Home Explore Help
Register Sign In
joepie91
/
morph-rc
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Commits 22 Releases 0 Wiki
Browse Source

Set up tinc VPN

Sven Slootweg 10 months ago
parent
fc564e4eab
commit
673ea37545
7 changed files with 89 additions and 0 deletions
Split View Show Diff Stats
  1. 12 0
      configuration/data/nodes.nix
  2. 1 0
      configuration/data/tinc-keys/machine-borg2-01.cryto.net.pub
  3. 1 0
      configuration/data/tinc-keys/machine-haless-03.cryto.net.pub
  4. 7 0
      configuration/default.nix
  5. 62 0
      configuration/lib/tinc-configuration.nix
  6. 1 0
      deploy-secrets
  7. 5 0
      notes/tinc-key-setup.txt

+ 12 - 0
configuration/data/nodes.nix
View File 

@ -0,0 +1,12 @@
1 
{
2 
	"machine-haless-03.cryto.net" = {
3 
		ipv4 = "31.7.187.145";
4 
		internalIpv4 = "10.217.0.5";
5 
		tincPublicKey = builtins.readFile ./tinc-keys/machine-haless-03.cryto.net.pub;
6 
	};
7 
	"machine-borg2-01.cryto.net" = {
8 
		ipv4 = "205.185.121.93";
9 
		internalIpv4 = "10.217.0.6";
10 
		tincPublicKey = builtins.readFile ./tinc-keys/machine-borg2-01.cryto.net.pub;
11 
	};
12 
}

+ 1 - 0
configuration/data/tinc-keys/machine-borg2-01.cryto.net.pub
View File 

@ -0,0 +1 @@
1 
FZNH5Z50Tr/Ep0VpbnIBasUxekLteUphr5Vzi6ONrNH

+ 1 - 0
configuration/data/tinc-keys/machine-haless-03.cryto.net.pub
View File 

@ -0,0 +1 @@
1 
P4MOft3fYOHYpG0I58lYxdZm40u9CXhTH0jvuyIbKZP

+ 7 - 0
configuration/default.nix
View File 

@ -24,6 +24,8 @@ let
24 24 
		reverseProxy = (import ./presets/nginx/reverse-proxy.nix);
25 25 
		letsEncrypt = (import ./presets/nginx/lets-encrypt.nix);
26 26 
	};
27 
	nodes = (import ./data/nodes.nix);
28 
	tincConfiguration = (import ./lib/tinc-configuration.nix);
27 29 
in {
28 30 
	network = {
29 31 
		inherit pkgs;
 
@ -33,10 +35,14 @@ in {
33 35 
	"machine-borg2-01.cryto.net" = { pkgs, lib, ... }: {
34 36 
		system.stateVersion = "18.09";
35 37
38 
		# FIXME: Why is this needed?
39 
		nixpkgs.overlays = [];
40
36 41 
		imports = [
37 42 
			presets.base
38 43 
			presets.kvm
39 44 
			./hardware-configurations/machine-borg2-01.nix
45 
			(tincConfiguration { hostname = "machine-borg2-01.cryto.net"; nodes = nodes; })
40 46 
		];
41 47
42 48 
		boot.loader.grub.device = lib.mkForce "/dev/vda";
 
@ -77,6 +83,7 @@ in {
77 83 
			presets.base
78 84 
			presets.kvm
79 85 
			./hardware-configurations/machine-haless-03.nix
86 
			(tincConfiguration { hostname = "machine-haless-03.cryto.net"; nodes = nodes; })
80 87 
		];
81 88
82 89 
		deployment.healthChecks.http = let

+ 62 - 0
configuration/lib/tinc-configuration.nix
View File 

@ -0,0 +1,62 @@
1 
/* TODO: Translate this to a service/module at some point? Something like 'cryto.network' that handles all the internal-networking stuff. */
2
3 
{ hostname, nodes, pingInterval ? 10 }:
4 
	{ lib, ... }: let
5 
		/* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
6 
		generateConfiguration = options:
7 
			let
8 
				keys = builtins.attrNames options;
9 
				toPairs = map (key: {key = key; value = options.${key};});
10 
				createConfigEntries = map (item: "${item.key} = ${toString item.value}");
11 
			in
12 
				builtins.concatStringsSep "\n" (createConfigEntries (toPairs keys));
13 
	in {
14 
		deployment.secrets = {
15 
			"tinc-key" = {
16 
				source = "../private/${hostname}/tinc-key.priv";
17 
				destination = "/etc/tinc/cryto/ed25519_key.priv";
18 
				owner = { user = "tinc.cryto"; };
19 
				action = [ "systemctl" "restart" "tinc.cryto.service" ];
20 
			};
21 
		};
22
23 
		services.tinc.networks.cryto = {
24 
			debugLevel = 3;
25
26 
			extraConfig = generateConfiguration {
27 
				AutoConnect = "yes";
28 
				PingInterval = pingInterval;
29 
			};
30
31 
			hosts = let
32 
				mapper = nodeName: nodeConfiguration:
33 
					lib.nameValuePair
34 
						/* NOTE: The below is because for a machine named `foo.bar-baz.net`, tinc expects a configuration file named `foo_bar_baz_net`. */
35 
						( builtins.replaceStrings [ "." "-" ] [ "_" "_" ] nodeName )
36 
						( generateConfiguration {
37 
							# Address = nodeName;
38 
							/* TODO: Figure out why a DNS name doesn't work here ("Error looking up machine-borg2-01.cryto.net port 655: Device or resource busy") */
39 
							Address = nodeConfiguration.ipv4;
40 
							Subnet = "${nodeConfiguration.internalIpv4}/32";
41 
							Ed25519PublicKey = nodeConfiguration.tincPublicKey;
42 
						} );
43 
			in lib.mapAttrs' mapper nodes;
44 
		};
45
46 
		networking.interfaces."tinc.cryto".ipv4.addresses = [{
47 
			address = nodes.${hostname}.internalIpv4;
48 
			prefixLength = 24;
49 
		}];
50
51 
		networking.firewall = {
52 
			allowedTCPPorts = [
53 
				655
54 
			];
55 
			allowedUDPPorts = [
56 
				655
57 
			];
58 
			trustedInterfaces = [
59 
				"tinc.cryto"
60 
			];
61 
		};
62 
	}

+ 1 - 0
deploy-secrets
View File 

@ -0,0 +1 @@
1 
SSH_USER=root morph --keep-result upload-secrets "$@" configuration/default.nix

+ 5 - 0
notes/tinc-key-setup.txt
View File 

@ -0,0 +1,5 @@
1 
# From the machine's `private` folder:
2 
nix-shell --command 'tinc --batch --config ./ -n cryto generate-ed25519-keys' --packages tinc_pre
3
4 
# NOTE: Change the machine name!
5 
mv ed25519_key.priv tinc-key.priv && sed -i -r 's/^Ed25519PublicKey = //' ed25519_key.pub && mv ed25519_key.pub ../../configuration/data/tinc-keys/machine-haless-03.cryto.net.pub