seedEntropy = false; seedEntropy = false;

28
tests/sopsStub.nix Normal file
View File

@@ -0,0 +1,28 @@
{
pkgs,
file,
testSecrets,
}:
let
inherit (builtins) isString isAttrs;
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
testAgeSecretFile = pkgs.writeText "test-age-key" testAgeSecret;
secretsYaml = pkgs.writeText "test-secrets-plain.json.yaml" (
builtins.toJSON testSecrets
);
secretsFolder = pkgs.runCommand "test-secrets-encrypted" { } ''
mkdir -p $(dirname $out/${file})
SOPS_AGE_KEY="${testAgeSecret}" ${pkgs.sops}/bin/sops --verbose -e --age "$(echo "${testAgeSecret}" | ${pkgs.age}/bin/age-keygen -y)" ${secretsYaml} --output-type yaml > $out/${file}
'';
in
assert isString file;
assert isAttrs testSecrets;
{
inherit testSecrets secretsFolder testAgeSecret testAgeSecretFile;
module = {
vacu.secretsFolder = "${secretsFolder}";
system.activationScripts.sopsHack.text = "ln -s ${testAgeSecretFile} /run/secretKey";
system.activationScripts.setupSecrets.deps = [ "sopsHack" ];
sops.age.keyFile = "/run/secretKey";
};
}

