Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN

master
Sven Slootweg 7 years ago
parent 8b857f8f1e
commit 6776baa4da

@ -0,0 +1,18 @@
{
/* FIXME: Should NixOps not expose public IPs automatically through /etc/hosts? Why doesn't it? */
workbot = {
ipv4 = "148.251.195.23";
internalIpv4 = "10.217.0.1";
tincPublicKey = "OgsmaoK4WX0IYsH4QRnsYmX1ux0r9/UE7YrzOu2zW7K";
};
osmium = {
ipv4 = "80.255.0.137";
internalIpv4 = "10.217.0.2";
tincPublicKey = "6BxBIezR4htBFRqX8h5cG7ffbKrnoTeC2lIrFCiaxhF";
};
nijaxor = {
ipv4 = "64.187.233.73";
internalIpv4 = "10.217.0.3";
tincPublicKey = "jjhllUg3HeLpcU+XiWT5+FEl/moAZlUO7ll7J8n+5pG";
};
}

@ -0,0 +1,23 @@
{
systemd.extraConfig = ''
DefaultCPUAccounting=yes
DefaultIOAccounting=yes
DefaultIPAccounting=yes
DefaultBlockIOAccounting=yes
DefaultMemoryAccounting=yes
DefaultTasksAccounting=yes
'';
services.cadvisor = {
enable = true;
port = 9333;
listenAddress = "0.0.0.0";
storageDriver = "stdout";
};
virtualisation.docker.enable = false;
networking.firewall.allowedTCPPorts = [
9333
];
}
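Review bot: `listenAddress = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [ 9333 ]` leaves cAdvisor reachable on every interface, and no authentication is configured for it here. The preset is moved over unchanged, but this same commit adds a tinc network, so the port could be opened only on the VPN interface, e.g. `networking.firewall.interfaces."tinc.cryto".allowedTCPPorts = [ 9333 ];`. The Prometheus targets in the network file would then need to change from `hosts.<name>.ipv4` to `hosts.<name>.internalIpv4`, and the `:9100` targets in the same scrape config would benefit from the same treatment. If the preset has to stay usable without the VPN, a comment stating that it exposes host metrics publicly would make the trade-off explicit.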

@ -0,0 +1,46 @@
networkConfiguration:
let
/* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
generateConfiguration = options:
let
keys = builtins.attrNames options;
toPairs = map (key: {key = key; value = options.${key};});
createConfigEntries = map (item: "${item.key} = ${item.value}");
in
builtins.concatStringsSep "\n" (createConfigEntries (toPairs keys));
mapAttrsetValues = mapper: attrset: builtins.listToAttrs (map (item: {
name = item;
value = mapper item attrset.${item};
}) (builtins.attrNames attrset));
in
nodeName:
{
services.tinc.networks = {
cryto = {
debugLevel = networkConfiguration.debugLevel;
ed25519PrivateKeyFile = networkConfiguration.nodes.${nodeName}.tincPrivateKeyFile;
extraConfig = generateConfiguration {
AutoConnect = "yes";
PingInterval = toString networkConfiguration.pingInterval;
};
hosts = mapAttrsetValues (node: nodeConfiguration: generateConfiguration {
Address = nodeConfiguration.ipv4;
Subnet = "${nodeConfiguration.internalIpv4}/32";
Ed25519PublicKey = nodeConfiguration.tincPublicKey;
}) networkConfiguration.nodes;
};
};
networking.interfaces."tinc.cryto".ipv4.addresses = [{
address = networkConfiguration.nodes.${nodeName}.internalIpv4;
prefixLength = 24;
}];
networking.firewall.allowedTCPPorts = [
655
];
networking.firewall.allowedUDPPorts = [
655
];
}
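Review bot: `ed25519PrivateKeyFile` on the `cryto` network takes its value straight from `networkConfiguration.nodes.${nodeName}.tincPrivateKeyFile`, and nothing in this file shows whether that value is a string or a Nix path literal. A path literal would be copied into the Nix store when evaluated, and the store is world-readable on the target host, so the key would no longer be private. A comment above that line such as `/* Must be a string naming a file that already exists on the host (e.g. placed via deployment.keys); never a Nix path literal. */` would record the requirement. secrets.nix is not visible on this page, so this may already hold.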

@ -0,0 +1,29 @@
let
hosts = (import ./hosts.nix);
secrets = (import ../secrets.nix);
generateTincConfiguration = (import ./tinc);
in
generateTincConfiguration {
debugLevel = 3;
pingInterval = 10;
nodes = {
workbot = {
ipv4 = hosts.workbot.ipv4;
internalIpv4 = hosts.workbot.internalIpv4;
tincPublicKey = hosts.workbot.tincPublicKey;
tincPrivateKeyFile = secrets.workbot.tincPrivateKeyFile;
};
osmium = {
ipv4 = hosts.osmium.ipv4;
internalIpv4 = hosts.osmium.internalIpv4;
tincPublicKey = hosts.osmium.tincPublicKey;
tincPrivateKeyFile = secrets.osmium.tincPrivateKeyFile;
};
nijaxor = {
ipv4 = hosts.nijaxor.ipv4;
internalIpv4 = hosts.nijaxor.internalIpv4;
tincPublicKey = hosts.nijaxor.tincPublicKey;
tincPrivateKeyFile = secrets.nijaxor.tincPrivateKeyFile;
};
};
}
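Review bot: `debugLevel = 3` is applied to every node; per the tinc manual that level logs all requests exchanged with other daemons, including authentication and key-exchange messages, which is more than a production journal usually needs. If it is only wanted for bring-up, lower it once the mesh is stable or mark it with a comment such as `/* TODO: lower after initial rollout */`. Separately, the three `nodes` entries copy each field from `hosts` by hand, so a host added to hosts.nix will silently be absent from the VPN; a comment noting that both files must be updated together would help.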

@ -1,36 +1,15 @@
let
secrets = import ../secrets.nix;
trackServiceMetrics = {
systemd.extraConfig = ''
DefaultCPUAccounting=yes
DefaultIOAccounting=yes
DefaultIPAccounting=yes
DefaultBlockIOAccounting=yes
DefaultMemoryAccounting=yes
DefaultTasksAccounting=yes
'';
services.cadvisor = {
enable = true;
port = 9333;
listenAddress = "0.0.0.0";
storageDriver = "stdout";
};
virtualisation.docker.enable = false;
networking.firewall.allowedTCPPorts = [
9333
];
};
hosts = import ../lib/hosts.nix;
vpnConfiguration = import ../lib/vpn.nix;
in {
network.description = "Cryto";
workbot = {config, lib, pkgs, ...}@args:
{
imports = [
trackServiceMetrics
(import ../lib/presets/track-service-metrics.nix)
(vpnConfiguration "workbot")
];
config = {
@ -142,14 +121,14 @@ in {
static_configs = [{
targets = [
"localhost:9100"
"80.255.0.137:9100"
"64.187.233.73:9100"
"${hosts.osmium.ipv4}:9100"
"${hosts.nijaxor.ipv4}:9100"
];
}];
relabel_configs = [
(nameInstance "localhost:9100" "workbot")
(nameInstance "80.255.0.137:9100" "osmium")
(nameInstance "64.187.233.73:9100" "nijaxor")
(nameInstance "${hosts.osmium.ipv4}:9100" "osmium")
(nameInstance "${hosts.nijaxor.ipv4}:9100" "nijaxor")
];
} {
job_name = "systemd";
@ -157,14 +136,14 @@ in {
static_configs = [{
targets = [
"localhost:9333"
"80.255.0.137:9333"
"64.187.233.73:9333"
"${hosts.osmium.ipv4}:9333"
"${hosts.nijaxor.ipv4}:9333"
];
}];
relabel_configs = [
(nameInstance "localhost:9333" "workbot")
(nameInstance "80.255.0.137:9333" "osmium")
(nameInstance "64.187.233.73:9333" "nijaxor")
(nameInstance "${hosts.osmium.ipv4}:9333" "osmium")
(nameInstance "${hosts.nijaxor.ipv4}:9333" "nijaxor")
];
}
];
@ -204,8 +183,9 @@ in {
rev = "d7a09deda0916fa99920156e928d281a5bd3d97a";
sha256 = "08xjcwmbzdmkzbz1al3vkryiix1y2zqc8yv4lsrw21dz0c5zl726";
})
trackServiceMetrics
(import ../lib/low-ram-nix.nix)
(import ../lib/presets/track-service-metrics.nix)
(import ../lib/presets/low-ram-nix.nix)
(vpnConfiguration "osmium")
];
config = {
@ -266,8 +246,9 @@ in {
nijaxor = { config, lib, pkgs, ... }@args:
{
imports = [
(import ../lib/low-ram-nix.nix)
trackServiceMetrics
(import ../lib/presets/low-ram-nix.nix)
(import ../lib/presets/track-service-metrics.nix)
(vpnConfiguration "nijaxor")
];
config = {

@ -1,4 +1,5 @@
let
hosts = (import ../lib/hosts.nix);
removeNewlines = (import ../lib/util/remove-newlines.nix);
presetRootSsh = (import ../lib/presets/root-ssh.nix);
in {
@ -7,7 +8,7 @@ in {
presetQemuGuest = (import ../lib/presets/qemu-guest.nix);
in
{
deployment.targetHost = "64.187.233.73";
deployment.targetHost = hosts.nijaxor.ipv4;
/* Begin hardware configuration section */
boot.kernelModules = [ ];
@ -23,6 +24,10 @@ in {
};
};
networking = {
hostName = "nijaxor";
};
/* networking = {
hostName = "osmium";
defaultGateway6 = "2a01:4a0:4a::1";

@ -1,4 +1,5 @@
let
hosts = (import ../lib/hosts.nix);
removeNewlines = (import ../lib/util/remove-newlines.nix);
presetRootSsh = (import ../lib/presets/root-ssh.nix);
in {
@ -7,7 +8,7 @@ in {
presetQemuGuest = (import ../lib/presets/qemu-guest.nix);
in
{
deployment.targetHost = "80.255.0.137";
deployment.targetHost = hosts.osmium.ipv4;
/* Begin hardware configuration section */
boot.kernelModules = [ ];

@ -1,4 +1,5 @@
let
hosts = (import ../lib/hosts.nix);
removeNewlines = (import ../lib/util/remove-newlines.nix);
presetRootSsh = (import ../lib/presets/root-ssh.nix);
in {
@ -6,7 +7,7 @@ in {
presetTools = (import ../lib/presets/tools.nix) args;
in
{
deployment.targetHost = "148.251.195.23";
deployment.targetHost = hosts.workbot.ipv4;
/* Begin hardware configuration section */
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
@ -35,6 +36,10 @@ in {
};
};
networking = {
hostName = "workbot";
};
system.stateVersion = "18.03";
} // presetRootSsh // presetTools;
}
