Set up a Tinc VPN
parent
6cec6c4a10
commit
00dc1a3366
@ -0,0 +1,12 @@
|
|||||||
|
{
|
||||||
|
"machine-haless-03.cryto.net" = {
|
||||||
|
ipv4 = "31.7.187.145";
|
||||||
|
internalIpv4 = "10.217.0.5";
|
||||||
|
tincPublicKey = builtins.readFile ./tinc-keys/machine-haless-03.cryto.net.pub;
|
||||||
|
};
|
||||||
|
"machine-borg2-01.cryto.net" = {
|
||||||
|
ipv4 = "205.185.121.93";
|
||||||
|
internalIpv4 = "10.217.0.6";
|
||||||
|
tincPublicKey = builtins.readFile ./tinc-keys/machine-borg2-01.cryto.net.pub;
|
||||||
|
};
|
||||||
|
}
|
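Review bot: `tincPublicKey = builtins.readFile ./tinc-keys/...pub` hands the raw file contents to the consuming module, and `builtins.readFile` keeps a trailing newline if the file has one, so the `Ed25519PublicKey = ...` line generated from it may pick up a stray line break; whether the `.pub` files end in a newline cannot be seen here, but stripping it where the value is used (`lib.removeSuffix "\n"`, or reading with `lib.fileContents`) would make the generated host files independent of how the key files were produced. The attribute set itself has no documentation; a short header comment would help, e.g. `# ipv4: public endpoint other nodes connect to; internalIpv4: this node's address on the VPN interface; tincPublicKey: the Ed25519 public key as written by tinc's key generator, with the "Ed25519PublicKey = " prefix stripped.`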
@ -0,0 +1 @@
|
|||||||
|
FZNH5Z50Tr/Ep0VpbnIBasUxekLteUphr5Vzi6ONrNH
|
@ -0,0 +1 @@
|
|||||||
|
P4MOft3fYOHYpG0I58lYxdZm40u9CXhTH0jvuyIbKZP
|
@ -0,0 +1,62 @@
|
|||||||
|
/* TODO: Translate this to a service/module at some point? Something like 'cryto.network' that handles all the internal-networking stuff. */
|
||||||
|
|
||||||
|
{ hostname, nodes, pingInterval ? 10 }:
|
||||||
|
{ lib, ... }: let
|
||||||
|
/* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
|
||||||
|
generateConfiguration = options:
|
||||||
|
let
|
||||||
|
keys = builtins.attrNames options;
|
||||||
|
toPairs = map (key: {key = key; value = options.${key};});
|
||||||
|
createConfigEntries = map (item: "${item.key} = ${toString item.value}");
|
||||||
|
in
|
||||||
|
builtins.concatStringsSep "\n" (createConfigEntries (toPairs keys));
|
||||||
|
in {
|
||||||
|
deployment.secrets = {
|
||||||
|
"tinc-key" = {
|
||||||
|
source = "../private/${hostname}/tinc-key.priv";
|
||||||
|
destination = "/etc/tinc/cryto/ed25519_key.priv";
|
||||||
|
owner = { user = "tinc.cryto"; };
|
||||||
|
action = [ "systemctl" "restart" "tinc.cryto.service" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.tinc.networks.cryto = {
|
||||||
|
debugLevel = 3;
|
||||||
|
|
||||||
|
extraConfig = generateConfiguration {
|
||||||
|
AutoConnect = "yes";
|
||||||
|
PingInterval = pingInterval;
|
||||||
|
};
|
||||||
|
|
||||||
|
hosts = let
|
||||||
|
mapper = nodeName: nodeConfiguration:
|
||||||
|
lib.nameValuePair
|
||||||
|
/* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */
|
||||||
|
( builtins.replaceStrings [ "." "-" ] [ "_" "_" ] nodeName )
|
||||||
|
( generateConfiguration {
|
||||||
|
# Address = nodeName;
|
||||||
|
/* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */
|
||||||
|
Address = nodeConfiguration.ipv4;
|
||||||
|
Subnet = "${nodeConfiguration.internalIpv4}/32";
|
||||||
|
Ed25519PublicKey = nodeConfiguration.tincPublicKey;
|
||||||
|
} );
|
||||||
|
in lib.mapAttrs' mapper nodes;
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.interfaces."tinc.cryto".ipv4.addresses = [{
|
||||||
|
address = nodes.${hostname}.internalIpv4;
|
||||||
|
prefixLength = 24;
|
||||||
|
}];
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
allowedTCPPorts = [
|
||||||
|
655
|
||||||
|
];
|
||||||
|
allowedUDPPorts = [
|
||||||
|
655
|
||||||
|
];
|
||||||
|
trustedInterfaces = [
|
||||||
|
"tinc.cryto"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
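Review bot: `trustedInterfaces = [ "tinc.cryto" ]` switches the firewall off for everything arriving over the VPN, so any node holding a valid key for the `cryto` network reaches every listening service on this host, not only the ports listed in `allowedTCPPorts`; if that is the intended trust model, say so in a comment next to it, otherwise open only the needed ports per interface (`networking.firewall.interfaces."tinc.cryto".allowedTCPPorts = [ ... ];`, where the NixOS release in use has that option). `debugLevel = 3` is toward the verbose end of tinc's range and will log connection and handshake detail to the journal on every node, so a comment saying whether it is a bring-up setting to be lowered later would help. The `"tinc-key"` secret sets only the owner and leaves the file mode to the deployment tool's default; an explicit restrictive mode (e.g. `permissions = "0400";`, if the tool supports it) would make the intent visible in the module. As a style point, `generateConfiguration` can drop `keys` and `toPairs` in favour of `lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${toString v}") options)`, which yields the same sorted output.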
@ -0,0 +1,5 @@
|
|||||||
|
# From the machine's `private` folder:
|
||||||
|
nix-shell --command 'tinc --batch --config ./ -n cryto generate-ed25519-keys' --packages tinc_pre
|
||||||
|
|
||||||
|
# NOTE: Change the machine name!
|
||||||
|
mv ed25519_key.priv tinc-key.priv && sed -i -r 's/^Ed25519PublicKey = //' ed25519_key.pub && mv ed25519_key.pub ../../configuration/data/tinc-keys/machine-haless-03.cryto.net.pub
|
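Review bot: The machine name is hard-coded in the final `mv` target and the `# NOTE: Change the machine name!` comment relies on the operator editing the command each time; binding it once at the top, `machine=machine-haless-03.cryto.net`, and writing the target as `../../configuration/data/tinc-keys/$machine.pub` removes the manual edit and the comment. The note should also state where the private half ends up: `tinc-key.priv` stays in the machine's `private` folder and is picked up from there by the module's `deployment.secrets` entry, so a line such as `# tinc-key.priv stays here and is deployed as a secret; it must not be copied into configuration/` would document the split for the next operator (hedged: whether `private` is outside version control cannot be seen from this page).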