257
tests/triple-dezert.nix
View File

@@ -1,9 +1,232 @@
{ nodes, ... }: { pkgs, lib, nodes, ... }:
# tun-sea.doof.net:53263
let
make-pubkey-deriv = privkey:
pkgs.runCommand "wireguard-pubkey.nix" {} ''
pubkey="$(echo ${lib.escapeShellArg privkey} | ${lib.getExe pkgs.wireguard-tools} pubkey)"
echo '"'"$pubkey"'"' > $out
''
;
pubkey-of = privkey:
import (make-pubkey-deriv privkey)
;
vlans = {
the_internet = 2;
lan = 3;
};
doof-wireguard-key = "dooftestAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
trip-wireguard-key = "triptestAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
address = address: prefixLength: { inherit address prefixLength; };
doof-tunnel-host = "tun-sea.doof.net";
doof-tunnel-ip = "205.201.63.44";
doof-shelvacu-ip = "205.201.63.13";
do-shelvacu-ip = "172.83.159.53";
router-ip = "97.113.74.146";
internet-pinger-ip = "1.2.3.4";
lan-pinger-ip = "10.78.76.69";
lan-routes = [
(address "10.78.76.0" 22)
(address do-shelvacu-ip 32) #digitalocean ip
(address "205.201.63.12" 32) #colin's doof ip
(address doof-shelvacu-ip 32) #my doof ip
];
internet-module = publicAddr: { ... }: {
config = {
virtualisation.interfaces.internet0.vlan = vlans.the_internet;
networking.interfaces.internet0.ipv4 = {
addresses = [ (address publicAddr 32) ];
routes = [
{
address = "0.0.0.0";
prefixLength = 0;
options.scope = "link";
}
{
address = "205.201.63.0";
prefixLength = 24;
via = doof-tunnel-ip;
options.scope = "global";
}
];
};
};
};
in
{ {
name = "trip-megatest"; name = "trip-megatest";
nodes.triple-dezert = defaults = {
users.users.test = {
password = "test";
isNormalUser = true;
extraGroups = [ "wheel" ];
};
# disable the default eth0 interface
virtualisation.qemu.networkingOptions = lib.mkForce [];
};
nodes.internet-pinger =
{ ... }:
{
imports = [ (internet-module internet-pinger-ip) ];
}
;
nodes.doof =
{ lib, config, ... }: { lib, config, ... }:
let
in
{
imports = [ (internet-module doof-tunnel-ip) ];
networking.wireguard.enable = true;
networking.wireguard.interfaces.wg0 = {
listenPort = 53263;
privateKeyFile = "${pkgs.writeText "doof-test-wg-key" doof-wireguard-key}";
peers = [
{
publicKey = pubkey-of trip-wireguard-key;
allowedIPs = [ "205.201.63.13/32" "2602:fce8:106:10::/64" ];
}
];
};
networking.interfaces.wg0.ipv4.routes = [ {
address = "205.201.63.13";
prefixLength = 32;
} ];
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv4.conf.default.forwarding" = true;
};
}
;
# nodes.awoo =
# { pkgs, lib, ... }:
# let
# arping = lib.getExe' pkgs.iputils "arping";
# arping_hack_script = ''
# while true; do
# for ip in ${doof-tunnel-ip} ${router-ip} ${internet-pinger-ip}; do
# ${arping} -i eth0 -S 172.83.159.53 $ip -c 1 -w 20
# done
# sleep 5
# done
# '';
# in
# {
# systemd.services.arping-hack = {
# wantedBy = [ "openvpn-awootrip.service" ];
# script = arping_hack_script;
# };
# services.openvpn.servers.awootrip = {
# autoStart = true;
# up = ''
# PATH="${pkgs.iptables}/bin:${pkgs.iproute2}/bin:$PATH"
# PUBIP=172.83.159.53
# TUNIP=10.16.237.2
# TUNIP2=10.16.237.1
#
# iptables -F awootrip-forward
# iptables -A awootrip-forward -s $PUBIP/32 -i at4 -j ACCEPT
# iptables -A awootrip-forward -d $TUNIP/32 -o at4 -j ACCEPT
#
# ip route flush table awootrip
# ip rule add iif at4 lookup awootrip
# ip route add default via 45.142.157.1 dev eth0 table awootrip
#
# for dev in at4 eth0; do
# tc qdisc del dev $dev ingress || true
# tc qdisc del dev $dev root || true
#
# #tc qdisc add dev $dev root handle 1: htb
# tc qdisc add dev $dev ingress
# done
# # this is it! This is the magical stateless NAT
# tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip dst $PUBIP action nat ingress $PUBIP $TUNIP
#
# tc filter add dev at4 parent ffff: protocol ip prio 1 u32 match ip dst $TUNIP2 flowid ffff:1
# tc filter add dev at4 parent ffff: protocol ip prio 2 flowid ffff:2
#
# #tc filter add dev at4 parent ffff: protocol ip prio 1 u32 match ip src $TUNIP action nat egress $TUNIP $PUBIP
# tc filter add dev at4 parent ffff:2 protocol ip prio 100 u32 match ip src $TUNIP action nat egress $TUNIP $PUBIP
# '';
# config = ''
# dev at4
# dev-type tun
# ifconfig 10.16.237.1 10.16.237.2
# secret ${awootrip-key-file}
# cipher AES-256-CBC
#
# #keepalive 10 60
# #ping-timer-rem
# ping 1
# ping-restart 6
# persist-tun
# persist-key
#
# up-delay
#
# script-security 2
#
# #up awootrip/up.sh
# #down awootrip/down.sh
#
# tun-mtu 1500
# fragment 1300
# mssfix
#
# verb 4
# '';
# };
# virtualisation.interfaces.eth0.vlan = vlans.the_internet;
#
# networking.interfaces = {
# eth0.ipv4.addresses = [ (address "45.142.157.71" 0) ];
# at4 = {
# virtual = true;
# # proxyARP = true;
# };
# };
# }
# ;
nodes.router =
{ lib, config, ... }:
{
imports = [ (internet-module router-ip) ];
networking.nat = {
enable = true;
internalIPs = [ "10.78.76.0/22" ];
internalInterfaces = [ "lan0" ];
externalInterface = "internet0";
};
virtualisation.interfaces.lan0.vlan = vlans.lan;
networking.interfaces = {
lan0.ipv4 = {
addresses = [ (address "10.78.79.1" 32) ];
routes = lan-routes;
};
};
}
;
nodes.lan-pinger =
{ ... }:
{
networking.interfaces.lan0.ipv4 = {
addresses = [ (address lan-pinger-ip 32) ];
routes = lan-routes;
};
virtualisation.interfaces.lan0.vlan = vlans.lan;
}
;
nodes.triple-dezert =
{ pkgs, lib, config, ... }:
let let
domains = builtins.attrNames config.security.acme.certs; domains = builtins.attrNames config.security.acme.certs;
disableAcmes = builtins.listToAttrs ( disableAcmes = builtins.listToAttrs (
@@ -23,33 +246,38 @@
}; };
}) domains }) domains
); );
unitsToDisable = [ containers = builtins.attrNames config.containers;
"container@vacustore.service" containersToDisable = builtins.filter (n: n != "frontproxy") containers;
"container@nix-cache-nginx.service"
"openvpn-awootrip.service"
];
disableUnits = builtins.listToAttrs ( disableUnits = builtins.listToAttrs (
map (u: { map (containerName: {
name = u; name = "container@${containerName}.service";
value = { value = {
enable = lib.mkForce false; enable = lib.mkForce false;
}; };
}) unitsToDisable }) containersToDisable
); );
testSecrets = { wireguardKey = trip-wireguard-key; };
sopsStub = import ./sopsStub.nix { inherit pkgs testSecrets; file = "triple-dezert/main.yaml"; };
in in
{ {
imports = [ imports = [
../common ../common
../triple-dezert ../triple-dezert
sopsStub.module
]; ];
vacu.underTest = true; vacu.underTest = true;
systemd.services = disableAcmes // reEnableSelfsigned; systemd.services = disableAcmes // reEnableSelfsigned;
systemd.units = disableUnits; systemd.units = disableUnits;
#vacu.secretsFolder = ./test_secrets;
#sops.age.sshKeyPaths = [ ./test_key ];
boot.zfs.extraPools = lib.mkForce [ ]; boot.zfs.extraPools = lib.mkForce [ ];
security.acme.defaults.email = lib.mkForce "me@example.org"; security.acme.defaults.email = lib.mkForce "me@example.org";
security.acme.defaults.server = lib.mkForce "https://example.com"; # self-signed only security.acme.defaults.server = lib.mkForce "https://example.com"; # self-signed only
vacu.network.doofPubKey = lib.mkForce (pubkey-of doof-wireguard-key);
virtualisation.interfaces."eno1" = {
vlan = vlans.lan;
};
networking.extraHosts = "${doof-tunnel-ip} ${doof-tunnel-host}";
}; };
# nodes.checker = { pkgs, lib, ... }: { # nodes.checker = { pkgs, lib, ... }: {
@@ -107,5 +335,10 @@
raise Exception("Timeout") raise Exception("Timeout")
triple_dezert.wait_for_open_port(80) triple_dezert.wait_for_open_port(80)
triple_dezert.succeed("curl -vv http://shelvacu.com/ --resolve shelvacu.com:80:127.0.0.1") triple_dezert.succeed("curl -vv http://shelvacu.com/ --resolve shelvacu.com:80:127.0.0.1")
# internet_pinger.succeed("curl -vv http://shelvacu.com/ip --resolve shelvacu.com:80:${do-shelvacu-ip}")
internet_pinger.succeed("curl -vv http://shelvacu.com/ip --resolve shelvacu.com:80:${doof-shelvacu-ip}")
# lan_pinger.succeed("curl -vv http://shelvacu.com/ip --resolve shelvacu.com:80:${do-shelvacu-ip}")
lan_pinger.succeed("curl -vv http://shelvacu.com/ip --resolve shelvacu.com:80:${doof-shelvacu-ip}")
''; '';
} }

65
triple-dezert/awootrip.nix
View File

@@ -1,4 +1,10 @@
{
config,
lib,
...
}:
let let
cfg = config.vacu.network;
prefix = "10.16.237."; prefix = "10.16.237.";
tripAddr = prefix + "2"; tripAddr = prefix + "2";
awooAddr = prefix + "1"; awooAddr = prefix + "1";
@@ -6,6 +12,11 @@ let
tunnelName = "awootrip"; tunnelName = "awootrip";
in in
{ {
vacu.network.ips = {
awootrip-trip = tripAddr;
awootrip-awoo = awooAddr;
awootrip-global = "172.83.159.53";
};
systemd.network.netdevs.${devName} = { systemd.network.netdevs.${devName} = {
netdevConfig = { netdevConfig = {
Kind = "tun"; Kind = "tun";
@@ -14,30 +25,34 @@ in
enable = true; enable = true;
}; };
systemd.network.networks."05-${tunnelName}net".extraConfig = '' systemd.network.networks."05-${tunnelName}net" = {
[Match] name = devName;
Name = ${devName} linkConfig.Unmanaged = false;
networkConfig = {
[Link] LinkLocalAddressing = false;
Unmanaged = no ConfigureWithoutCarrier = true;
};
[Network] addresses = [ {
LinkLocalAddressing = no addressConfig = {
ConfigureWithoutCarrier = yes Address = "${cfg.ips.awootrip-trip}/32";
Peer = "${cfg.ips.awootrip-awoo}/32";
[Address] Scope = "link";
Address = ${tripAddr}/32 };
Peer = ${awooAddr} } ];
Scope = link routes = lib.singleton {
Gateway = cfg.ips.awootrip-awoo;
[Route] Table = tunnelName;
Gateway=${awooAddr} };
Table=${tunnelName} routingPolicyRules = lib.singleton {
From = "${cfg.ips.awootrip-trip}/32";
[RoutingPolicyRule] Table = tunnelName;
From=${tripAddr} };
Table=${tunnelName} };
''; systemd.network.networks.${cfg.lan_bridge_network} = {
address = with cfg.ips; [
awootrip-global
];
};
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
if ! (iptables -t mangle -n --list ${tunnelName}-prerouting > /dev/null 2>&1); then if ! (iptables -t mangle -n --list ${tunnelName}-prerouting > /dev/null 2>&1); then
@@ -60,7 +75,7 @@ in
nobind nobind
dev ${devName} dev ${devName}
dev-type tun dev-type tun
ifconfig ${tripAddr} ${awooAddr} # ifconfig ${tripAddr} ${awooAddr}
secret /root/awootrip/awootrip.key secret /root/awootrip/awootrip.key
cipher AES-256-CBC cipher AES-256-CBC

4
triple-dezert/default.nix
View File

@@ -2,7 +2,7 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./awootrip.nix # ./awootrip.nix
./database.nix ./database.nix
#./vms.nix #./vms.nix
./networking.nix ./networking.nix
@@ -13,6 +13,8 @@
./sops.nix ./sops.nix
# ./disko.nix # ./disko.nix
./docker.nix ./docker.nix
../common/sops-integrate.nix
./doofnet.nix
]; ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;

65
triple-dezert/doofnet.nix Normal file
View File

@@ -0,0 +1,65 @@
{
lib,
config,
...
}:
let
inherit (lib) mkOption types;
cfg = config.vacu.network;
doof_if = "wg-doof";
tunnelName = "doofTun";
in
{
options.vacu.network.doofPubKey = mkOption {
type = types.str;
};
config = {
vacu.network.ips = {
doofStatic4 = "205.201.63.13";
doofStatic6 = "2602:fce8:106:10::1";
};
vacu.network.doofPubKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
sops.secrets.wireguardKey = {};
systemd.network.config.routeTables.${tunnelName} = 422;
systemd.network.config.addRouteTablesToIPRoute2 = true;
systemd.network.netdevs.${doof_if} = {
netdevConfig = {
Kind = "tun";
Name = doof_if;
};
wireguardConfig = {
# FirewallMark = "0xd00f";
PrivateKeyFile = config.sops.secrets.wireguardKey.path;
};
wireguardPeers = [ {
wireguardPeerConfig = {
PublicKey = cfg.doofPubKey;
Endpoint = "tun-sea.doof.net:53263";
AllowedIPs = [ "0.0.0.0/0" "::/0" ];
};
} ];
};
systemd.network.networks."15-doof" = {
name = doof_if;
routes = lib.singleton {
Table = tunnelName;
};
routingPolicyRules = [
# {
# To = cfg.ips.t2dSubnets;
# Type = "nop";
# }
{
From = "${cfg.ips.doofStatic4}/32";
Table = tunnelName;
}
];
};
systemd.network.networks.${cfg.lan_bridge_network} = {
address = [
"${cfg.ips.doofStatic4}/32"
"${cfg.ips.doofStatic6}/128"
];
};
};
}

74
triple-dezert/networking.nix
View File

@@ -1,8 +1,14 @@
# Partially based on https://astro.github.io/microvm.nix/simple-network.html # Partially based on https://astro.github.io/microvm.nix/simple-network.html
{ config, lib, ... }: { config, lib, ... }:
let let
bridge = config.vacu.network.lan_bridge; cfg = config.vacu.network;
bridge = cfg.lan_bridge;
lan_port = "eno1"; lan_port = "eno1";
lan_route = {
Gateway = cfg.ips.t2dRouter;
GatewayOnLink = true;
};
address = address: prefixLength: { inherit address prefixLength; };
in in
{ {
options = { options = {
@@ -11,17 +17,29 @@ in
default = "br-main"; default = "br-main";
readOnly = true; readOnly = true;
}; };
vacu.network.lan_bridge_network = lib.mkOption {
type = lib.types.str;
default = "01-lan-bridge";
readOnly = true;
};
vacu.network.ips = lib.mkOption {
type = lib.types.attrsOf lib.types.anything;
default = {};
};
}; };
config = { config = {
vacu.network.ips = {
t2dLANStatic = "10.78.79.237";
t2dSubnets = [ "10.78.76.0/22" "205.201.63.12/32" ];
t2dRouter = "10.78.79.1";
};
networking.useNetworkd = true; networking.useNetworkd = true;
systemd.network.enable = true; systemd.network.enable = true;
systemd.network.networks."00-lan".extraConfig = '' systemd.network.networks."00-lan" = {
Bridge = ${bridge} bridge = [ bridge ];
name = lan_port;
[Match] };
Name = ${lan_port}
'';
systemd.network.netdevs.${bridge} = { systemd.network.netdevs.${bridge} = {
netdevConfig = { netdevConfig = {
@@ -30,27 +48,29 @@ in
}; };
}; };
systemd.network.networks."01-lan-bridge".extraConfig = '' systemd.network.networks.${cfg.lan_bridge_network} = {
DHCP = no name = bridge;
Address = 172.83.159.53/32 DHCP = "no";
Address = 10.78.79.237/22 address = [
Gateway = 10.78.79.1 "${cfg.ips.t2dLANStatic}/22"
DNS = 10.78.79.1 ];
Domains = t2d.lan routes = [
(lan_route // {
Source = cfg.ips.t2dLANStatic;
Destination = "0.0.0.0/0";
})
(lan_route // {
Source = "0.0.0.0/0";
Destination = cfg.ips.t2dSubnets;
})
];
dns = [ cfg.ips.t2dRouter ];
};
[Match] systemd.network.networks."10-containers" = {
Name = ${bridge} linkConfig.Unmanaged = true;
name = "ve-*";
[Link] };
RequiredForOnline=routeable
'';
systemd.network.networks."10-containers".extraConfig = ''
Unmanaged = yes
[Match]
Name = ve-*
'';
networking.nat = { networking.nat = {
enable = true; enable = true;